🇬🇧 Houken seeking a path by living on the edge with zero-days (1 July 2025)
ID: e272aa0b-39ed-5025-a676-e3a338150fe6
STIX ID: report--e272aa0b-39ed-5025-a676-e3a338150fe6
Feed Name: CERT-FR
ANSSI observed a September 2024 campaign leveraging multiple zero-day vulnerabilities in Ivanti Cloud Service Appliance devices to gain initial access to French governmental, telecommunications, media, finance, and transport networks. The intrusion set, named Houken and linked to Mandiant's UNC5174, employs zero-days and a sophisticated rootkit alongside various open-source tools and diverse infrastructure. Its activity appears driven by access-brokering (selling initial access to likely state-linked consumers) and includes at least one data exfiltration incident and interest in cryptominer deployment.
