The attacker chained Ivanti CSA zero-days to execute a base64-encoded Python script, which extracted the admin password from a local PostgreSQL database. Using this access, the attacker created or modified PHP scripts to serve as webshells and sometimes deployed a custom Linux rootkit (sysinitd.ko) allowing TCP hijacking and remote root access. In some cases, they altered file metadata and modified php.ini to inject dynamic eval code. ANSSI also observed the threat actor performing lateral movement (e.g., to F5 BIG-IP), credential harvesting, and persistent access establishment via reverse shells (GOREVERSE) and proxy tools (Neo-reGeorg, suo5). The attackers showed both advanced capabilities and commodity tool use, supporting the theory of a multi-actor operation.
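Two of the persistence mechanisms described above, PHP webshells and php.ini edits that pull extra code into every request, lend themselves to a simple host-side sweep. The script below is an added defensive example, not code from the ANSSI report or from the article; the directive names (auto_prepend_file, auto_append_file) are real PHP settings, but the webshell regexes, the sample web root, and the file contents it scans are constructed here for illustration and are not indicators from the campaign.

```python
"""Added defensive example (not from the ANSSI report or the article): sweep a
PHP web root for two persistence patterns the summary describes:
(1) php.ini directives that make PHP load extra code on every request, and
(2) PHP files that evaluate decoded or request-supplied payloads (webshell-like).
The sample tree, directive list and regexes are assumptions for illustration."""
import re
import tempfile
from pathlib import Path

# php.ini directives that cause PHP to include a file on every request; an
# unexpected value here is one way to "inject dynamic eval code" site-wide.
SUSPICIOUS_INI_DIRECTIVES = ("auto_prepend_file", "auto_append_file")

# Patterns typical of minimal PHP webshells: eval of decoded or request input.
WEBSHELL_PATTERNS = [
    re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    re.compile(r"eval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    re.compile(r"(assert|preg_replace)\s*\(.*\$_(GET|POST|REQUEST)", re.I),
]


def check_php_ini(ini_path: Path) -> list[str]:
    """Return one finding per prepend/append directive that points at a file."""
    findings = []
    for lineno, line in enumerate(ini_path.read_text(errors="replace").splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith((";", "#")):
            continue  # commented-out directives are inert
        key, _, value = stripped.partition("=")
        key, value = key.strip().lower(), value.strip().strip("\"'")
        if key in SUSPICIOUS_INI_DIRECTIVES and value:
            findings.append(f"{ini_path}:{lineno}: {key} = {value}")
    return findings


def scan_php_files(webroot: Path) -> list[str]:
    """Return 'path: pattern' for every PHP file that matches a webshell pattern."""
    findings = []
    for path in sorted(webroot.rglob("*.php")):
        text = path.read_text(errors="replace")
        for pat in WEBSHELL_PATTERNS:
            if pat.search(text):
                findings.append(f"{path}: {pat.pattern}")
                break  # one finding per file is enough to queue it for triage
    return findings


def build_sample_tree(root: Path) -> None:
    """Construct a small web root (sample data, not artifacts from the report)."""
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "cache").mkdir()
    (root / "cache" / "x.php").write_text("<?php eval(base64_decode($_POST['d'])); ?>\n")
    (root / "php.ini").write_text(
        "; sample php.ini\n"
        "memory_limit = 128M\n"
        "auto_prepend_file = /tmp/.cache/init.php\n"
        ";auto_append_file = unused.php\n"
    )


def run_demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir and return both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        ini = check_php_ini(root / "php.ini")
        shells = scan_php_files(root)
        # Replace the temp prefix so results are stable for callers.
        return {
            "ini": [f.replace(tmp, "<root>") for f in ini],
            "webshell": [f.replace(tmp, "<root>") for f in shells],
        }


if __name__ == "__main__":
    for kind, items in run_demo().items():
        for item in items:
            print(f"[{kind}] {item}")
```

On a real host you would point check_php_ini at every loaded ini file (php --ini lists them) and scan_php_files at the served document roots; because the text notes that file metadata was altered, do not rely on modification times to scope the sweep, and diff any hit against a known-good copy of the application rather than trusting timestamps.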
The campaign used anonymized infrastructure — including NordVPN, ExpressVPN, Proton VPN, and VPS hosts such as HOSTHATCH, ColoCrossing, and JVPS — and reused IPs across incidents. UNC5174's observed behaviors included self-patching exploited systems to prevent takeover by rival actors, use of Chinese-documented tooling (e.g., Behinder, VShell), and operational activity aligned with China Standard Time (UTC+8). In at least one case, Houken exfiltrated email data from a Ministry of Foreign Affairs mailbox server in South America. Cryptomining using Monero and C3Pool infrastructure was also observed.