A sophisticated cyber espionage group known as Tick, which also goes by aliases such as Bronze Butler and Swirl Typhoon, has been observed actively exploiting a recently disclosed, critical security flaw in the Motex Lanscope Endpoint Manager. The vulnerability, tracked as CVE-2025-61932 with a CVSS score of 9.3, allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premises versions of the software. An alert from JPCERT/CC confirmed reports of this active abuse, stating that the flaw is being used to deploy a backdoor onto compromised systems. The group is widely assessed to be a Chinese state-sponsored actor that has been active since at least 2006, with a pronounced and consistent focus on targets in East Asia, particularly Japan.
The campaign, which was monitored by Sophos, leveraged the exploitation of CVE-2025-61932 to install a known piece of malware called Gokcpdoor. This backdoor is designed to establish a proxy connection with a remote server, functioning as a persistent access point for executing malicious commands on the infected host. Researchers noted a 2025 variant of Gokcpdoor that removed support for the KCP protocol and instead implemented multiplexing communication via a third-party library, smux, for its command-and-control (C2) communication. Sophos detected two distinct versions of the malware serving different roles: a server type to listen for remote access connections, and a client type that initiates connections to hard-coded C2 servers to create a covert channel.
In addition to the custom backdoor, the attack chain is characterized by the deployment of the Havoc post-exploitation framework on specific systems. The infection process relies heavily on DLL side-loading, where a component called OAED Loader is used to inject the subsequent malicious payloads. The threat actors utilized several other common tools to facilitate their objectives, including goddi for dumping Active Directory information, Remote Desktop for remote access through their established backdoor tunnels, and the archival utility 7-Zip. Furthermore, the group was observed accessing public cloud services like io, LimeWire, and Piping Server via the web browser during their remote desktop sessions, indicating a method they use to exfiltrate the stolen data.
A director of threat intelligence at Sophos CTU commented on the incident, confirming the company's awareness of the highly targeted activity in Japan. They expressed the belief that the initial exploitation by Bronze Butler was limited to sectors aligned with the group's intelligence objectives. However, they cautioned that, now that the vulnerability has been publicly disclosed, a broader range of threat actors is likely to attempt to exploit the flaw.
This is not the first instance where the Tick cyber espionage group has been caught leveraging a zero-day vulnerability in their operations. In a comparable incident from October 2017, the group was documented exploiting a previously unpatched remote code execution vulnerability (CVE-2016-7836) in SKYSEA Client View, another Japanese IT asset management software, to compromise machines and steal sensitive data. Given the ongoing nature of these attacks, Sophos strongly recommends that organizations immediately upgrade their vulnerable Lanscope servers and review any internet-facing Lanscope servers with the client or agent program installed to determine if public exposure is strictly necessary for business operations.