On July 1, 2025, the French cybersecurity agency ANSSI published a report detailing a sophisticated intrusion campaign by a threat actor it tracks as Houken. The group exploited three then-unknown vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices, CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380, to compromise high-value targets across France.
Victims included government agencies, defense organizations, telecommunications providers, financial institutions, media outlets, and transportation networks. The intrusions began in September 2024, with the group seeking an initial foothold in the networks of French entities. At the time of exploitation the three flaws were unknown to both Ivanti and the public; chained together they gave the attackers remote code execution on the appliances.
ANSSI’s investigation found that Houken, which may overlap with the Chinese threat actor UNC5174, deployed a custom toolset that included a Linux kernel-module rootkit, sysinitd.ko, together with a set of user-space executables. The group also relied on a number of open-source tools, most of them believed to be the work of Chinese-speaking developers.
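The report names the rootkit only as a kernel module, so the first thing an incident responder wants is a repeatable way to look for it on a Linux host and, more generally, for any loaded module that is hiding from `lsmod`. The script below is an added example, not ANSSI's or Ivanti's tooling. It takes the module name `sysinitd` from the report; the hidden-module heuristic (a loadable module that has a `/sys/module/<name>/initstate` entry but does not appear in `/proc/modules`) is a generic rootkit check and is assumed here, not something the report describes. The `/proc/modules` text and the `/sys/module` listing are constructed samples so the block runs offline; `read_live_sysfs()` builds the same structure from a real system.

```python
"""Offline triage for a suspicious Linux kernel module (added example, not from the report)."""
import os
from dataclasses import dataclass

# Module name taken from the ANSSI report; extend with other IOCs as they are published.
SUSPECT_MODULE_NAMES = {"sysinitd"}

# Constructed sample of /proc/modules: "name size refcount deps state address".
# Note that sysinitd is deliberately absent here, as a rootkit hiding from lsmod would be.
SAMPLE_PROC_MODULES = """\
xfs 1576960 2 - Live 0xffffffffc0a4d000
libcrc32c 16384 1 xfs, Live 0xffffffffc0a3e000
e1000 163840 0 - Live 0xffffffffc09f8000
"""

# Constructed model of /sys/module: directory name -> entries inside it.
# Loadable modules carry an "initstate" entry; built-ins such as printk do not
# (assumption used by the heuristic below).
SAMPLE_SYS_MODULES = {
    "xfs": {"initstate", "refcnt", "sections", "holders"},
    "libcrc32c": {"initstate", "refcnt", "sections", "holders"},
    "e1000": {"initstate", "refcnt", "sections", "holders", "parameters"},
    "sysinitd": {"initstate", "refcnt", "sections", "holders"},
    "printk": {"parameters"},
}


@dataclass(frozen=True)
class Finding:
    module: str
    reason: str


def parse_proc_modules(text):
    """Parse /proc/modules into {name: {size, refcount, state}}; skips malformed lines."""
    loaded = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        name, size, refcount, _deps, state = parts[:5]
        loaded[name] = {"size": int(size), "refcount": int(refcount), "state": state}
    return loaded


def loadable_sysfs_modules(sysfs):
    """Names under /sys/module that belong to loadable (not built-in) modules."""
    return {name for name, entries in sysfs.items() if "initstate" in entries}


def triage(proc_text, sysfs):
    """Flag known-bad module names and modules hidden from /proc/modules."""
    loaded = parse_proc_modules(proc_text)
    in_sysfs = loadable_sysfs_modules(sysfs)
    findings = []
    for name in sorted(loaded.keys() | in_sysfs):
        if name in SUSPECT_MODULE_NAMES:
            findings.append(Finding(name, "name matches reported rootkit module"))
        if name in in_sysfs and name not in loaded:
            findings.append(Finding(name, "in /sys/module but missing from /proc/modules (hidden from lsmod)"))
    return findings


def read_live_sysfs(root="/sys/module"):
    """Build the same name -> entries mapping from a real /sys/module tree."""
    return {
        name: set(os.listdir(os.path.join(root, name)))
        for name in os.listdir(root)
        if os.path.isdir(os.path.join(root, name))
    }


if __name__ == "__main__":
    # On a live host replace the two samples with open("/proc/modules").read() and read_live_sysfs().
    for finding in triage(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULES):
        print(f"{finding.module}: {finding.reason}")
```

On the constructed input the script reports `sysinitd` twice, once for the name match and once because it is absent from `/proc/modules` while still present under `/sys/module`. A rootkit that also unlinks its sysfs directory will defeat the second check, so treat a clean result as one data point, not as proof the host is uncompromised.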
After breaching the Ivanti CSA devices, Houken operators performed reconnaissance and moved laterally within victim networks, compromising additional infrastructure such as F5 BIG-IP devices. ANSSI suspects the group operates as an initial access broker, obtaining entry to sensitive systems in order to sell that access to other actors who then carry out deeper intelligence collection.
While selling access for intelligence purposes appears to be the main objective, ANSSI also observed data theft and attempts to install cryptocurrency miners, indicating that direct financial gain is a secondary motive. Houken’s targeting extends well beyond France to organizations in Southeast Asia and Western countries. Its working hours are consistent with China Standard Time (UTC+8), and it has used a diverse attack infrastructure of commercial VPN services, dedicated servers, and residential or mobile IP addresses to mask its activity.
The link between Houken and UNC5174 rests on shared operational behaviors, including the creation of bespoke user accounts and, notably, the unusual practice of patching the very vulnerabilities they exploited. Garrett Calpouzos, a Principal Security Researcher at Sonatype, pointed out that this tactic has been increasingly observed among advanced threat actors. By closing the flaws after exploitation, Houken denies other attackers the same entry point and keeps its own presence on the device quiet. For defenders, the corollary is that a CSA found fully patched cannot be assumed clean: the patch may have been applied by the intruder, so appliances that were exposed during the exploitation window should be examined for persistence regardless of their current patch level.
Calpouzos stressed the critical need for organizations to secure internet-exposed systems, particularly those vulnerable to remote code execution (RCE). He also noted that such incidents pose particular challenges for high-value targets such as government entities, which often face bureaucratic obstacles that delay an effective response.
Houken remains active, and experts expect it to keep targeting internet-exposed devices globally. Organizations can use the MITRE ATT&CK framework to map the behaviors described here, from initial access through an edge appliance, to persistence via a kernel-module rootkit and bespoke accounts, to lateral movement onto F5 BIG-IP devices and privilege escalation, and so identify where their own detection and hardening coverage falls short.