China-linked “Tick Group” exploits new Lanscope zero-day

China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems

Published on: November 1, 2025
By: Kooch Cybersecurity & Compliance Team

A new zero-day under active exploitation

A recently disclosed critical vulnerability (CVE-2025-61932) in Motex Lanscope Endpoint Manager is being actively exploited by the China-linked advanced persistent threat (APT) group known as Tick.
The flaw, with a CVSS score of 9.3, allows remote code execution with SYSTEM-level privileges on on-premises Lanscope servers — giving attackers complete control over affected corporate endpoints.

The Japan Computer Emergency Response Team (JPCERT/CC) confirmed reports of active abuse in October 2025, warning that attackers have already deployed backdoors on compromised systems.

Who is the Tick Group?

Tick — also known as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, and Swirl Typhoon — is a China-based cyber-espionage group active since at least 2006.
The group is known for its long-term focus on East Asian targets, particularly Japanese corporations and government networks, with operations believed to align closely with state-level intelligence objectives.

According to Sophos CTU Director Rafe Pilling, “the exploitation by Bronze Butler appears limited to sectors aligned with their intelligence objectives — but since the flaw is now public, other threat actors may follow.”

How the attack works

Sophos researchers observed Tick exploiting CVE-2025-61932 to deliver a new variant of the Gokcpdoor backdoor, capable of establishing covert proxy connections with remote servers and executing malicious commands.

This 2025 variant replaced its old KCP protocol with multiplexed communication via the ‘smux’ library, improving stealth and reliability.

Two distinct Gokcpdoor types were identified:

  1. Server Type – Listens for incoming client connections, enabling remote control.
  2. Client Type – Connects to hard-coded command-and-control (C2) servers to create covert channels.

Post-exploitation and persistence

After initial access, Tick deployed the Havoc post-exploitation framework, using DLL side-loading techniques to launch a custom loader called OAED Loader that injected malicious payloads into legitimate processes.

Further activity included:

  • goddi – open-source Active Directory dumping tool
  • Remote Desktop tunneling – for hands-on-keyboard control
  • 7-Zip – to compress and exfiltrate stolen data
  • Cloud services (LimeWire, io, Piping Server) – to transfer harvested information covertly

A familiar pattern of zero-day exploitation

This is not Tick’s first known use of a zero-day in Japan.
In 2017, Sophos-owned Secureworks documented how the same group exploited CVE-2016-7836 in SKYSEA Client View, another Japanese IT asset management platform, to infiltrate corporate systems.

The repeated targeting of endpoint management software highlights a strategic pattern: attackers are compromising the very tools organizations rely on for control, visibility, and compliance.

Mitigation and defense recommendations

Sophos Threat Response Unit (TRU) strongly recommends that organizations:

  1. Upgrade Lanscope Endpoint Manager immediately to a patched version.
  2. Audit internet-facing Lanscope servers, clients (MR), and detection agents (DA) — and restrict external access unless absolutely necessary.
  3. Monitor for suspicious activity, especially DLL side-loading, 7-Zip compression, and unauthorized Remote Desktop sessions.
  4. Hunt for indicators of Gokcpdoor or Havoc in network and endpoint telemetry.
  5. Implement EDR and behavioral analytics capable of detecting living-off-the-land post-exploitation tactics.
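
Recommendations 3 and 4 above describe behaviours to hunt for rather than a single indicator. As an added illustration (not code from Sophos TRU or from the original article), the script below runs three simple detections over constructed sample telemetry: password-protected 7-Zip archive creation, a DLL with a system-library name loaded from an application's own folder (a side-loading heuristic), and RDP logons (Windows logon type 10) from sources outside an allow-list. The key=value event format, host names, paths and IP addresses are all assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified key=value form (an assumption of this
# example, not a real Lanscope, Sysmon or Windows event layout).
SAMPLE_EVENTS = """\
type=process host=WS01 user=corp\\svc_lanscope image=C:\\Tools\\7z.exe cmd="7z.exe a -pSecret -mhe=on C:\\Users\\Public\\out.7z C:\\Finance"
type=imageload host=WS01 process=C:\\ProgramData\\update\\signed_app.exe module=C:\\ProgramData\\update\\version.dll
type=imageload host=WS01 process=C:\\Windows\\System32\\svchost.exe module=C:\\Windows\\System32\\version.dll
type=logon host=FS02 user=corp\\svc_lanscope logon_type=10 src_ip=10.20.30.40
type=logon host=FS02 user=corp\\jdoe logon_type=2 src_ip=-
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SIDELOAD_NAMES = {"version.dll", "dbghelp.dll"}  # constructed short list of often-abused names
ALLOWED_RDP_SOURCES = {"10.0.0.5"}               # constructed: the admin jump host

def parse(line):
    """Parse key=value pairs; a value may be double-quoted to contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def findings_for(ev):
    """Return (rule, detail) hits for one parsed event."""
    hits = []
    if ev.get("type") == "process":
        args = ev.get("cmd", "").split()
        # 7-Zip adding to an archive ("a") with a password switch ("-p...") is the compress-then-exfiltrate staging step.
        if ev["image"].lower().endswith(("\\7z.exe", "\\7za.exe")) and "a" in args \
                and any(a.startswith("-p") for a in args):
            hits.append(("7zip_password_archive", ev["cmd"]))
    elif ev.get("type") == "imageload":
        mod = ev["module"].lower()
        proc_dir = ev["process"].lower().rsplit("\\", 1)[0] + "\\"
        # Side-loading heuristic: a system-library name loaded from the executable's own directory, not a system dir.
        if mod.rsplit("\\", 1)[-1] in SIDELOAD_NAMES and mod.startswith(proc_dir) \
                and not mod.startswith(SYSTEM_DIRS):
            hits.append(("possible_dll_sideload", ev["module"]))
    elif ev.get("type") == "logon" and ev.get("logon_type") == "10":
        # Windows logon type 10 is RemoteInteractive (RDP); flag sources off the allow-list.
        if ev.get("src_ip") not in ALLOWED_RDP_SOURCES:
            hits.append(("rdp_from_unexpected_source", f'{ev["user"]}@{ev["host"]} from {ev["src_ip"]}'))
    return hits

def hunt(text):
    """Group findings by host so a machine showing several behaviours stands out."""
    by_host = defaultdict(list)
    for ev in map(parse, text.splitlines()):
        for hit in findings_for(ev):
            by_host[ev["host"]].append(hit)
    return dict(by_host)
```

Running `hunt(SAMPLE_EVENTS)` groups the hits per host, so WS01 (archive staging plus a suspicious DLL load) surfaces as a machine worth triaging before any single rule would.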

What this means for cybersecurity leaders

The Lanscope zero-day exploitation is yet another reminder of a hard truth in modern cybersecurity:

Attackers don’t always break in — sometimes, they log in through the very tools you trust most.

Endpoint management platforms, RMMs, and IT asset management solutions have deep system-level privileges, making them high-value targets for espionage groups.
Organizations must treat these tools with the same security rigor as critical infrastructure — segmentation, monitoring, and patch prioritization are non-negotiable.

Kooch’s Perspective

At Kooch Cybersecurity & Compliance, we see this as a wake-up call for companies handling regulated data under frameworks like KVKK, GDPR, or ISO 27001.
Zero-days targeting administrative tools represent not just a technical risk but a compliance exposure, potentially leading to data breaches and regulatory penalties.

Regular patch audits, third-party vendor risk reviews, and incident response readiness should now be part of every compliance program — not just a best practice.

Final thought

Cyber espionage thrives where visibility ends.
Proactive defense isn’t about reacting to CVEs — it’s about knowing your environment well enough to spot when something isn’t normal.

Stay patched. Stay monitored. Stay compliant.

Source

This article was based on original reporting by Ravie Lakshmanan at The Hacker News:
“China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems,” published October 31, 2025.
TheHackerNews.com

Masoud Salmani