LANSCOPE Endpoint Manager Zero Day Vulnerability Exploited by Threat Actors to Steal Data

A sophisticated campaign attributed to BRONZE BUTLER, a Chinese state-sponsored threat group also known as Tick, has been actively exploiting a critical zero-day vulnerability in Motex LANSCOPE Endpoint Manager to compromise Japanese organizations and steal sensitive information.

Counter Threat Unit researchers confirmed that attackers gained initial access by exploiting CVE-2025-61932, a critical flaw with a CVSS 3.0 score of 9.8 that allows remote attackers to execute arbitrary code with SYSTEM privileges.

The vulnerability affects LANSCOPE Endpoint Manager (On-Premises) version 9.4.7.1 and earlier, specifically the client program (MR) and detection agent (DA) components.

JPCERT/CC confirmed that exploitation attempts began in April 2025, with malicious packet reception observed on specific ports across Japanese customer environments. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) formally added CVE-2025-61932 to its Known Exploited Vulnerabilities Catalog on October 22, 2025, following JPCERT/CC’s notification on the same date.

While the number of vulnerable internet-facing devices remains relatively low, researchers indicate that compromised systems could serve as pivot points for privilege escalation and lateral movement within corporate networks.

Attack Infrastructure and Command-and-Control Methods

CTU researchers identified that BRONZE BUTLER deployed Gokcpdoor, a sophisticated backdoor that gives the actors command-and-control access to compromised hosts.

The 2025 variant evolved significantly from previous iterations, discontinuing support for the KCP protocol and implementing multiplexed communication via a third-party library, thereby enhancing stealth capabilities.

Figure: Comparison of internal function names in the 2023 (left) and 2025 (right) Gokcpdoor samples

Analysis revealed two distinct Gokcpdoor configurations: a server variant that listens for incoming client connections on ports 38000 and 38002, and a client variant that initiates connections to hardcoded C2 servers to establish persistent backdoor access.

On some compromised systems, threat actors deployed the Havoc C2 framework instead of Gokcpdoor, with select samples utilizing OAED Loader malware to obscure execution flows by injecting payloads into legitimate executables.

The campaign demonstrated sophisticated operational security by rotating between multiple command-and-control infrastructure addresses: 38.54.56.57 and 38.54.88.172, both communicating via TCP port 443, while additional command sources operated from 38.54.56.10, 38.60.212.85, and 108.61.161.118.

Data Exfiltration Techniques

BRONZE BUTLER leveraged both legitimate tools and cloud storage services to exfiltrate compromised data.

Researchers confirmed that threat actors used goddi (Go dump domain info) for Active Directory enumeration, legitimate remote desktop applications via backdoor tunnels, and 7-Zip for compression and exfiltration.

The actors also accessed cloud storage platforms, including file.io, LimeWire, and Piping Server, via web browsers during remote desktop sessions, demonstrating intent to extract confidential information from victim organizations.

Organizations operating internet-facing LANSCOPE installations should immediately review business justification for public exposure, apply available security updates to all client systems, and monitor for connections to the identified C2 infrastructure.
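As an added illustration of the monitoring recommendation above (this is not code from the report, the researchers or the vendor), the following Python script applies the network indicators named in this article to a set of constructed flow records: outbound connections to the listed C2 addresses, and internal connections to the ports the Gokcpdoor server variant listens on. The CSV layout and the 10.x/203.0.113.x hosts are assumptions for the sample only.

```python
import csv
import io

# Network indicators as published in the report above.
C2_ADDRESSES = {"38.54.56.57", "38.54.88.172", "38.54.56.10", "38.60.212.85", "108.61.161.118"}
C2_PORT = 443                            # port the two primary C2 addresses were contacted on
GOKCPDOOR_LISTEN_PORTS = {38000, 38002}  # ports the Gokcpdoor server variant listens on

# Constructed sample flow records (not real telemetry); hosts and times are made up.
SAMPLE_FLOWS = """ts,src_ip,src_port,dst_ip,dst_port,proto
2025-10-21T09:00:01Z,10.0.5.23,51422,38.54.56.57,443,tcp
2025-10-21T09:00:05Z,10.0.5.23,51430,203.0.113.10,443,tcp
2025-10-21T09:01:12Z,10.0.7.9,61001,10.0.5.23,38000,tcp
2025-10-21T09:02:40Z,10.0.5.40,44010,38.60.212.85,8080,tcp
2025-10-21T09:03:00Z,10.0.7.9,61002,10.0.5.23,38002,tcp
"""


def find_suspicious_flows(csv_text):
    """Return the flow records that match the campaign's network indicators."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["proto"].lower() != "tcp":
            continue
        dst_ip, dst_port = row["dst_ip"], int(row["dst_port"])
        reason = host = None
        if dst_ip in C2_ADDRESSES:
            reason = "outbound connection to known BRONZE BUTLER C2 address"
            if dst_port != C2_PORT:
                reason += " (port other than 443, lower confidence)"
            host = row["src_ip"]   # the internal host that connected out
        elif dst_port in GOKCPDOOR_LISTEN_PORTS:
            reason = "connection to a Gokcpdoor server-variant listening port"
            host = dst_ip          # the internal host accepting the connection
        if reason:
            hits.append({"ts": row["ts"], "host": host, "dst_ip": dst_ip,
                         "dst_port": dst_port, "reason": reason})
    return hits


def hosts_to_investigate(hits):
    """Internal hosts implicated by the matches, for endpoint triage."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    matches = find_suspicious_flows(SAMPLE_FLOWS)
    for m in matches:
        print(f'{m["ts"]} host={m["host"]} -> {m["dst_ip"]}:{m["dst_port"]}  {m["reason"]}')
    print("investigate:", ", ".join(hosts_to_investigate(matches)))
```

A host that both beacons to a C2 address and accepts connections on 38000/38002, as 10.0.5.23 does in the sample, matches the server-variant behaviour described above and should be triaged first.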

This campaign exemplifies BRONZE BUTLER’s persistent targeting of Japanese industries, following its exploitation of SKYSEA Client View zero-days in 2016.

IOCs

Indicator | Type | Context
932c91020b74aaa7ffc687e21da0119c | MD5 hash | Gokcpdoor variant used by BRONZE BUTLER (oci.dll)
be75458b489468e0acdea6ebbb424bc898b3db29 | SHA1 hash | Gokcpdoor variant used by BRONZE BUTLER (oci.dll)
3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba | SHA256 hash | Gokcpdoor variant used by BRONZE BUTLER (oci.dll)
4946b0de3b705878c514e2eead096e1e | MD5 hash | Havoc sample used by BRONZE BUTLER (MaxxAudioMeters64LOC.dll)


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders
