China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems
These articles are AI-generated summaries. Please check the original sources for full details.
Overview of the Threat
A sophisticated cyber espionage campaign attributed to the China-linked group Tick (also tracked as Bronze Butler and Stalker Panda, among other names) has been actively exploiting a critical zero-day vulnerability in Motex Lanscope Endpoint Manager. The flaw, CVE-2025-61932 (CVSS score: 9.3), lets a remote attacker execute arbitrary commands with SYSTEM privileges on unpatched on-premises installations. This has enabled the group to deploy backdoors and exfiltrate sensitive data, primarily from Japanese organizations that fit its intelligence objectives.
Key Details of the Exploit
Vulnerability and Impact
- CVE-2025-61932: A remote code execution (RCE) vulnerability in Motex Lanscope Endpoint Manager.
- CVSS Score: 9.3 (Critical severity).
- Exploit Mechanism: Allows attackers to execute arbitrary commands with SYSTEM-level privileges.
- Target Systems: On-premises installations of Lanscope Endpoint Manager (the cloud-based version is not affected).
- Impact: Full system compromise, enabling backdoor deployment and data theft.
Threat Actor Profile: Tick Group
- Aliases: Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, Swirl Typhoon (formerly Tellurium).
- Activity Timeline: Active since at least 2006, with a focus on East Asia, particularly Japan.
- Motivation: Cyber espionage, targeting sectors aligned with intelligence objectives.
- Previous Campaigns:
- Exploited CVE-2016-7836 in SKYSEA Client View (2017) for data theft.
Attack Methodology
- Initial Access:
- Exploiting CVE-2025-61932 on exposed Lanscope servers to gain arbitrary command execution as SYSTEM.
- Backdoor Deployment:
- Gokcpdoor: A backdoor that establishes a proxy connection to a remote C2 server.
- C2 Communication: The current variant multiplexes its channel with smux (a third-party Go library), replacing the KCP protocol that earlier builds used.
- Two Variants:
- Server-type Gokcpdoor: Listens for incoming connections to enable remote access.
- Client-type Gokcpdoor: Connects to hard-coded C2 servers for covert communication.
- Post-Exploitation Tools:
- Havoc Framework: Used for lateral movement and data exfiltration.
- DLL Side-Loading: A legitimate executable is abused to side-load OAED Loader, which injects further payloads.
- Data Exfiltration Tools:
- goddi: Open-source Active Directory information dumper.
- Remote Desktop: Interactive access tunneled through the backdoor.
- 7-Zip: For compressing and transferring stolen data.
- Cloud Services Used for Exfiltration: io, LimeWire, and Piping Server, accessed during the remote desktop sessions.
Mitigation and Recommendations
Immediate Actions for Organizations
- Patch Vulnerable Systems: Upgrade Motex Lanscope Endpoint Manager to the latest version to mitigate CVE-2025-61932.
- Audit Exposed Servers: Review internet-facing Lanscope servers with the MR (client program) or DA (detection agent) installed. Ensure they are not unnecessarily exposed to the public internet.
- Monitor for Indicators of Compromise (IoCs):
- Look for Gokcpdoor network traffic patterns.
- Detect unusual use of smux or KCP protocol in C2 communications.
- Monitor for DLL side-loading attempts involving OAED Loader.
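Spotting smux or KCP on the wire comes down to recognising their fixed little-endian headers. The Python below is an added example, not code from the Sophos report or from the malware: it walks a reassembled TCP payload as a run of smux frames (8-byte header: version, command, length, stream id) and a UDP datagram as a run of KCP segments (24-byte header: conv, cmd, frg, wnd, ts, sn, una, len), using the layouts of the public xtaci/smux and skywind3000/kcp libraries, and classifies the payload by whichever parses cleanly. The sample traffic is constructed here. It assumes the channel is visible in plaintext at the capture point; whether Gokcpdoor wraps these layers in encryption is not stated on this page, and kcp-go's optional FEC and crypto modes would also hide the raw KCP header.

```python
"""Framing heuristics for smux (TCP) and KCP (UDP), the two transports the
Gokcpdoor variants are reported to use. Example code over constructed payloads."""
import struct

# smux frame header, 8 bytes, little-endian: ver(1) cmd(1) length(2) stream id(4)
SMUX_HDR = struct.Struct("<BBHI")
SMUX_CMDS = {0: "SYN", 1: "FIN", 2: "PSH", 3: "NOP", 4: "UPD"}   # UPD exists in v2 only
# KCP segment header, 24 bytes, little-endian:
# conv(4) cmd(1) frg(1) wnd(2) ts(4) sn(4) una(4) len(4)
KCP_HDR = struct.Struct("<IBBHIIII")
KCP_CMDS = {81: "PUSH", 82: "ACK", 83: "WASK", 84: "WINS"}


def parse_smux(payload):
    """Return the list of (version, cmd, stream_id, data) frames, or None if
    the bytes do not parse cleanly as a run of smux frames."""
    frames, off = [], 0
    while off < len(payload):
        if len(payload) - off < SMUX_HDR.size:
            return None
        ver, cmd, length, sid = SMUX_HDR.unpack_from(payload, off)
        if ver not in (1, 2) or cmd not in SMUX_CMDS or (cmd == 4 and ver == 1):
            return None
        end = off + SMUX_HDR.size + length
        if end > len(payload):
            return None
        frames.append((ver, SMUX_CMDS[cmd], sid, payload[off + SMUX_HDR.size:end]))
        off = end
    return frames or None


def parse_kcp(payload):
    """Return the list of (conv, cmd, sn, data) segments, or None on a bad layout.
    Every segment in one datagram must carry the same conversation id."""
    segs, off, conv0 = [], 0, None
    while off < len(payload):
        if len(payload) - off < KCP_HDR.size:
            return None
        conv, cmd, frg, wnd, ts, sn, una, length = KCP_HDR.unpack_from(payload, off)
        if cmd not in KCP_CMDS or (conv0 is not None and conv != conv0):
            return None
        conv0 = conv
        end = off + KCP_HDR.size + length
        if end > len(payload):
            return None
        segs.append((conv, KCP_CMDS[cmd], sn, payload[off + KCP_HDR.size:end]))
        off = end
    return segs or None


def classify(payload):
    """'smux', 'kcp' or 'unknown' for one reassembled TCP payload or UDP datagram."""
    if parse_smux(payload) is not None:
        return "smux"
    if parse_kcp(payload) is not None:
        return "kcp"
    return "unknown"


def smux_frame(ver, cmd, sid, data=b""):
    """Build one smux frame (used only to construct sample traffic)."""
    return SMUX_HDR.pack(ver, cmd, len(data), sid) + data


def kcp_segment(conv, cmd, sn, data=b""):
    """Build one KCP segment (sample traffic only; wnd/ts/una zeroed)."""
    return KCP_HDR.pack(conv, cmd, 0, 0, 0, sn, 0, len(data)) + data


# Constructed samples: a smux session opening stream 3, pushing data and closing it;
# a KCP datagram carrying a PUSH and an ACK; and ordinary HTTP as a negative case.
SAMPLES = {
    "smux": smux_frame(1, 0, 3) + smux_frame(1, 2, 3, b"hello") + smux_frame(1, 1, 3),
    "kcp": kcp_segment(0x11223344, 81, 1, b"hello") + kcp_segment(0x11223344, 82, 1),
    "http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, pl in SAMPLES.items():
        print(f"{name:5} -> {classify(pl)}")
```

Treat the result as a triage signal rather than a verdict: an 8-byte header with a small version and command byte is easy to hit by chance in short binary blobs, so a hit is worth acting on when it recurs across a long-lived connection to an unfamiliar host, and especially when that host is a Lanscope server talking outbound.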
Long-Term Security Practices
- Network Segmentation: Isolate critical systems to limit lateral movement.
- Least Privilege Principle: Restrict administrative access to Lanscope servers.
- Continuous Monitoring: Deploy threat detection tools to identify anomalous behavior, such as unexpected cloud service access or unusual data transfers.
Historical Context and Sophos Response
- Prior Exploits: Tick previously exploited CVE-2016-7836 (SKYSEA Client View) in 2017, highlighting its long-term focus on zero-day vulnerabilities.
- Sophos Advisory: Emphasized the importance of patching and reviewing server exposure, noting that the vulnerability is now publicly known, increasing the risk of exploitation by other threat actors.
Reference
https://thehackernews.com/2025/10/china-linked-tick-group-exploits.html