China-Linked Threat Actor Exploits and Self-Patches Zero-Day Vulnerabilities to Control Network Access

In an unusual tactic, a suspected China-affiliated initial access broker has been exploiting zero-day vulnerabilities to break into victim networks and then patching those same vulnerabilities itself. This "self-patching" closes the door behind the intruder, keeping rival groups out of the compromised systems and giving the broker exclusive control over the foothold. The French national cybersecurity agency, ANSSI, uncovered the behavior while investigating attacks on French organizations last year, and it assesses that the campaign remains active.

The Incident and Threat Actor Activity

The attacker, tracked by ANSSI under the codename "Houken" and by Mandiant as UNC5174, exploited three zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices: CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380. (The CVEs in the original report belong to Ivanti CSA, not Ivanti Connect Secure.) Ivanti had not yet released fixes when the exploitation began, so the adversary could gain initial access without tripping signatures for known bugs. Once inside, the actor harvested credentials, established persistent access, and then patched the exploited vulnerabilities on the appliance. The self-patching step denies other groups the same entry point, so the broker keeps sole control of the compromised network. For defenders the practical consequence is that a device which now scans as "not vulnerable" may have been fixed by the intruder rather than by the organization, and the persistence the intruder planted survives the patch.

ANSSI assesses that Houken operates as an initial access broker, selling access to compromised systems to other actors. The group has also shown that it can go further on its own, moving laterally and deploying additional persistence mechanisms inside victim networks.

Mandiant links UNC5174 to China's Ministry of State Security (MSS), describing it as a likely contractor involved in extensive espionage campaigns against defense contractors, government agencies, and other organizations across the US, UK, Canada, and Asia. Mandiant observed the same actor patching the vulnerabilities it had exploited during earlier attacks on F5 devices.

Cybersecurity experts, including

ANSSI characterizes Houken as a moderately sophisticated actor. It combines advanced tradecraft such as zero-day exploitation and rootkits with low-cost infrastructure and tooling: open-source tools, commercial VPNs, and residential IP addresses. In France the group has targeted finance, media, transportation, telecom, and government organizations, and it also focuses heavily on targets in Southeast Asia.

What Undercode Says:

Self-patching by threat actors is a notable step in the cat-and-mouse game of cybersecurity. Most intruders exploit a vulnerability and leave it open, so a compromised system often ends up with several competing visitors. Houken's practice of patching an exploited zero-day as soon as it has a foothold signals an effort to hold a monopoly over the compromised environment, which says something both about the group's planning and about how competitive the market for access has become.

The tactic also underlines the growing professionalization of cybercrime. The actors involved are not only technically capable but operate with business-like discipline, protecting the asset they intend to sell. Blocking rival access reduces the chance that a noisier competing intrusion gets the victim's attention and exposes them, and it preserves the resale value of the access.

From a defender's perspective, these developments complicate incident response. An organization may assume that once the vulnerability is patched the risk is over, but Houken's behavior means the appliance may have been compromised and then "fixed" by the adversary before the organization ever applied the vendor update. A clean vulnerability scan after the fix date is therefore not evidence that the device was never exploited. Any edge device that was exposed during the window between the start of exploitation and the organization's own patch should be treated as potentially compromised and checked for unexplained changes: a fix that predates the vendor release or any approved change, binaries that do not match what the vendor shipped, unexpected accounts, and persistence that outlives the patch. That calls for proactive threat hunting, monitoring for persistence after patch deployment, and comprehensive visibility into the network.

Moreover, the blend of high-end custom exploits with more accessible tools and VPNs suggests a hybrid operational model. This approach enables threat actors to balance sophistication with cost-effectiveness, likely adapting their tactics based on target value and operational priorities.

Geopolitically, the connection to China’s MSS adds a layer of complexity, reflecting ongoing cyber espionage efforts targeting government, defense, and critical infrastructure worldwide. This campaign reinforces the persistent threat posed by state-sponsored or state-affiliated groups using initial access brokers as force multipliers to broaden their reach.

Going forward, defenders should prioritize detection of lateral movement and persistence mechanisms even on systems that appear patched, and consume threat intelligence that flags self-patching adversaries. Collaboration between national agencies such as ANSSI and private-sector researchers such as Mandiant will be essential to countering these threats.
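The hunting advice in the incident description and in the two defender-focused paragraphs above can be turned into a concrete check. The following is an added example written for this article, not tooling from ANSSI, Mandiant, Ivanti or the Houken report. It assumes that the defender can collect, from each edge appliance, the hash and modification time of the file a vendor fix changes, and can look up the vendor's fix release date, the vendor-published hashes of the patched and vulnerable file, and the organization's own change-management windows. A device whose vulnerable component changed before the vendor shipped a fix, changed to a file the vendor never published, or changed outside any approved window is flagged as a candidate for attacker-applied patching. All hostnames, paths, hashes and dates below are constructed placeholders.

```python
"""Hunt for edge appliances that were 'patched' without a legitimate explanation.

Added example for this article (not ANSSI, Mandiant or Ivanti code). All hosts,
paths, hashes and dates are constructed placeholders for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year, month, day, hour=0):
    """Build a timezone-aware UTC timestamp (keeps comparisons unambiguous)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass(frozen=True)
class DeviceObservation:
    host: str
    component_path: str     # file on the appliance that the vendor fix modifies
    sha256: str             # current hash of that file, as collected from the device
    modified_at: datetime   # file mtime (UTC) collected from the device


@dataclass(frozen=True)
class ChangeWindow:
    host: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class VendorFix:
    cve: str
    released_at: datetime          # when the vendor published the fix
    patched_sha256: frozenset      # hashes of the vendor-built patched file
    vulnerable_sha256: frozenset   # hashes of the known-vulnerable file


def classify(obs: DeviceObservation, fix: VendorFix, windows) -> list:
    """Return the findings for one device; an empty list means the patch looks legitimate."""
    findings = []
    if obs.sha256 in fix.vulnerable_sha256:
        # Never patched: ordinary exposure, handled by the normal patch process.
        findings.append("still-vulnerable")
        return findings
    if obs.sha256 not in fix.patched_sha256:
        # The file changed, but not to anything the vendor shipped.
        findings.append("non-vendor-binary")
    if obs.modified_at < fix.released_at:
        # No legitimate update can predate the vendor's fix.
        findings.append("patched-before-vendor-fix")
    in_window = any(
        w.host == obs.host and w.start <= obs.modified_at <= w.end for w in windows
    )
    if not in_window:
        # Changed outside every approved change window for this host.
        findings.append("no-change-record")
    return findings


def hunt(observations, fix: VendorFix, windows) -> dict:
    """Map each host to its findings so hosts needing forensic follow-up stand out."""
    return {o.host: classify(o, fix, windows) for o in observations}


# ---- constructed sample data (not real hashes, paths or release dates) ----
VULN_HASH = "1111111111111111111111111111111111111111111111111111111111111111"
VENDOR_HASH = "2222222222222222222222222222222222222222222222222222222222222222"
UNKNOWN_HASH = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
COMPONENT = "/opt/appliance/web/handler.bin"   # hypothetical path

SAMPLE_FIX = VendorFix(
    cve="CVE-placeholder",
    released_at=utc(2024, 10, 5),
    patched_sha256=frozenset({VENDOR_HASH}),
    vulnerable_sha256=frozenset({VULN_HASH}),
)

SAMPLE_WINDOWS = [
    ChangeWindow("edge-01", utc(2024, 10, 20), utc(2024, 10, 20, 6)),
]

SAMPLE_OBSERVATIONS = [
    # Patched by the organization during its change window: nothing to flag.
    DeviceObservation("edge-01", COMPONENT, VENDOR_HASH, utc(2024, 10, 20, 2)),
    # Fixed before the vendor fix existed, to a non-vendor file, with no change record.
    DeviceObservation("edge-02", COMPONENT, UNKNOWN_HASH, utc(2024, 9, 28, 3)),
    # Never patched at all.
    DeviceObservation("edge-03", COMPONENT, VULN_HASH, utc(2024, 6, 1)),
    # Vendor binary, but nobody scheduled the change.
    DeviceObservation("edge-04", COMPONENT, VENDOR_HASH, utc(2024, 10, 9, 4)),
]

SAMPLE_FINDINGS = hunt(SAMPLE_OBSERVATIONS, SAMPLE_FIX, SAMPLE_WINDOWS)

if __name__ == "__main__":
    for host, findings in SAMPLE_FINDINGS.items():
        print(f"{host}: {findings or 'ok'}")
```

The "patched-before-vendor-fix" finding is the strongest signal, because no legitimate process can apply a fix before the vendor publishes one; "non-vendor-binary" and "no-change-record" are weaker on their own but still warrant pulling the device for forensic review rather than assuming it is clean.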

🔍 Fact Checker Results

✅ The Ivanti Cloud Services Appliance vulnerabilities exploited (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380) were unpatched zero-days at the time of the attacks, as confirmed by ANSSI and Ivanti.

✅ The attribution of the UNC5174 group to China’s MSS is supported by Mandiant’s investigations, consistent with previous targeting patterns.

❌ Any suggestion that the Houken group has ceased operations is unsupported; ANSSI assesses that the campaign remains active.

📊 Prediction

Given the sophistication and strategic value of self-patching, other initial access brokers are likely to adopt the technique to secure their footholds. That raises the bar for defenders, who must detect intrusions that the attackers themselves are actively defending.

Furthermore, as geopolitical tensions persist, threat actors tied to nation-states will continue leveraging zero-day vulnerabilities for espionage, making zero-day hunting and proactive patching critical priorities.

In the next 12 to 24 months, collaboration between cybersecurity firms and national agencies will become even more vital. Real-time sharing of threat intelligence on initial access brokers and their evolving tactics, including self-patching, will be essential to preempt attacks and protect high-value targets.

Finally, the business model of initial access brokers will likely evolve, with increased focus on exclusivity, raising prices for access to compromised networks, and potentially bundling services such as self-patching and ongoing network defense against rivals as part of their offerings. This could further professionalize the cybercrime underground and complicate defensive efforts.

References:

Reported By: www.darkreading.com
