Houken Hacker Group Exploits Ivanti Zero-Days in Sophisticated Cyberespionage Campaign

French Authorities Uncover Advanced Cyber Intrusion Targeting Strategic Sectors

A newly discovered cyber espionage campaign targeting critical French industries has raised significant alarms within the cybersecurity community. The French national cybersecurity agency (ANSSI) has exposed an aggressive operation attributed to a threat actor known as “Houken”, closely linked to the previously identified UNC5174 group. Beginning in September 2024, this operation leveraged multiple zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) systems, compromising vital infrastructure across sectors such as government, media, telecommunications, finance, and transport. The nature of the attack, its reliance on both bespoke and commodity tools, and evidence of intelligence-gathering activities strongly indicate ties to China’s Ministry of State Security (MSS).

Coordinated Exploitation and Intelligence Objectives

Houken’s campaign marked a dangerous evolution in access-broker operations. The group successfully exploited three zero-day vulnerabilities—CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380—before Ivanti released any public security advisories. By chaining these vulnerabilities, the hackers were able to execute remote code and gain persistent access to exposed Ivanti CSA appliances. Once inside, the attackers extracted administrative credentials using base64-encoded Python scripts, deployed custom and open-source PHP webshells, and installed a Linux kernel rootkit (“sysinitd.ko”) in high-value targets. The rootkit allowed them covert, persistent access with root privileges through TCP hijacking.
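The traces named above (base64-wrapped Python one-liners used for credential theft and the sysinitd.ko kernel module) are the sort of thing a responder would hunt for on a suspect appliance. The following is an added example, not ANSSI's or cyberpress.org's code: it decodes base64-in-Python command lines for analyst review and lists loaded kernel modules that are not on an allowlist. The command lines, the /proc/modules text and the module allowlist are constructed for illustration; a real allowlist would be built from a known-good appliance of the same version.

```python
"""Host triage checks for two traces described above: base64-wrapped
Python one-liners and an unexpected kernel module.

Added example; not ANSSI's or cyberpress.org's code. The command lines,
the /proc/modules text and the module allowlist below are constructed for
illustration. A real allowlist would be generated from a known-good
appliance of the same version.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Set

# Form 1: python -c "import base64;exec(base64.b64decode('<blob>'))"
B64_PY_RE = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
# Form 2: echo <blob> | base64 -d | python
B64_PIPE_RE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*python"
)


def decode_b64_python(cmdline: str) -> Optional[Dict[str, str]]:
    """Return {'cmdline', 'payload'} if cmdline executes a base64 blob via
    Python, otherwise None. The decoded text is for analyst review only; it
    is never executed here."""
    match = B64_PY_RE.search(cmdline) or B64_PIPE_RE.search(cmdline)
    if match is None:
        return None
    blob = match.group(1)
    try:
        payload = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        payload = "<undecodable base64>"
    return {"cmdline": cmdline, "payload": payload}


# Hypothetical allowlist (an assumption for this example, not a vendor list).
EXPECTED_MODULES: Set[str] = {"ext4", "xfs", "ip_tables", "nf_conntrack", "e1000"}


def unexpected_modules(proc_modules_text: str,
                       expected: Set[str] = EXPECTED_MODULES) -> List[str]:
    """Parse /proc/modules-style lines ('name size refcount deps state addr')
    and return the names that are not on the allowlist. A rootkit that
    unlinks itself from the module list will not appear here, so compare the
    result against /sys/module and the vendor's package manifest as well."""
    names = []
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] not in expected:
            names.append(fields[0])
    return names


# Constructed samples (not taken from the report).
SAMPLE_CMDLINES = [
    "/usr/bin/php-fpm: pool www",
    "python3 -c \"import base64;exec(base64.b64decode('cHJpbnQoJ2hlbGxvJyk='))\"",
]
SAMPLE_PROC_MODULES = """\
ext4 733184 1 - Live 0x0000000000000000
ip_tables 32768 0 - Live 0x0000000000000000
sysinitd 16384 0 - Live 0x0000000000000000 (OE)
"""


def triage(cmdlines: List[str], proc_modules_text: str) -> Dict[str, object]:
    """Run both checks and return the findings in one structure."""
    hits = [h for h in (decode_b64_python(c) for c in cmdlines) if h]
    return {"b64_python": hits,
            "unexpected_modules": unexpected_modules(proc_modules_text)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINES, SAMPLE_PROC_MODULES).items():
        print(key, value)
```

The module check is deliberately paired with a caveat in its docstring: a kernel rootkit can hide itself from /proc/modules, so a clean result there is not proof of a clean host, and the comparison should be repeated against /sys/module and the appliance's package manifest.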

Infrastructure and Tooling

ANSSI’s findings showed that Houken utilized a mix of anonymization techniques, including major VPN services (NordVPN, ExpressVPN, Proton VPN) and rented VPS servers from HOSTHATCH, ColoCrossing, and JVPS.hosting. They operated primarily through Chinese ISP addresses, suggesting UTC+8 time zone alignment. While the campaign’s advanced aspects included rootkit deployment and zero-day exploitation, Houken relied extensively on open-source tools popular in Chinese-speaking developer communities. Examples include Behinder (Ice Scorpion), Neo-reGeorg, VShell, Suo5, and ffuf—all available via GitHub.
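A time-zone inference of the kind mentioned above usually rests on a working-hours heuristic: shift every event timestamp into each candidate UTC offset and see which offset places the most activity inside a normal working day. The block below is an added example, not ANSSI's analysis tooling. The event timestamps are constructed, not data from the report, and the 09:00 to 18:00 window and the candidate offsets are assumptions an analyst would tune per case.

```python
"""Working-hours scoring behind a 'UTC+8 alignment' inference.

Added example, not ANSSI's analysis tooling. Event timestamps are in UTC
(constructed below, not data from the report). Each candidate UTC offset
is scored by the share of events falling inside an assumed local working
day; the offset with the highest share is the best fit. The 09:00-18:00
window and the candidate offsets are assumptions to tune per case.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

WORK_START, WORK_END = 9, 18  # assumed local working day, [start, end)


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hours(events: List[datetime], offset_hours: int) -> Counter:
    """Histogram of event hour-of-day after shifting into UTC+offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(e.astimezone(tz).hour for e in events)


def workhour_share(events: List[datetime], offset_hours: int) -> float:
    """Fraction of events inside the working-day window at this offset."""
    hist = local_hours(events, offset_hours)
    inside = sum(count for hour, count in hist.items() if WORK_START <= hour < WORK_END)
    return inside / len(events)


def best_offset(events: List[datetime],
                candidates: Iterable[int] = range(-12, 15)) -> Tuple[int, float]:
    """Offset whose working-day window covers the most events; ties go to
    the offset closest to UTC so the result is deterministic."""
    scores = {off: workhour_share(events, off) for off in candidates}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores[best]


# Constructed sample: activity clustered at 01:00-09:00 UTC plus two outliers.
SAMPLE_EVENTS_UTC = [
    "2024-09-10T01:12:00Z", "2024-09-10T02:40:00Z", "2024-09-10T03:05:00Z",
    "2024-09-10T04:55:00Z", "2024-09-11T05:20:00Z", "2024-09-11T06:48:00Z",
    "2024-09-11T07:33:00Z", "2024-09-12T08:10:00Z", "2024-09-12T09:45:00Z",
    "2024-09-12T15:02:00Z", "2024-09-13T16:30:00Z",
]


def analyse(stamps: List[str]) -> Dict[str, object]:
    """Score the offsets and return the best fit with its local histogram."""
    events = [parse_utc(s) for s in stamps]
    off, share = best_offset(events)
    return {
        "best_offset": off,
        "share": share,
        "local_histogram": dict(sorted(local_hours(events, off).items())),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS_UTC)
    print(f"best fit UTC{result['best_offset']:+d}, "
          f"{result['share']:.0%} of events in working hours")
    print("local hour histogram:", result["local_histogram"])
```

On the constructed sample the best fit is UTC+8 with 9 of 11 events inside the window. The heuristic only suggests an operator schedule; it says nothing about where VPN exits or rented VPS hosts sit, and events generated by several operators in different time zones will blur the signal, which is why the report pairs it with the ISP and tooling observations rather than relying on it alone.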

Evidence points to Houken being a sophisticated private contractor likely operating on behalf of Chinese state interests. Their behavior aligns with access-broker models, where footholds into foreign systems are sold or shared with state-backed actors for intelligence operations. One instance even involved the deployment of a Monero cryptominer, suggesting occasional for-profit motives. Despite these occasional deviations, the group remains highly focused on strategic objectives and is expected to continue targeting edge devices globally.

What Undercode Says:

Strategic Targeting Signals State-Backed Intent

Houken’s selection of targets—including government agencies, media companies, and transport infrastructure—indicates that this was not a random attack. Rather, it represents a calculated espionage operation with long-term intelligence collection goals. This focus on high-value data, particularly sensitive communications, points to alignment with geopolitical strategies, most likely under state direction.

Exploiting the Zero-Day Advantage

The campaign showcases the significant leverage attackers gain when operating ahead of public security disclosures. Houken’s ability to exploit Ivanti CSA vulnerabilities before any official patch or warning gave them a critical window of opportunity to access networks with minimal resistance. This underlines the pressing need for enterprises to adopt proactive security models based on threat intelligence, not just vendor alerts.

Sophistication Meets Open-Source Simplicity

One of the most fascinating aspects of this campaign is the juxtaposition of elite-level exploits with freely available tools. Houken operators used complex rootkits and developed unique persistence mechanisms, yet also heavily relied on GitHub-sourced utilities like Ice Scorpion and Neo-reGeorg. This hybrid approach speaks to both the efficiency and cost-effectiveness of modern cyber warfare tactics, where even state-sponsored actors embrace open-source software to lower development time.

Shadow Infrastructure: VPS and VPN

Houken’s infrastructure strategy was a masterclass in obfuscation. By combining dedicated VPS servers from lesser-known hosting providers with well-known VPN services, they built resilient command-and-control networks. These techniques complicate attribution and highlight the growing challenge for defenders trying to trace attack origins through anonymized layers.

Tactics Mimic Known Chinese APT Groups

The attribution of Houken to the UNC5174 group—already flagged by Google and Mandiant—reinforces the pattern of advanced persistent threat (APT) groups working in coordination with Chinese intelligence. Their operational methods, including reusing webshell filenames and self-patching vulnerabilities, mirror known APT behaviors. The time zone alignment, infrastructure patterns, and tooling all point toward a China-based operation with professional-grade coordination.

Hybrid Motives: Espionage Meets Cryptocurrency Mining

While the primary goal of the campaign was clearly espionage, the presence of a Monero cryptominer reveals a secondary motive: financial gain. This dual-purpose approach isn’t new but reinforces the idea that some operations are structured to generate additional revenue streams, possibly as bonuses for contractors or as budget offsets for clandestine missions.

Implications for Edge Security

Ivanti’s appliances, designed for secure cloud services, became the weak link in many networks. This underlines a broader vulnerability in the modern digital landscape—edge devices are often overlooked despite sitting at critical points of access. Attackers like Houken exploit this blind spot with ruthless efficiency, making edge security the next frontier in cyber defense.

Why Attribution Matters

Clear attribution helps define the geopolitical stakes. When cyber campaigns like Houken’s are linked to specific state apparatuses, the conversation shifts from IT security to national security. France’s public attribution via ANSSI sends a strong diplomatic signal, possibly paving the way for international response or sanctions.

Broader Threat for Europe

Though the campaign was concentrated in France, the implications are European-wide. Edge vulnerabilities, especially in widely used infrastructure appliances, offer transnational entry points. What happened in France could just as easily occur in Germany, Spain, or the UK. This calls for a unified continental approach to cybersecurity, threat intelligence sharing, and patch management.

šŸ” Fact Checker Results:

✅ Houken exploited three real CVEs in Ivanti appliances
✅ ANSSI linked the group to UNC5174 with evidence of MSS affiliation
✅ Use of open-source tools like Ice Scorpion and ffuf is confirmed in the campaign

📊 Prediction:

Future state-sponsored attacks will increasingly blend zero-day exploitation with open-source toolchains to obscure attribution and reduce operational costs. As Ivanti-like edge devices remain attractive targets, similar campaigns are expected to rise in Europe and Asia, especially around elections or diplomatic negotiations. Defensive focus must shift toward preemptive threat modeling and cross-border cybersecurity collaboration.

References:

Reported By: cyberpress.org