Threat Actors Exploit LANSCOPE Endpoint Manager Zero-Day Vulnerability to Steal Confidential Data

In mid-2025, researchers discovered a sophisticated campaign orchestrated by the Chinese state-sponsored threat group BRONZE BUTLER (also known as Tick) targeting organizations relying on Motex LANSCOPE Endpoint Manager.

The attackers exploited a previously unknown zero-day vulnerability tracked as CVE-2025-61932, which grants remote adversaries the ability to execute arbitrary commands with SYSTEM privileges.

This marks the group’s continued targeting of Japanese asset management software, following their successful exploitation of SKYSEA Client View in 2016.

JPCERT/CC publicly disclosed the vulnerability on October 22, 2025, prompting urgent action from organizations worldwide.

The campaign reveals a meticulously orchestrated attack chain combining multiple malware families and legitimate tools to establish persistence and exfiltrate sensitive information.

Sophos researchers identified that the attackers leveraged the zero-day to achieve initial access on vulnerable internet-facing LANSCOPE servers, then pivoted to lateral movement within compromised networks.

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-61932 to its Known Exploited Vulnerabilities Catalog the same day the advisory was published, confirming active exploitation in the wild.

Figure: Comparison of internal function names in the 2023 (left) and 2025 (right) Gokcpdoor samples (Source – Sophos)

Sophos analysts identified the Gokcpdoor malware as the primary command and control mechanism employed throughout this operation.

The 2025 variant represents a significant evolution from earlier versions: it drops support for the KCP protocol and instead implements multiplexed command-and-control communications built on third-party libraries.

Advanced Persistence Through Malware Multiplexing

Sophos researchers identified two distinct Gokcpdoor variants tailored for specific operational purposes.

The server variant maintains open listening ports specified within its embedded configuration, typically using ports 38000 or 38002, to establish incoming remote access channels.

Figure: Execution flow utilizing OAED Loader (Source – Sophos)

The client variant, conversely, initiates connections to hard-coded command and control servers, establishing secure communication tunnels that function as persistent backdoors.
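The server variant's fixed listening ports (38000 or 38002) give defenders a concrete hunting hook. The following triage helper is an added example, not code from Sophos or the original article: it parses Windows `netstat -ano` and `tasklist` output, flags listeners on those ports, and counts established connections to them. All sample lines, PIDs and image names below are constructed for illustration.

```python
"""Flag Gokcpdoor-style listeners (TCP 38000/38002) in Windows netstat output.
Added example; sample data is constructed, not taken from the incident."""
import re
from collections import namedtuple

GOKCPDOOR_PORTS = {38000, 38002}  # listening ports reported for the server variant

# Constructed sample output (PIDs and image names are illustrative only).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:38002          0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:38002         10.0.0.77:51233        ESTABLISHED     4120
  TCP    10.0.0.5:3389          10.0.0.77:51240        ESTABLISHED     1016
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
svchost.exe                    912 Services                   0      9,124 K
svchost.exe                   4120 Services                   0     14,532 K
svchost.exe                   1016 Services                   0     12,004 K
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\w+)\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s")

Finding = namedtuple("Finding", "local_addr port pid image established")

def parse_netstat(text):
    """Return (local_ip, port, state, pid) tuples for each TCP row."""
    return [m.groups() for m in map(NETSTAT_RE.match, text.splitlines()) if m]

def pid_to_image(text):
    """Map PID -> image name from `tasklist` output (header row does not match)."""
    return {int(m.group(2)): m.group(1)
            for m in map(TASKLIST_RE.match, text.splitlines()) if m}

def find_listeners(netstat_text, tasklist_text, ports=GOKCPDOOR_PORTS):
    """Flag listeners on suspect ports and count live connections to each.
    Note: OAED Loader injects into legitimate executables, so a benign-looking
    image name (e.g. svchost.exe) does not clear the finding."""
    images = pid_to_image(tasklist_text)
    rows = parse_netstat(netstat_text)
    findings = []
    for ip, port, state, pid in rows:
        if state == "LISTENING" and int(port) in ports:
            live = sum(1 for r in rows if r[1] == port and r[2] == "ESTABLISHED")
            findings.append(Finding(ip, int(port), int(pid),
                                    images.get(int(pid), "unknown"), live))
    return findings
```

Any hit should be followed by memory and file inspection of the owning process, since the listening port alone identifies the socket, not the injected payload.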

To complicate forensic analysis and evade detection, the threat actors deployed the OAED Loader malware, which injects payloads into legitimate executables according to embedded configurations.

On certain compromised hosts, the attackers substituted Gokcpdoor entirely with the Havoc command and control framework, demonstrating operational flexibility.

For data exfiltration and lateral movement, BRONZE BUTLER abused legitimate tools including goddi (Go dump domain info), remote desktop applications, and the 7-Zip archiving utility.

The attackers further leveraged cloud storage services including io and LimeWire accessed through web browsers during remote sessions, successfully stealing confidential organizational data.
