China-Linked Tick Group Exploits Lanscope Endpoint Manager Zero-Day (CVE-2025-61932) in Targeted Attacks
- Rescana
- 2 days ago

Executive Summary
A critical zero-day vulnerability in Motex Lanscope Endpoint Manager (tracked as CVE-2025-61932) has been exploited in the wild by a sophisticated China-linked threat actor known as Tick (also referred to as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon). This vulnerability enables remote, unauthenticated attackers to execute arbitrary commands with SYSTEM privileges on vulnerable on-premise installations of Lanscope Endpoint Manager. The exploitation campaign, first observed in Japan, has resulted in the deployment of advanced custom backdoors, post-exploitation frameworks, and evidence of data exfiltration and lateral movement. The attack chain demonstrates a high level of technical sophistication, leveraging custom malware, DLL side-loading, and multi-stage exfiltration techniques. Immediate patching and comprehensive threat hunting are strongly advised.
Threat Actor Profile
The threat actor behind these attacks is the China-based advanced persistent threat group Tick. This group has a long history of targeting Japanese organizations, particularly those in sectors aligned with Chinese intelligence priorities, such as technology, finance, and government. Tick is known for its methodical approach, custom malware development, and persistent cyber espionage operations. The group has previously exploited zero-day vulnerabilities in Japanese IT management software, including SKYSEA Client View (CVE-2016-7836), and is characterized by its use of multi-stage attack chains, custom backdoors, and advanced post-exploitation frameworks. Tick’s operations are typically motivated by intelligence gathering and long-term access to sensitive networks.
Technical Analysis of Malware/TTPs
The exploitation of CVE-2025-61932 begins with remote, unauthenticated command execution on exposed Lanscope Endpoint Manager servers. Attackers send specially crafted packets to the server’s TCP port 443, triggering the vulnerability and gaining SYSTEM-level access. Once initial access is established, the attackers deploy a custom backdoor known as Gokcpdoor (2025 variant). This backdoor is delivered using a loader called OAED Loader, which leverages DLL side-loading to evade detection and establish persistence.
Gokcpdoor operates in two modes: a server type that listens for incoming connections and a client type that initiates outbound connections to hard-coded command-and-control (C2) servers. The 2025 variant of Gokcpdoor utilizes the smux multiplexing library for C2 communications, having discontinued support for the KCP protocol seen in earlier versions. This allows for efficient and covert communication with attacker infrastructure.
For post-exploitation, the attackers deploy the Havoc post-exploitation framework, which provides a modular platform for lateral movement, credential dumping, and further payload delivery. The attackers use goddi, an Active Directory information dumper, to enumerate domain information and facilitate lateral movement. Data is compressed using 7-Zip and exfiltrated via cloud services such as io, LimeWire, and Piping Server, often accessed through browser sessions over RDP tunnels established by the backdoor.
The attackers also register new services and scheduled tasks, which show up to defenders as unknown entries, to maintain persistence and evade detection. Network traffic analysis reveals outbound connections to previously unseen IPs and domains over non-standard ports, with smux multiplexing evident in the traffic patterns.
Exploitation in the Wild
Active exploitation of CVE-2025-61932 has been confirmed by JPCERT/CC, Sophos CTU, and other security vendors. The campaign has primarily targeted Japanese organizations, with a focus on those running vulnerable on-premise installations of Lanscope Endpoint Manager. Attackers have been observed deploying Gokcpdoor and the Havoc framework, conducting lateral movement, and exfiltrating data via cloud services and RDP tunnels. Public disclosures and technical analyses have been published by JPCERT/CC, Sophos, and Help Net Security, all urging immediate patching and enhanced monitoring.
The exploitation chain is notable for its use of custom malware, advanced post-exploitation frameworks, and multi-stage exfiltration techniques. The attackers demonstrate a deep understanding of Japanese IT environments and a high level of operational security, making detection and remediation challenging.
Victimology and Targeting
The primary victims of this campaign are Japanese organizations, particularly those in sectors of strategic interest to Chinese intelligence, such as finance, technology, and government. The attackers have demonstrated a clear focus on organizations running on-premise installations of Lanscope Endpoint Manager, exploiting internet-exposed servers with the vulnerable client program (MR) or detection agent (DA) installed. The campaign is consistent with Tick’s historical targeting patterns, which prioritize long-term access and intelligence gathering over immediate financial gain.
Evidence suggests that the attackers conduct thorough reconnaissance to identify suitable targets, leveraging custom tools and frameworks to maintain persistence and evade detection. The use of cloud services for data exfiltration and the deployment of advanced post-exploitation frameworks indicate a high level of technical sophistication and a well-resourced operation.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by CVE-2025-61932. Organizations should apply the latest security updates for Motex Lanscope Endpoint Manager, ensuring that all client PCs are updated to one of the fixed versions (9.4.7.3, 9.4.6.3, 9.4.5.4, 9.4.4.6, 9.4.3.8, 9.4.2.6, 9.4.1.5, 9.4.0.5, 9.3.3.9, or 9.3.2.7). Internet-facing Lanscope servers should be audited and restricted, particularly those with the MR or DA components installed.
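A small version-check script helps turn the fixed-version list above into an inventory triage. This is an added example, not Motex's or Rescana's own tooling. It assumes that each listed build is the first patched build of its 9.x.y release branch, so an installed build counts as patched only when it is in one of those branches and at or above the listed build; a branch with no listed fix is reported as unknown for manual follow-up rather than silently treated as safe. The hostnames and builds in the sample inventory are constructed.

```python
"""Classify Lanscope Endpoint Manager version strings against the fixed
builds the advisory lists for CVE-2025-61932.

Added example, not Motex's or Rescana's own tooling. Assumption: each
listed build is the first patched build of its 9.x.y release branch, so
an installed build is patched iff it is in that branch and >= that
build. A branch with no listed fix cannot be assessed from the advisory
alone and is reported as "unknown-branch" for manual follow-up.
"""
from __future__ import annotations

# Fixed versions exactly as listed in the advisory.
FIXED_VERSIONS = [
    "9.4.7.3", "9.4.6.3", "9.4.5.4", "9.4.4.6", "9.4.3.8",
    "9.4.2.6", "9.4.1.5", "9.4.0.5", "9.3.3.9", "9.3.2.7",
]


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn 'a.b.c.d' into a comparable tuple; reject anything else loudly
    rather than silently comparing a malformed string as 'patched'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Lanscope version format: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


# Branch (major, minor, release) -> first patched build in that branch.
FIXED_BY_BRANCH = {v[:3]: v for v in map(parse_version, FIXED_VERSIONS)}


def assess(installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one build."""
    v = parse_version(installed)
    fixed = FIXED_BY_BRANCH.get(v[:3])
    if fixed is None:
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"


def needs_action(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Filter a host -> version inventory down to the hosts that are not
    confirmed patched, sorted so vulnerable hosts come first."""
    rows = [(host, ver, assess(ver)) for host, ver in inventory.items()]
    order = {"vulnerable": 0, "unknown-branch": 1}
    return sorted(
        (r for r in rows if r[2] != "patched"),
        key=lambda r: (order[r[2]], r[0]),
    )


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames and builds are made up.
    sample = {
        "lanscope-srv-01": "9.4.7.3",   # exact fixed build
        "lanscope-srv-02": "9.4.7.2",   # one build short of the fix
        "lanscope-srv-03": "9.4.0.12",  # later than the fixed build in its branch
        "lanscope-srv-04": "9.3.1.5",   # branch with no listed fix
    }
    for host, ver, status in needs_action(sample):
        print(f"{host:18} {ver:10} {status}")
```

Feed it the version strings your asset inventory reports and treat every "unknown-branch" row as a question for the vendor, not as a pass; the advisory only lists fixes for the branches above.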
Security teams should conduct comprehensive threat hunting for indicators of compromise, including the presence of Gokcpdoor, OAED Loader, goddi, and unusual RDP or cloud service activity. Log reviews should focus on SYSTEM-level command execution, the creation of new or unknown services, and scheduled tasks. Network monitoring should be enhanced to detect outbound connections to unknown IPs or domains over non-standard ports, with particular attention to traffic patterns indicative of smux multiplexing.
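The hunting signals listed above (new services, new scheduled tasks, SYSTEM-level command execution, outbound connections to unknown hosts on non-standard ports) can be expressed as a few baseline-comparison rules. The script below is an added example, not Rescana's or any vendor's detection content: the telemetry records, hostnames, process names and baselines are all constructed, the field names are an assumed normalized schema rather than a real log format, and `lanscope_placeholder.exe` is a labelled stand-in for whatever server-side process an exploited host would actually spawn from, not the product's binary name.

```python
"""Triage constructed endpoint telemetry for the hunting signals the
advisory names: newly installed services, new scheduled tasks,
SYSTEM-level shells spawned by an unexpected parent, and outbound
connections to non-allowlisted hosts on non-standard ports.

Added example, not Rescana's or any vendor's detection content. The
records, hostnames, process names and baselines below are all
constructed; a team would swap in its own service/task inventory and
egress allowlist. Field names are an assumed normalized schema, not a
real log format.
"""
from __future__ import annotations

# Assumed baselines (constructed). In practice these come from a known-good
# inventory taken before the exposure window.
KNOWN_SERVICES = {"Spooler", "WinDefend"}
KNOWN_TASKS = {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}
KNOWN_SHELL_PARENTS = {"services.exe", "explorer.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
STANDARD_PORTS = {53, 80, 443}
ALLOWED_EGRESS = {"203.0.113.10"}   # documentation range, constructed

# Constructed telemetry. "lanscope_placeholder.exe" stands in for whatever
# server-side process an exploited Lanscope host would actually spawn from;
# it is a placeholder, not the product's real binary name.
EVENTS = [
    {"type": "service_install", "host": "srv01", "service": "Spooler",
     "path": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "service_install", "host": "srv01", "service": "UpdSvc",
     "path": r"C:\ProgramData\upd\upd.exe"},
    {"type": "task_create", "host": "srv01", "task": "\\Maint",
     "user": "SYSTEM"},
    {"type": "process_create", "host": "srv01", "image": "cmd.exe",
     "parent": "lanscope_placeholder.exe", "user": "SYSTEM"},
    {"type": "net_out", "host": "srv01", "dst": "198.51.100.7",
     "dport": 8443, "proc": "upd.exe"},
    {"type": "net_out", "host": "srv01", "dst": "203.0.113.10",
     "dport": 443, "proc": "chrome.exe"},
    {"type": "net_out", "host": "srv01", "dst": "198.51.100.9",
     "dport": 443, "proc": "chrome.exe"},
]


def triage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, host, detail) for every record that matches a rule."""
    findings = []
    for e in events:
        kind = e["type"]
        if kind == "service_install" and e["service"] not in KNOWN_SERVICES:
            findings.append(("new-service", e["host"],
                             f'{e["service"]} -> {e["path"]}'))
        elif kind == "task_create" and e["task"] not in KNOWN_TASKS:
            findings.append(("new-scheduled-task", e["host"],
                             f'{e["task"]} created as {e["user"]}'))
        elif (kind == "process_create" and e["user"] == "SYSTEM"
              and e["image"].lower() in SHELLS
              and e["parent"].lower() not in KNOWN_SHELL_PARENTS):
            findings.append(("system-shell", e["host"],
                             f'{e["parent"]} spawned {e["image"]}'))
        elif (kind == "net_out" and e["dst"] not in ALLOWED_EGRESS
              and e["dport"] not in STANDARD_PORTS):
            findings.append(("egress-nonstd-port", e["host"],
                             f'{e["proc"]} -> {e["dst"]}:{e["dport"]}'))
    return findings


def by_host(findings: list[tuple[str, str, str]]) -> dict[str, list[tuple[str, str]]]:
    """Group findings per host so one analyst ticket covers one machine."""
    out: dict[str, list[tuple[str, str]]] = {}
    for rule, host, detail in findings:
        out.setdefault(host, []).append((rule, detail))
    return out


if __name__ == "__main__":
    for host, items in by_host(triage(EVENTS)).items():
        print(host)
        for rule, detail in items:
            print(f"  [{rule}] {detail}")
```

The last record, a connection to an unknown address on 443, is deliberately left unflagged: a port-only rule does not see C2 that hides on a standard port, so it has to be paired with destination reputation or per-process egress baselining. Recognising smux multiplexing itself is a payload-level task for network sensors and is out of scope for this host-side triage.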
Organizations are advised to consult the latest advisories from JPCERT/CC and other security vendors for updated indicators of compromise and detection signatures. Incident response plans should be reviewed and updated to ensure rapid containment and remediation in the event of compromise.
References
- Help Net Security: Lanscope Endpoint Manager vulnerability exploited in zero-day attacks (CVE-2025-61932)
- CVE Record: CVE-2025-61932
- JPCERT/CC: Alert on Lanscope Exploitation
- MITRE ATT&CK: Tick (Bronze Butler)
- The Hacker News: China-Linked Tick Group Exploits Lanscope Zero-Day
- LinkedIn: China-linked hackers exploited Lanscope flaw
- Facebook: Chinese hackers exploiting CVE-2025-61932
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and risk management solutions empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure the resilience of critical business operations. For more information about our TPRM platform and how we can help your organization strengthen its cybersecurity posture, please contact us.
We are happy to answer any questions at ops@rescana.com.