Chinese Houken Hackers Exploiting Ivanti CSA Zero-Days to Deploy Linux Rootkits
A sophisticated Chinese threat group identified as Houken has been exploiting multiple zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices to deploy advanced Linux rootkits and establish persistent access to critical infrastructure networks.
The campaign, which began in September 2024, has successfully compromised organizations across governmental, telecommunications, media, finance, and transport sectors in France and beyond.
The attack chains three vulnerabilities: CVE-2024-8963 (a path traversal that exposes restricted CSA functionality without authentication), and CVE-2024-8190 and CVE-2024-9380 (OS command injection flaws in the admin console that normally require an authenticated session). The traversal bug supplies the access the command-injection bugs need, and all three were exploited as zero-days before Ivanti’s security advisories were published.
This coordinated exploitation demonstrates the threat actors’ advanced capabilities in vulnerability research and their access to previously unknown security flaws.
The campaign’s global reach extends across Southeast Asia, Europe, and the United States, with particular focus on research institutions, non-governmental organizations, and entities of strategic intelligence value.
Analysts at CERT-FR (ANSSI) identified the Houken intrusion set through forensic analysis of compromised French infrastructure, and found activity timestamps consistent with working hours in China Standard Time (UTC+8).
The investigation uncovered links between Houken and the previously documented UNC5174 intrusion set, suggesting coordination by a common threat actor operating as an initial access broker for state-sponsored intelligence collection.
The attackers demonstrate a paradoxical blend of sophisticated techniques and commodity tools, utilizing zero-day exploits alongside open-source utilities primarily developed by Chinese-speaking programmers.
Their infrastructure combines commercial VPN services including NordVPN and ExpressVPN with dedicated command-and-control servers, indicating either multi-actor collaboration or deliberately diverse operational security practices.
Advanced Rootkit Deployment and Persistence Mechanisms
The most concerning element of Houken’s toolkit is a previously unobserved Linux rootkit with two components: a kernel module (sysinitd.ko) and a user-space executable (sysinitd).
The kernel component hijacks inbound TCP traffic on every port and executes operator commands with root privileges. Because the backdoor needs no listening socket of its own, inventories of open ports and unexpected service processes, the checks traditional network monitoring relies on, do not reveal it.
The rootkit installation starts from webshells written through vulnerability exploitation. For example, the attackers used CVE-2024-9380 to write a PHP webshell into the CSA web root with a command of the following form (the PHP payload itself is not reproduced on this page):
echo "[PHP webshell]" > /opt/landesk/broker/webroot/rc/help.php
Once initial access is established, the threat actors deploy the rootkit components and set up several independent persistence mechanisms.
One of them does not touch individual PHP scripts at all: the attackers edit the PHP configuration file /etc/php.ini so that injected code runs on every request, whichever web page is accessed. The modification sets allow_url_include = On, the setting that lets PHP include code from a data: URI rather than only from a file on disk, and adds a base64-encoded PHP payload containing an eval() call (the decoded payload is not reproduced on this page). A backdoor configured this way survives the removal of every webshell file, because it needs none.
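The following host-triage script is an added example, not code from the ANSSI report or from this article, and it covers both the rootkit indicators above (sysinitd.ko / sysinitd) and the php.ini persistence. The indicator names and the allow_url_include setting come from the text; the auto_prepend_file and auto_append_file directives, the data: URI form of the payload and every sample input are assumptions constructed for the demo. It parses php.ini the way PHP does (a `;` inside a quoted value is not a comment, which matters because the data: URI contains one), decodes any inline base64 payload and looks for eval(), and cross-checks /proc/modules against /sys/module to catch a module that has unlinked itself from the kernel module list.

```python
"""Host triage for the Houken persistence indicators described above.

Added example, not code from the ANSSI report or from this article.
Indicator names (sysinitd / sysinitd.ko, help.php) and allow_url_include come
from the text; auto_prepend_file / auto_append_file, the data: URI form and all
sample inputs below are assumptions constructed for this demo.
"""
import base64
import re

SUSPICIOUS_MODULES = {"sysinitd"}    # module name once sysinitd.ko is loaded
SUSPICIOUS_PROCESSES = {"sysinitd"}  # user-space component
DATA_URI_RE = re.compile(r"data:(?://)?text/plain;base64,([A-Za-z0-9+/=]+)", re.I)


def _strip_comment(line):
    """Drop an inline ; comment, but keep a ; that sits inside a double-quoted value."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def parse_ini(text):
    """Map php.ini directives (lower-cased) to values; [sections] are ignored."""
    ini = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        ini[key.strip().lower()] = value.strip().strip('"')
    return ini


def decode_data_uri(value):
    """Return the decoded text of a base64 data: URI, or None if value is not one."""
    match = DATA_URI_RE.search(value)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def check_php_ini(text):
    """Flag php.ini settings that turn every PHP request into a code-execution path."""
    ini = parse_ini(text)
    findings = []
    if ini.get("allow_url_include", "off").lower() in ("on", "1", "true"):
        findings.append("allow_url_include enabled")
    for directive in ("auto_prepend_file", "auto_append_file"):
        value = ini.get(directive, "")
        if not value:
            continue
        decoded = decode_data_uri(value)
        if decoded is None:
            findings.append(f"{directive} set to {value!r}; review that file")
            continue
        findings.append(f"{directive} loads inline code from a data: URI")
        if re.search(r"\beval\s*\(", decoded):
            findings.append(f"{directive} payload calls eval()")
    return findings


def check_proc_modules(text):
    """Return suspicious module names from /proc/modules (first column is the name)."""
    names = [line.split()[0] for line in text.splitlines() if line.split()]
    return [n for n in names if n in SUSPICIOUS_MODULES]


def hidden_modules(proc_modules_text, sys_module_names):
    """Modules present under /sys/module but absent from /proc/modules.

    A module that unlinks itself from the kernel's module list vanishes from
    lsmod and /proc/modules, yet its /sys/module/<name> directory usually
    remains. Built-in kernel code also appears only in /sys/module, so treat a
    hit as a lead to verify, not as proof of a rootkit.
    """
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.split()}
    return sorted(set(sys_module_names) - listed)


def check_ps(text):
    """Return PIDs whose command name is suspicious, from `ps -eo pid,comm` output."""
    pids = []
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip() in SUSPICIOUS_PROCESSES:
            pids.append(int(parts[0]))
    return pids


# Constructed sample inputs (not real captures from a compromised appliance).
PAYLOAD = base64.b64encode(b"<?php eval($_POST['cmd']); ?>").decode()
SAMPLE_PHP_INI = (
    "[PHP]\nengine = On\nallow_url_include = On ; default is Off\n"
    f'auto_prepend_file = "data://text/plain;base64,{PAYLOAD}"\n'
)
SAMPLE_PROC_MODULES = "sysinitd 16384 0 - Live 0xffffffffc0a00000\next4 991232 1 - Live 0xffffffffc0100000\n"
SAMPLE_PS = "  PID COMMAND\n    1 systemd\n  842 sysinitd\n"

if __name__ == "__main__":
    print(check_php_ini(SAMPLE_PHP_INI))
    print(check_proc_modules(SAMPLE_PROC_MODULES))
    print(hidden_modules("ext4 991232 1 - Live 0xffffffffc0100000\n", ["ext4", "sysinitd"]))
    print(check_ps(SAMPLE_PS))
```

On a live appliance the inputs would come from /etc/php.ini, /proc/modules, os.listdir("/sys/module") and `ps -eo pid,comm`; the functions are kept pure so the same logic can run over copies of those files taken from a forensic image. A clean result from a host that may carry a kernel rootkit is still not trustworthy, since the module can filter what /proc and ps report.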
The rootkit’s TCP hijacking gives the attackers a way back in even after webshells and php.ini changes are found and removed. Because the implant runs in the kernel and can filter what the system reports about itself, file-level cleanup cannot be verified from the host; realistic remediation means rebuilding the appliance from a known-good image and rotating any credentials it held.