IT-DRAFTS
July 1, 2025

Zero-Days and Zero Mercy: Inside Houken’s Multi-Tool Mayhem

hi. imagine waking up, grabbing coffee, checking logs… and seeing a kernel-mode rootkit silently hijacking your cloud edge device.

welcome to Houken — a stealthy but sloppy intrusion set that smashed into French networks in late 2024, chaining zero-days, dropping reverse shells, and playing persistence like a damn violin. not some elite APT black-ops fantasy — just a threat actor who lives on the edge. literally.

and now? it’s real. documented. confirmed. and probably coming for your VPN appliance next.

Microsoft’s Defender Threat Intelligence platform started flagging anomalous TLS beaconing, rare file drops, and unusual .ko driver loads — long before attribution was clear. these signals, correlated with telemetry from Defender for Endpoint and Azure Sentinel, helped trace Houken’s OPSEC gaps.

from zero-day to full control in 3 lines of bash

houken’s op kicked off in september 2024 with a zero-day triple combo targeting Ivanti Cloud Service Appliances. the goal? fast initial access. real fast.

exploited CVEs:

  • CVE-2024-8190
  • CVE-2024-8963
  • CVE-2024-9380

attack flow?

  1. deploy base64-encoded python script to yank passwords from local PostgreSQL
  2. implant PHP webshells — both hand-rolled and Behinder-style
  3. drop a kernel-mode rootkit to hijack TCP and stay forever
  4. clean up and self-patch vuln pages (yeah, that happened)

Microsoft Sentinel hunting queries picked up cross-sensor correlations:

// PHP-initiated outbound connections whose URL carries a tmp or /rc/ path segment,
// joined on DeviceId with hosts that also launched a .ko or .bin file
DeviceNetworkEvents
| where InitiatingProcessFileName endswith ".php"
| where RemoteUrl has "tmp" or RemoteUrl has "/rc/"
| join kind=inner (
    DeviceProcessEvents
    | where FileName endswith ".ko" or FileName endswith ".bin"
) on DeviceId

combined with Defender’s EDR logs, this let threat hunters trace lateral moves into Exchange Server, Fortinet firewalls, and local MSSQL installs.
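the same correlation, re-implemented offline so you can see exactly which rows the hunt joins. this is an added example, not code from the post or from Microsoft; the sample rows are constructed (column names follow the Defender advanced-hunting schema used in the query, the values are made up), KQL `has` is approximated as whole-term matching, and the optional `window_hours` time constraint is an addition the KQL above does not have.

```python
import re
from datetime import datetime

# Constructed DeviceNetworkEvents rows (made-up values; column names follow
# the Defender advanced-hunting schema used in the query above).
NETWORK_EVENTS = [
    {"Timestamp": datetime(2024, 9, 14, 10, 2), "DeviceId": "csa-01",
     "InitiatingProcessFileName": "help.php", "RemoteUrl": "203.0.113.10/tmp/.x"},
    {"Timestamp": datetime(2024, 9, 14, 10, 5), "DeviceId": "csa-02",
     "InitiatingProcessFileName": "index.php", "RemoteUrl": "cdn.example.net/assets/style.css"},
    {"Timestamp": datetime(2024, 9, 14, 11, 0), "DeviceId": "csa-03",
     "InitiatingProcessFileName": "curl", "RemoteUrl": "203.0.113.10/tmp/.x"},
    {"Timestamp": datetime(2024, 9, 14, 9, 0), "DeviceId": "csa-04",
     "InitiatingProcessFileName": "tools.php", "RemoteUrl": "198.51.100.7/rc/help.php"},
]

# Constructed DeviceProcessEvents rows (made-up values).
PROCESS_EVENTS = [
    {"Timestamp": datetime(2024, 9, 14, 10, 3), "DeviceId": "csa-01", "FileName": "sysinitd.ko"},
    {"Timestamp": datetime(2024, 9, 14, 10, 4), "DeviceId": "csa-02", "FileName": "agent.bin"},
    {"Timestamp": datetime(2024, 9, 14, 11, 1), "DeviceId": "csa-03", "FileName": "sysinitd.ko"},
    {"Timestamp": datetime(2024, 9, 14, 15, 30), "DeviceId": "csa-04", "FileName": "loader.bin"},
]


def has_term(text: str, term: str) -> bool:
    """Approximation of KQL `has`: whole-term, case-insensitive match.
    Unlike `contains`, the term "tmp" does not match "tmpfiles"."""
    tokens = set(re.split(r"[^a-z0-9]+", text.lower()))
    wanted = re.sub(r"[^a-z0-9]", "", term.lower())
    return bool(wanted) and wanted in tokens


def suspicious_connection(row: dict) -> bool:
    """PHP-initiated connection to a tmp- or /rc/-style path."""
    proc = row["InitiatingProcessFileName"].lower()
    url = row["RemoteUrl"]
    return proc.endswith(".php") and (has_term(url, "tmp") or has_term(url, "/rc/"))


def suspicious_launch(row: dict) -> bool:
    """Launch of a .ko kernel module or a .bin payload (endswith is case-insensitive in KQL)."""
    name = row["FileName"].lower()
    return name.endswith(".ko") or name.endswith(".bin")


def hunt(network_events, process_events, window_hours=None):
    """Inner join on DeviceId of the two filtered tables, as in the KQL.
    window_hours (an addition over the KQL) additionally requires the two
    events to lie within that many hours of each other."""
    launches_by_device = {}
    for p in process_events:
        if suspicious_launch(p):
            launches_by_device.setdefault(p["DeviceId"], []).append(p)

    hits = []
    for n in network_events:
        if not suspicious_connection(n):
            continue
        for p in launches_by_device.get(n["DeviceId"], []):
            gap = abs((p["Timestamp"] - n["Timestamp"]).total_seconds()) / 3600
            if window_hours is not None and gap > window_hours:
                continue
            hits.append({
                "DeviceId": n["DeviceId"],
                "InitiatingProcessFileName": n["InitiatingProcessFileName"],
                "RemoteUrl": n["RemoteUrl"],
                "FileName": p["FileName"],
                "gap_hours": round(gap, 2),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(NETWORK_EVENTS, PROCESS_EVENTS, window_hours=1):
        print(hit)
```

without a window the join returns csa-01 and csa-04; with `window_hours=1` only csa-01 survives, because its .bin launch on csa-04 came six and a half hours after the connection. that time bound is the first thing to add when the raw join gets noisy on a busy appliance.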

VPNs, VPSs and shady IPs: attack infrastructure 101

Houken’s ops weren’t surgical. they used shared NordVPN tunnels, misconfigured VPSs, and even dynamic DNS for callback URLs. Microsoft tracked overlap with known UNC5174 infra via Project TI and Azure ML enrichment models.

flags detected:

  • TLS mismatch during handshake
  • reuse of Behinder plugin C2s (from 2022 Silk Typhoon case)
  • anomalous JARM signatures pointing to non-browser implants

infra burned:

  • HostHatch VPS → command & control
  • AWS SG misconfigs → webshell drops
  • CDN hijacking with Fastly and Akamai links → lol

also noted: Microsoft Entra audit logs showed attempts to push OAuth app registration artifacts after initial access, likely to establish silent mail read permissions.

webshells, rootkits, and open-source anarchy

houken’s toolkit is a chaotic fusion of:

  • legit open-source tools like Neo-reGeorg, suo5.aspx, PowerLessBackdoor.ps1
  • webshell implants: rc/help.php, style.php, tools.asp
  • custom kernel-mode rootkit: sysinitd.ko
  • loader service: sysinitd (runs on boot)

this kit:

  • hijacks TCP ports silently
  • hides itself from lsmod and ps
  • allows reverse shells via pseudo-random ports (443, 8443, 10101)
  • logs creds into temp files and rotates every 2h

Microsoft Defender for Linux caught this via custom AuditD rules and new driver trust validation policies deployed in preview builds.
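a rootkit that unlinks itself from the module list still leaves its sysfs directory behind, and a process hidden from ps can still be reached by pid. the cross-view check below is an added example (mine, not Defender's detection logic and not from the post): it diffs /proc/modules against /sys/module, keeping only loadable modules (those with an initstate file, so built-ins do not show up as false positives), and diffs the visible pid list against a probe. the PROC_MODULES text, SYS_MODULE map and pid sets are constructed sample data; the `live_*` helpers read the real kernel views when run on Linux.

```python
import os
import sys

# Constructed /proc/modules snapshot (format: name size refcount deps state offset).
PROC_MODULES = """\
ext4 737280 2 - Live 0x0000000000000000
xfs 1622016 0 - Live 0x0000000000000000
tun 53248 2 - Live 0x0000000000000000
"""

# Constructed view of /sys/module: directory name -> files present in it.
# "sysinitd" is loaded but unlinked from the kernel's module list (so lsmod
# and /proc/modules no longer show it); "printk" is a built-in, which has no
# initstate file and is legitimately absent from /proc/modules.
SYS_MODULE = {
    "ext4": {"initstate", "refcnt", "sections"},
    "xfs": {"initstate", "refcnt", "sections"},
    "tun": {"initstate", "refcnt", "sections"},
    "sysinitd": {"initstate", "refcnt", "sections"},
    "printk": {"parameters"},
}

# Constructed pid sets: what the process listing showed vs. what the kernel knows.
PS_VISIBLE_PIDS = {1, 2, 812, 1337}
FAKE_KERNEL_PIDS = {1, 2, 812, 1337, 4242}


def parse_proc_modules(text):
    """Return {name: (size, refcount)} from /proc/modules content."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            mods[parts[0]] = (int(parts[1]), int(parts[2]))
    return mods


def hidden_modules(proc_modules_text, sys_module):
    """Loadable modules (those with a sysfs initstate file) that appear in
    /sys/module but are missing from /proc/modules."""
    listed = set(parse_proc_modules(proc_modules_text))
    loadable = {name for name, files in sys_module.items() if "initstate" in files}
    return sorted(loadable - listed)


def hidden_pids(visible_pids, probe, max_pid=65535):
    """Pids that exist according to probe(pid) but are absent from the
    process listing. probe() must return True for live pids."""
    return sorted(pid for pid in range(1, max_pid + 1)
                  if pid not in visible_pids and probe(pid))


def live_probe(pid):
    """Real probe via kill(pid, 0): EPERM still means the pid exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def live_sys_module():
    """Read the real /sys/module into the same {name: files} shape."""
    root = "/sys/module"
    return {name: set(os.listdir(os.path.join(root, name)))
            for name in os.listdir(root)}


if __name__ == "__main__" and sys.platform.startswith("linux"):
    with open("/proc/modules") as fh:
        print("modules hidden from /proc/modules:",
              hidden_modules(fh.read(), live_sys_module()))
    visible = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    print("pids hidden from /proc:", hidden_pids(visible, live_probe))
```

on the constructed data the module diff returns only sysinitd and the pid diff only 4242. on a real box, short-lived processes that start between the /proc scan and the kill() probe show up as one-off false positives; run the pid check twice and keep the intersection. a rootkit that also hooks kill() or hides its sysfs entry defeats this particular view, which is why the auditd rules on module loads mentioned above matter as a second signal.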

who runs Houken? Microsoft’s bets are on UNC5174

Microsoft Threat Intelligence tagged the rootkit group as Storm-1849, aligning with Google’s UNC5174 profile:

  • reuses OutlookEN.aspx (used by Hafnium)
  • same GOREVERSE variant seen in Storm-0558 incident
  • similarities with Velvet Ant campaigns across APAC

telemetry from Entra ID risk detection showed unusual SAML token misuse post-infection. some tokens forged with partial stolen certs, pointing to access broker ops.

what they’re after: persistence + resale + privilege abuse

Houken’s team isn’t just grabbing files — they’re setting up shop.

  • exfiltrates entire Exchange mailboxes
  • pushes OAuth permission grants via rogue apps
  • uses Azure CLI in live sessions to dump Entra directory roles
  • registers new MFA methods and hides them with -DeviceDisplayName ""
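the two tenant-side moves called out here and in the Entra audit note above (consent grants that hand an app mailbox read access, and MFA methods registered with a blank display name) are easy to miss one at a time and loud when the same account does both. the scan below is an added example, not code from the post or from Microsoft: the records are constructed and their layout is this example's own simplified shape, not the real Entra audit log schema; the Mail.* names are real Microsoft Graph permissions but the list is illustrative, not exhaustive.

```python
from datetime import datetime, timedelta

# Microsoft Graph permissions that grant mailbox read access (illustrative, not exhaustive).
MAIL_READ_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic"}

# Constructed, simplified audit records. This is NOT the real Entra audit
# log schema; the field names are this example's own.
EVENTS = [
    {"time": datetime(2024, 10, 2, 8, 10), "actor": "alice@example.test",
     "activity": "Consent to application", "app": "MailSync Helper",
     "scopes": ["offline_access", "Mail.Read"]},
    {"time": datetime(2024, 10, 2, 8, 25), "actor": "alice@example.test",
     "activity": "User registered security info",
     "method": "Microsoft Authenticator", "device_display_name": ""},
    {"time": datetime(2024, 10, 2, 9, 0), "actor": "bob@example.test",
     "activity": "User registered security info",
     "method": "Microsoft Authenticator", "device_display_name": "Bob's phone"},
    {"time": datetime(2024, 10, 2, 9, 30), "actor": "carol@example.test",
     "activity": "Consent to application", "app": "Expense Tracker",
     "scopes": ["User.Read"]},
    {"time": datetime(2024, 10, 3, 17, 45), "actor": "dave@example.test",
     "activity": "User registered security info",
     "method": "Microsoft Authenticator", "device_display_name": "   "},
]


def mail_read_consents(events):
    """Consent grants whose requested scopes include a mailbox-read permission."""
    return [e for e in events
            if e["activity"] == "Consent to application"
            and set(e.get("scopes", [])) & MAIL_READ_SCOPES]


def blank_name_mfa_registrations(events):
    """Authentication-method registrations with an empty or whitespace-only display name."""
    return [e for e in events
            if e["activity"] == "User registered security info"
            and not e.get("device_display_name", "").strip()]


def actors_with_both(events, window_hours=24):
    """Actors who granted a mail-read consent and registered a nameless MFA
    method within window_hours of each other, in either order."""
    consents = mail_read_consents(events)
    registrations = blank_name_mfa_registrations(events)
    window = timedelta(hours=window_hours)
    flagged = set()
    for c in consents:
        for r in registrations:
            if c["actor"] == r["actor"] and abs(c["time"] - r["time"]) <= window:
                flagged.add(c["actor"])
    return sorted(flagged)


if __name__ == "__main__":
    for e in mail_read_consents(EVENTS):
        print("mail-read consent:", e["actor"], e["app"], e["scopes"])
    for e in blank_name_mfa_registrations(EVENTS):
        print("nameless MFA method:", e["actor"], e["method"])
    print("both within 24h:", actors_with_both(EVENTS))
```

on the sample records alice's consent to MailSync Helper and her blank-named Authenticator registration fifteen minutes later put her on the combined list; dave's nameless registration stands alone and carol's User.Read consent is benign. the whitespace check matters because a display name of spaces passes a naive `== ""` test.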

victims span:

  • EU ministries, embassies, national research bodies
  • university AI labs (not kidding)
  • telco backbones and submarine cable node providers

TL;DR: Patch. Monitor. Hunt. Repeat.

Houken/UNC5174/Storm-1849 isn’t fancy. it’s efficient and adaptive.

they chain vulns, drop public tools, clean up traces, and escalate hard. they bypass EDR by abusing gaps in legacy cloud appliances. and they’re fine using old GitHub tools — as long as they work.

  • deploy Microsoft Defender for Endpoint + Linux audit rules
  • enforce Conditional Access with device compliance
  • rotate OAuth consent + disable app registrations if not used
  • and check your Ivanti, F5, Fortinet boxes — like, today

blog more? yes:
https://www.microsoft.com/en-us/security/blog/2024/12/10/exploiting-ivanti-appliances-how-storm-1849-uses-vpn-edge-zero-days-to-go-deep/

©2025 IT-DRAFTS | Powered by WordPress and Superb Themes!