ANSSI vs. Houken: France Battles Advanced Chinese Hacking Threat

In this episode, we uncover a high-stakes cyber campaign targeting the heart of French digital infrastructure. ANSSI, France’s national cybersecurity agency, has exposed a Chinese-linked hacking group known as Houken (UNC5174 or Uteus) responsible for a widespread espionage operation since late 2024. This state-adjacent threat actor infiltrated critical sectors including government, media, transport, telecom, and finance using an arsenal of sophisticated tactics—blending zero-day exploits, rootkits, and stealthy post-exploitation tools.

The Houken group leveraged multiple zero-day vulnerabilities in Ivanti Cloud Service Appliances (CSA)—CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380—to gain initial access. But this wasn’t just about intrusion; Houken’s operators dug in deep: stealing credentials, moving laterally, and deploying a rare Linux kernel-mode rootkit capable of hijacking any inbound TCP traffic while remaining virtually invisible to traditional defenses.

What sets this campaign apart isn’t just its technical sophistication—it’s the hybrid nature of the threat. ANSSI suggests Houken may be a cyber mercenary group, simultaneously working in the service of China’s Ministry of State Security (MSS) and pursuing financial gains, such as cryptocurrency mining and reselling system access. This “multiparty approach” signifies a dangerous evolution in cybercrime—where espionage and monetization coexist within a single operational framework.

We delve into:

• The attack chain: from zero-day exploitation to credential harvesting and stealth persistence.
• The rootkit sysinitd.ko: a kernel module granting root-level command execution while avoiding detection.
• Defense evasion tactics: including timestomping, log deletion, and self-patching vulnerabilities to lock out rival threat actors.
• Houken’s toolkit: a mix of commodity utilities (Nmap, Netcat, Fscan) and custom implants (PHP webshells, SparkRAT, Neo-reGeorg).
• Operational clues that tie activity to China Standard Time (UTC+8) and highlight probable MSS alignment.

This is more than a breach. It’s a signal that cyber mercenary operations are maturing, and European states are squarely in the crosshairs. The Houken campaign forces a reconsideration of perimeter defenses, zero-day management, and detection strategies for advanced persistent threats.

Whether you’re a security architect, CISO, or public sector technologist, this episode provides a deep and essential briefing on one of the most sophisticated cyber espionage efforts uncovered in 2025.