The recently revealed exploitation of a critical security flaw in Motex Lanscope Endpoint Manager is believed to be the work of a cyber espionage group known as Tick.
This vulnerability is tracked as CVE-2025-61932 (CVSS score: 9.3) and allows remote attackers to execute arbitrary commands with SYSTEM privileges on the on-premises version of the program. In an alert issued this month, JPCERT/CC said it had seen reports of security flaws being actively exploited to drop backdoors into compromised systems.
Tick, also known as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon (formerly known as Tellur), is a suspected Chinese cyberespionage operation known for its extensive targeting of East Asia, particularly Japan. It is estimated that it has been active since at least 2006.
This sophisticated campaign observed by Sophos involved exploiting CVE-2025-61932 to deliver a known backdoor called Gokcpdoor, which acts as a backdoor to establish a proxy connection with a remote server and execute malicious commands on a compromised host.
“The 2025 variant removes support for the KCP protocol and adds multiplexing using a third-party library.” [smux] For C2 [command-and-control] communications,” the Sophos Threat Countermeasures Unit (CTU) said in a report Thursday.
The cybersecurity firm announced that it has detected two different types of Gokcpdoor that serve different use cases.
A server type that listens for incoming client connections to enable remote access A client type that initiates a connection to a hard-coded C2 server for the purpose of setting up a covert communication channel
This attack also features the deployment of the Havoc post-exploit framework on some systems, and the infection chain relies on DLL sideloading to launch a DLL loader named OAED Loader to inject the payload.
Other tools utilized in the attack to facilitate lateral movement and data exfiltration include Goddi, an open source Active Directory information dumping tool. Remote Desktop: For remote access through backdoor tunnels. and 7-Zip.
Threat actors have also been found to access cloud services such as io, LimeWire, and Piping Server via web browsers during remote desktop sessions to exfiltrate collected data.
This is not the first time Tick has been observed leveraging zero-day flaws in attack campaigns. In October 2017, Secureworks, a Sophos company, detailed how a group of hackers had exploited a then-unpatched remote code execution vulnerability (CVE-2016-7836) in Japanese IT asset management software SKYSEA Client View to compromise machines and steal data.
“Organizations upgrade vulnerable Lanscope servers depending on their environment,” Sophos TRU said. “Organizations should also review Internet-facing Lanscope servers that have Lanscope client programs (MRs) or detection agents (DAs) installed to determine whether there is a business need to make them publicly available.”
Source link
