China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems
A sophisticated cyber espionage campaign has been attributed to the China-linked advanced persistent threat (APT) group known as Tick, also referred to as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon (formerly Tellurium). This group has been active since at least 2006, primarily targeting East Asian countries, with a particular focus on Japan.
The recent campaign involves the exploitation of a critical security vulnerability in Motex Lanscope Endpoint Manager, identified as CVE-2025-61932. The flaw, which carries a CVSS score of 9.3, allows a remote attacker to execute arbitrary commands with SYSTEM privileges on on-premises versions of the software. The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed active exploitation of the vulnerability, with successful attacks ending in the deployment of a backdoor on compromised systems.
Sophos, a cybersecurity firm, observed Tick leveraging CVE-2025-61932 to deliver a Go-based backdoor known as Gokcpdoor. The malware establishes a proxy connection with a remote server and lets the operator execute commands on the infected host. Notably, the 2025 variant drops the KCP transport that gave the malware its name and instead multiplexes its command-and-control (C2) traffic over a single connection using the smux library.
The attack methodology includes the deployment of two distinct types of Gokcpdoor:
– Server Type: Listens for incoming client connections to facilitate remote access.
– Client Type: Initiates connections to hard-coded C2 servers to establish covert communication channels.
Additionally, the campaign is characterized by the use of the Havoc post-exploitation framework on select systems. The infection chains employ DLL side-loading to launch a DLL loader named OAED Loader, which injects the payloads.
To facilitate lateral movement and data exfiltration, Tick utilizes several tools, including:
– goddi: An open-source Active Directory information dumping tool.
– Remote Desktop: Used for remote access through a backdoor tunnel.
– 7-Zip: Employed for compressing and transferring data.
The threat actors have also been observed accessing cloud services such as io, LimeWire, and Piping Server via web browsers during remote desktop sessions to exfiltrate harvested data.
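The post-exploitation chain above (a side-loaded loader, goddi for Active Directory reconnaissance, 7-Zip for staging, and a browser reaching file-sharing services from an RDP session) is concrete enough to hunt for. The following is an added example written for this page; it is not code from Sophos, JPCERT/CC or Motex. It runs four checks over simplified, constructed Sysmon-style events and goes slightly beyond the article by flagging any unsigned DLL loaded from a user-writable directory into a signed process, the generic shape of the DLL side-loading described for OAED Loader. The event field names, the `session` attribute, and the exfiltration domain list (including `ppng.io` as the public Piping Server instance) are assumptions to adapt to your own telemetry.

```python
"""Hunting checks for the post-exploitation tooling described above.

Added example, not code from Sophos, JPCERT/CC or Motex. Events are simplified,
constructed Sysmon-style dicts; map the field names onto your own telemetry
(EDR, Sysmon, Windows Security log) before use.
"""
import ntpath
import re

# Assumption: hostnames of the file-sharing/relay services named in the article
# (LimeWire, Piping Server). ppng.io is assumed to be the public Piping Server
# instance; extend the tuple with services your users should never reach.
EXFIL_DOMAINS = ("limewire.com", "ppng.io")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe", "7zg.exe"}
# Directories a standard user can write to; an unsigned DLL side-loaded from one
# of these into a signed, trusted executable is the classic loader pattern.
USER_WRITABLE = re.compile(r"^(c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def check_goddi(ev):
    """Flag the goddi AD dumper by binary name or command line."""
    if ev["type"] != "process_create":
        return None
    if "goddi" in _base(ev["image"]) or "goddi" in ev.get("cmdline", "").lower():
        return "goddi AD dump: " + ev.get("cmdline", ev["image"])
    return None


def check_7zip(ev):
    """Flag 7-Zip archive creation (the 'a' command); -p means password-protected."""
    if ev["type"] != "process_create" or _base(ev["image"]) not in ARCHIVERS:
        return None
    args = ev.get("cmdline", "").split()
    if len(args) > 1 and args[1].lower() == "a":
        pw = any(a.lower().startswith("-p") for a in args[2:])
        tag = " (password-protected)" if pw else ""
        return "7-Zip archive created%s: %s" % (tag, ev["cmdline"])
    return None


def check_sideload(ev):
    """Flag an unsigned DLL from a user-writable path loaded by a signed host process."""
    if ev["type"] != "image_load":
        return None
    if ev.get("process_signed") and not ev.get("dll_signed") and USER_WRITABLE.match(ev["dll"]):
        return "possible DLL side-load: %s loaded %s" % (ev["image"], ev["dll"])
    return None


def check_browser_exfil(ev):
    """Flag a browser resolving a file-sharing/relay domain; note if it happened over RDP."""
    if ev["type"] != "dns_query" or _base(ev["image"]) not in BROWSERS:
        return None
    q = ev["query"].lower()
    if any(q == d or q.endswith("." + d) for d in EXFIL_DOMAINS):
        session = " during RDP session" if ev.get("session") == "rdp" else ""
        return "browser reached %s%s" % (ev["query"], session)
    return None


CHECKS = (check_goddi, check_7zip, check_sideload, check_browser_exfil)


def hunt(events):
    """Run every check over every event; return (rule name, detail) hits in order."""
    hits = []
    for ev in events:
        for chk in CHECKS:
            detail = chk(ev)
            if detail:
                hits.append((chk.__name__, detail))
    return hits


# Constructed sample telemetry (not real logs) reproducing the described chain.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\ProgramData\update\svc.exe",
     "process_signed": True, "dll": r"C:\ProgramData\update\version.dll", "dll_signed": False},
    {"type": "process_create", "image": r"C:\Users\svc\AppData\Local\Temp\goddi-windows-amd64.exe",
     "cmdline": r"goddi-windows-amd64.exe -username=svc -domain=corp.local -dc=dc01.corp.local"},
    {"type": "process_create", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -pS3cret C:\Users\svc\out.7z C:\Users\svc\ad\*"},
    {"type": "process_create", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x installer.7z"},  # extraction, not staging: not flagged
    {"type": "dns_query", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query": "ppng.io", "session": "rdp"},
    {"type": "dns_query", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query": "www.example.com", "session": "rdp"},  # ordinary browsing: not flagged
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(rule, "->", detail)
```

Each check is deliberately narrow and cheap so it can be run as a scheduled hunt rather than a real-time rule; the value comes from correlating hits on the same host within a short window (side-load, then AD dump, then archive, then browser upload), which is the sequence the article describes.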
This is not the first instance of Tick exploiting zero-day vulnerabilities in its campaigns. In October 2017, Secureworks detailed the group’s exploitation of an unpatched remote code execution vulnerability (CVE-2016-7836) in SKYSEA Client View, a Japanese IT asset management software, to compromise machines and steal data.
Organizations are advised to patch vulnerable Lanscope servers promptly and to review any internet-facing Lanscope servers that have the Lanscope client program (MR) or detection agent (DA) installed, confirming whether there is a genuine business need for them to be publicly reachable and removing exposure where there is not.