{
	"id": "0833e127-a90a-4db3-ab5e-cd4a8e07a8e7",
	"created_at": "2026-04-06T00:11:05.907145Z",
	"updated_at": "2026-04-10T03:36:00.879002Z",
	"deleted_at": null,
	"sha1_hash": "296eca78883bf059ab2185ce1b208b72e054c78e",
	"title": "Rapport menaces et incidents - CERT-FR",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34375,
	"plain_text": "Threat and incident report - CERT-FR\r\nArchived: 2026-04-05 17:22:40 UTC\r\nA detailed version history can be found at the end of this document.\r\nIn September 2024, ANSSI observed an attack campaign seeking initial access to French entities’ networks through the exploitation of several zero-day vulnerabilities on Ivanti Cloud Service Appliance (CSA) devices. French organizations from the governmental, telecommunications, media, finance, and transport sectors were impacted. ANSSI’s investigations led to the conclusion that a single intrusion set was leveraged to conduct this attack campaign. The Agency named this intrusion set « Houken ». Moderately sophisticated, Houken can be characterized by an ambivalent use of resources. While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide range of open-source tools, mostly crafted by Chinese-speaking developers. Houken’s attack infrastructure is made up of diverse elements, including commercial VPNs and dedicated servers.\r\nANSSI suspects that the Houken intrusion set is operated by the same threat actor as the intrusion set previously described by MANDIANT as UNC5174. Since 2023, Houken has likely been used by an access broker to gain a foothold on targeted systems, which could eventually be sold to entities interested in carrying out deeper post-exploitation activities. Though already documented for its opportunistic exploitation of vulnerabilities on edge devices, the use of zero-days by a threat actor linked to UNC5174 is new to ANSSI’s knowledge. The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence. However, ANSSI also observed one case of data exfiltration as well as an interest in the deployment of cryptominers, indicating straightforward profit-driven objectives.\r\nDetailed document version history\r\n1 July 2025\r\nInitial version\r\n4 July 2025\r\nVersion 1.1\r\nSource: https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-009/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-009/"
	],
	"report_names": [
		"CERTFR-2025-CTI-009"
	],
	"threat_actors": [
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-10T02:00:03.611467Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8bcbeb8a-111b-4ea1-a72b-5c7abd8ef132",
			"created_at": "2025-11-01T02:04:53.050049Z",
			"updated_at": "2026-04-10T02:00:03.774442Z",
			"deleted_at": null,
			"main_name": "BRONZE SNOWDROP",
			"aliases": [
				"UNC5174"
			],
			"source_name": "Secureworks:BRONZE SNOWDROP",
			"tools": [
				"Metasploit",
				"SNOWLIGHT",
				"SUPERSHELL",
				"Sliver",
				"VShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba909e34-bce1-4af4-b89a-3e855718f193",
			"created_at": "2026-01-18T02:00:03.059161Z",
			"updated_at": "2026-04-10T02:00:03.898068Z",
			"deleted_at": null,
			"main_name": "Houken",
			"aliases": [],
			"source_name": "MISPGALAXY:Houken",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434265,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/296eca78883bf059ab2185ce1b208b72e054c78e.pdf",
		"text": "https://archive.orkl.eu/296eca78883bf059ab2185ce1b208b72e054c78e.txt",
		"img": "https://archive.orkl.eu/296eca78883bf059ab2185ce1b208b72e054c78e.jpg"
	}
}