China Linked Houken Hackers Breach French Systems with Ivanti Zero Days

In a report published by ANSSI on July 1, 2025, the French cybersecurity agency revealed a highly skilled cybercrime group, dubbed Houken, has carried out a sophisticated attack campaign exploiting multiple zero-day vulnerabilities (CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380) in Ivanti Cloud Service Appliance (CSA) devices.

This group, believed to be linked to the Chinese threat actor UNC5174, infiltrated high-value targets across France. Affected sectors included government bodies, defence organizations, telecommunications providers, financial institutions, media outlets, and transport networks.

The attacks were first observed in September 2024, targeting French entities seeking initial access to their networks. These zero-day vulnerabilities, meaning they were unknown to Ivanti and the public until exploited, allowed the attackers to remotely execute code on vulnerable devices.

ANSSI’s investigation revealed that this group uses complex tools like a specialized rootkit, specifically a kernel module named sysinitd.ko and a user-space executable sysinitd, but also rely on many open-source tools often created by Chinese-speaking developers.

After gaining initial access through Ivanti CSA devices, Houken hackers also performed reconnaissance and moved laterally within victim networks, even compromising other devices such as F5 BIG-IP.

ANSSI suspects that Houken hackers act as an initial access broker. This means they gain a foothold in sensitive systems, possibly to sell access to other groups interested in deeper spying activities.

While their main goal seems to be selling access for intelligence, ANSSI also saw one instance of data theft and attempts to install cryptocurrency miners, suggesting they sometimes look for direct financial gain.

The Houken group has a broad range of targets beyond France, including organizations in Southeast Asia and Western countries. Their activities, including observations of their operational hours, align with China Standard Time (UTC+8). To conceal their operations, the group utilized a diverse attack infrastructure, including commercial VPN services, dedicated servers, and even residential or mobile IP addresses.

The links between Houken and UNC5174, a group previously described by Mandiant, are strong as both groups exhibit similar behaviours, such as creating specific user accounts and, notably, patching vulnerabilities after exploitation.

What makes this campaign particularly noteworthy is the cunning move by the attackers: they patched the very vulnerabilities they used to get in. Garrett Calpouzos, Principal Security Researcher at Sonatype, noted in his comment shared with Hackread.com that this is “a tactic we’re seeing more frequently among advanced threat actors.” By fixing the flaw after their entry, Houken phackers revented other hacking groups from using the same weak spots, helping them stay hidden longer. This suggests a desire for continued, undetected access to their targets.“

Calpouzos emphasized the importance of securing internet-facing systems, especially with “remote code execution (RCE) vulnerabilities.” He also highlighted that these incidents underscore “unique risks facing high-value targets such as government agencies, which often struggle to act quickly due to bureaucratic hurdles.”

The Houken group remains active, and experts expect them to continue targeting internet-exposed devices worldwide.