{
	"id": "c5aa296d-b15b-4e71-b336-6e4b8708dc70",
	"created_at": "2026-04-06T00:15:25.238002Z",
	"updated_at": "2026-04-10T03:36:00.883582Z",
	"deleted_at": null,
	"sha1_hash": "dec88ee829910d71dc2b8f03cf4e62f0936837a6",
	"title": "ANSSI Exposes \"Houken\": China-Linked APT Exploiting Ivanti CSA Zero-Days \u0026 Deploying Linux Rootkits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68017,
	"plain_text": "ANSSI Exposes \"Houken\": China-Linked APT Exploiting Ivanti\r\nCSA Zero-Days \u0026 Deploying Linux Rootkits\r\nBy ddos\r\nPublished: 2025-07-07 · Archived: 2026-04-05 13:48:29 UTC\r\nThe French cybersecurity agency has announced a large-scale cyberattack targeting key sectors of the nation.\r\nGovernment institutions, telecommunications firms, media organizations, the financial sector, and transport\r\nentities were all placed in the crosshairs. The malicious campaign has been attributed to a Chinese hacking group\r\nthat exploited previously unknown vulnerabilities in Ivanti’s Cloud Services Appliance (CSA).\r\nThe discovered attacks date back to September 2024. Responsibility has been assigned to a group known as\r\nHouken, whose activities, according to experts, overlap with those of the cybercriminal cluster UNC5174—also\r\nreferred to as Uteus or Uetus—which has previously been tracked by Google’s Mandiant team.\r\nFrance’s National Agency for the Security of Information Systems (ANSSI) reported that the attackers employed\r\nnot only zero-day vulnerabilities and a sophisticated rootkit but also an extensive array of open-source tools,\r\npredominantly developed by Chinese-speaking programmers. Houken’s infrastructure includes the use of\r\ncommercial VPNs and dedicated servers, allowing it to effectively obfuscate the origins of its attacks.\r\nhttps://meterpreter.org/anssi-exposes-houken-china-linked-apt-exploiting-ivanti-csa-zero-days-deploying-linux-rootkits/\r\nPage 1 of 3\n\nAccording to French analysts, Houken has been actively utilized by so-called initial access brokers since 2023.\r\nThese intermediaries breach systems and subsequently sell access to other cybercriminals, who then carry out\r\nfurther exploitation of the compromised networks. 
This modular approach suggests the involvement of multiple\r\nthreat groups, each responsible for a different phase of the operation—from vulnerability discovery to\r\nmonetization.\r\nHarfangLab notes that typically, one group identifies a vulnerability, another exploits it at scale to infiltrate\r\nnetworks, and the resulting access is sold to interested third parties—often those with ties to state entities.\r\nExperts believe that the primary objective of UNC5174 and Houken is to infiltrate strategically valuable targets\r\nand sell access to government-aligned buyers seeking intelligence. However, these actors are not confined to cyber\r\nespionage. In at least one instance, the gained access was used to install cryptocurrency miners, indicating\r\nfinancial motivations as well.\r\nUNC5174 has previously been linked to attacks on SAP NetWeaver systems, deploying malware such as\r\nGOREVERSE, a variant of GoReShell. The group has also been associated with exploitation of vulnerabilities in\r\nproducts from Palo Alto Networks, ConnectWise ScreenConnect, and F5 BIG-IP, through which they distributed\r\nmalware known as SNOWLIGHT—used to install a Go-based tunneling tool called GOHEAVY.\r\nSentinelOne has reported that the same group breached a major European media company in September 2024. In\r\nthe recent attacks on French organizations, the perpetrators exploited three vulnerabilities in Ivanti CSA—CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190. These zero-day flaws allowed the attackers to stealthily\r\ninfiltrate systems, obtain credentials, and establish persistent access within targeted infrastructures.\r\nTo maintain their foothold, the attackers employed three methods: installing PHP web shells directly, modifying\r\nexisting PHP scripts to embed stealthy web shell functions, and deploying a rootkit injected at the kernel level.\r\nWell-known public web shells such as Behinder and neo-reGeorg were actively used. 
Once persistence was\r\nachieved, lateral movement across networks was executed using GOREVERSE, alongside the suo5 HTTP proxy\r\ntunnel and a Linux kernel module dubbed “sysinitd.ko,” previously observed by Fortinet researchers.\r\nAccording to ANSSI, the sysinitd.ko module and its associated user-space executable “sysinitd” were deployed\r\nvia a script named install.sh. This toolkit enabled attackers to intercept all inbound TCP traffic and execute\r\ncommands with root privileges.\r\nBeyond technical sophistication, experts noted a distinct operational trait: the attackers operated from the UTC+8\r\ntime zone, aligning with Chinese standard time. Moreover, the perpetrators attempted to patch exploited\r\nvulnerabilities post-compromise to prevent rival hacking groups from gaining access.\r\nANSSI concludes that the scale of these attacks indicates a broad array of targets—including government and\r\nacademic institutions in Southeast Asia, NGOs in China, Hong Kong, and Macau, as well as governmental,\r\ndefense, educational, media, and telecom entities in Western nations.\r\nThe striking similarity in tactics between Houken and UNC5174 suggests that both may be fronts for a single\r\ncriminal entity, operating as a private syndicate that trades in system access and confidential data while\r\nsimultaneously conducting its own lucrative operations.\r\nSource: https://meterpreter.org/anssi-exposes-houken-china-linked-apt-exploiting-ivanti-csa-zero-days-deploying-linux-rootkits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://meterpreter.org/anssi-exposes-houken-china-linked-apt-exploiting-ivanti-csa-zero-days-deploying-linux-rootkits/"
	],
	"report_names": [
		"anssi-exposes-houken-china-linked-apt-exploiting-ivanti-csa-zero-days-deploying-linux-rootkits"
	],
	"threat_actors": [
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-10T02:00:03.611467Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8bcbeb8a-111b-4ea1-a72b-5c7abd8ef132",
			"created_at": "2025-11-01T02:04:53.050049Z",
			"updated_at": "2026-04-10T02:00:03.774442Z",
			"deleted_at": null,
			"main_name": "BRONZE SNOWDROP",
			"aliases": [
				"UNC5174 "
			],
			"source_name": "Secureworks:BRONZE SNOWDROP",
			"tools": [
				"Metasploit",
				"SNOWLIGHT",
				"SUPERSHELL",
				"Sliver",
				"VShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba909e34-bce1-4af4-b89a-3e855718f193",
			"created_at": "2026-01-18T02:00:03.059161Z",
			"updated_at": "2026-04-10T02:00:03.898068Z",
			"deleted_at": null,
			"main_name": "Houken",
			"aliases": [],
			"source_name": "MISPGALAXY:Houken",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434525,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dec88ee829910d71dc2b8f03cf4e62f0936837a6.pdf",
		"text": "https://archive.orkl.eu/dec88ee829910d71dc2b8f03cf4e62f0936837a6.txt",
		"img": "https://archive.orkl.eu/dec88ee829910d71dc2b8f03cf4e62f0936837a6.jpg"
	}
}