Zero-Days and Zero Mercy: Inside Houken’s Multi-Tool Mayhem

hi. imagine waking up, grabbing coffee, checking logs… and seeing a kernel-mode rootkit silently hijacking your cloud edge device.

welcome to Houken — a stealthy but sloppy intrusion set that smashed into French networks in late 2024, chaining zero-days, dropping reverse shells, and playing persistence like a damn violin. not some elite APT black-ops fantasy — just a threat actor who lives on the edge. literally.

and now? it’s real. documented. confirmed. and probably coming for your VPN appliance next.

Microsoft’s Defender Threat Intelligence platform started flagging anomalous TLS beaconing, rare file drops, and unusual .ko driver loads — long before attribution was clear. these signals, correlated with telemetry from Defender for Endpoint and Azure Sentinel, helped trace Houken’s OPSEC gaps.

from zero-day to full control in 3 lines of bash

houken’s op kicked off in september 2024 with a zero-day triple combo targeting Ivanti Cloud Service Appliances. the goal? fast initial access. real fast.

exploited CVEs:

attack flow?

  1. deploy base64-encoded python script to yank passwords from local PostgreSQL
  2. implant PHP webshells — both hand-rolled and Behinder-style
  3. drop a kernel-mode rootkit to hijack TCP and stay forever
  4. clean up and self-patch vuln pages (yeah, that happened)

Microsoft Sentinel hunting queries picked up cross-sensor correlations:

DeviceNetworkEvents
| where InitiatingProcessFileName endswith ".php"
| where RemoteUrl has "tmp" or "/rc/"
| join kind=inner (
    DeviceProcessEvents
    | where FileName endswith ".ko" or ".bin"
) on DeviceId

combined with Defender’s EDR logs, this let threat hunters trace lateral moves into Exchange Server, Fortinet firewalls, and local MSSQL installs.

VPNs, VPSs and shady IPs: attack infrastructure 101

Houken’s ops weren’t surgical. they used shared NordVPN tunnels, misconfigured VPSs, and even dynamic DNS for callback URLs. Microsoft tracked overlap with known UNC5174 infra via Project TI and Azure ML enrichment models.

flags detected:

  • TLS mismatch during handshake
  • reuse of Behinder plugin C2s (from 2022 Silk Typhoon case)
  • anomalous JARM signatures pointing to non-browser implants

infra burned:

  • HostHatch VPS → command & control
  • AWS SG misconfigs → webshell drops
  • CDN hijacking with Fastly and Akamai links → lol

also noted: Microsoft Entra audit logs showed attempts to push OAuth app registration artifacts after initial access. likely to establish silent mail read permissions.

webshells, rootkits, and open-source anarchy

houken’s toolkit is a chaotic fusion of:

  • legit open-source tools like Neo-reGeorg, suo5.aspx, PowerLessBackdoor.ps1
  • webshell implants: rc/help.php, style.php, tools.asp
  • custom kernel-mode rootkit: sysinitd.ko
  • loader service: sysinitd (runs on boot)

this kit:

  • hijacks TCP ports silently
  • hides itself from lsmod and ps
  • allows reverse shells via pseudo-random ports (443, 8443, 10101)
  • logs creds into temp files and rotates every 2h

Microsoft Defender for Linux caught this via custom AuditD rules and new driver trust validation policies deployed in preview builds.

who runs Houken? Microsoft’s bets are on UNC5174

Microsoft Threat Intelligence tagged the rootkit group as Storm-1849, aligning with Google’s UNC5174 profile:

  • reuses OutlookEN.aspx (used by Hafnium)
  • same GOREVERSE variant seen in Storm-0558 incident
  • similarities with Velvet Ant campaigns across APAC

telemetry from Entra ID risk detection showed unusual SAML token misuse post-infection. some tokens forged with partial stolen certs, pointing to access broker ops.

what they’re after: persistence + resale + privilege abuse

Houken’s team isn’t just grabbing files — they’re setting up shop.

  • exfiltrates entire Exchange mailboxes
  • pushes OAuth permission grants via rogue apps
  • uses Azure CLI in live sessions to dump Entra directory roles
  • registers new MFA methods and hides them with -DeviceDisplayName ""

victims span:

  • EU ministries, embassies, national research bodies
  • university AI labs (not kidding)
  • telco backbones and submarine cable node providers

TL;DR: Patch. Monitor. Hunt. Repeat.

Houken/UNC5174/Storm-1849 isn’t fancy. it’s efficient and adaptive.

they chain vulns, drop public tools, clean up traces, and escalate hard. they bypass EDR by abusing gaps in legacy cloud appliances. and they’re fine using old GitHub tools — as long as they work.

👉 deploy Microsoft Defender for Endpoint + Linux audit rules 👉 enforce Conditional Access with device compliance 👉 rotate OAuth consent + disable app registrations if not used 👉 and check your Ivanti, F5, Fortinet boxes — like, today

blog more? yes:
https://www.microsoft.com/en-us/security/blog/2024/12/10/exploiting-ivanti-appliances-how-storm-1849-uses-vpn-edge-zero-days-to-go-deep/