China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems

A sophisticated cyber espionage campaign has been uncovered targeting Japanese organizations through a critical vulnerability in Motex Lanscope Endpoint Manager. The flaw, tracked as CVE-2025-61932 with a CVSS score of 9.3, allows remote attackers to execute arbitrary commands with SYSTEM privileges on affected on-premise servers. The campaign has been attributed to the Tick Group, also known as Bronze Butler, Daserf, and REDBALDKNIGHT, a long-running Chinese-linked threat actor with a history of targeting East Asia.

Threat Summary Table

Threat Actor:       Tick Group (China-linked, aka Bronze Butler, Daserf)
Vulnerability:      CVE-2025-61932 (Lanscope Endpoint Manager, RCE – CVSS 9.3)
Initial Access:     Exploitation of unpatched Lanscope servers exposed to the internet
Primary Payload:    Gokcpdoor backdoor (2025 variant)
Post-Exploitation:  Havoc framework, OAED Loader, goddi, Remote Desktop, 7-Zip
Targeted Region:    Japan (corporate and government systems)
Impact:             Remote access, data theft, lateral movement, persistent compromise

Overview of the Exploitation Campaign

In late October 2025, Sophos researchers and JPCERT/CC confirmed that the Lanscope Endpoint Manager vulnerability (CVE-2025-61932) was being exploited in the wild. The flaw, which affects on-premise Lanscope deployments, enables attackers to gain SYSTEM-level privileges and execute arbitrary commands remotely.

The Tick Group leveraged this zero-day to deploy a new version of its backdoor known as Gokcpdoor. Once inside a network, the malware established covert communication channels with command and control (C2) servers, allowing attackers to issue commands, move laterally, and exfiltrate sensitive data. Evidence suggests that the attacks were highly targeted against Japanese sectors of strategic importance, including government, technology, and defense-related companies.

How the Lanscope Vulnerability Works

The vulnerability resides in how Lanscope Endpoint Manager handles authentication and remote commands. Attackers can send crafted network requests to execute arbitrary code with elevated privileges. Because Lanscope is often deployed with administrative access across enterprise environments, successful exploitation effectively hands over full control of the affected systems.

The issue was first reported by JPCERT/CC in October 2025, which confirmed that threat actors were already using the bug in live attacks before patches were available. Motex has since issued mitigations, but unpatched systems remain at risk. Because the bug allows command execution with SYSTEM-level privileges, it ranks among the most severe vulnerabilities in Lanscope’s history.

Tick Group’s Attack Chain

The Tick Group’s intrusion process follows a multi-stage sequence combining remote exploitation, side-loading, and persistence mechanisms. The campaign typically unfolds as follows:

  • Stage 1: The attacker exploits CVE-2025-61932 remotely to gain execution on a Lanscope server.
  • Stage 2: A malicious DLL loader named OAED Loader is dropped into Lanscope’s program directory. The legitimate process side-loads this DLL during runtime.
  • Stage 3: The loader decrypts and injects the Gokcpdoor payload directly into memory, bypassing signature and file-based defenses.
  • Stage 4: Once active, Gokcpdoor establishes communication with the attacker’s remote servers using HTTPS and a new multiplexed transport protocol based on the smux library.

After installation, Tick Group operators deploy post-exploitation frameworks like Havoc to gain full interactive control of infected systems. Tools such as goddi (for Active Directory enumeration), 7-Zip (for file compression), and built-in Remote Desktop access are then used to move laterally and exfiltrate data to external services including Piping Server and LimeWire.

Gokcpdoor Backdoor Details

The Gokcpdoor malware used in this campaign is a sophisticated modular backdoor capable of running in two distinct modes:

  • Server variant: Waits for inbound connections from the attacker, acting as a remote shell host for manual control.
  • Client variant: Initiates outbound connections to hardcoded C2 servers, maintaining persistence and evading firewalls.

Unlike earlier versions, the 2025 Gokcpdoor release dropped support for the KCP protocol and now uses smux, a third-party Go library designed for multiplexed network communication. This change enhances stealth and makes detection through network analysis more difficult. The malware can execute arbitrary commands, upload or download files, and proxy communications for other implants.

Tick Group’s Historical Activity

The Tick Group has operated since at least 2006 and is considered one of the most persistent espionage units linked to China. It has previously targeted Japanese aerospace, defense, and government institutions, often through long-term intrusions involving custom malware families like Daserf and xxmm. The group was previously caught exploiting another Japanese software zero-day, CVE-2016-7836 in SKYSEA Client View, in a nearly identical pattern.

Its tradecraft is defined by the use of legitimate software in side-loading attacks, preference for Go and C-based implants, and methodical targeting of entities aligned with Japan’s industrial and defense sectors. The reuse of these techniques in the Lanscope campaign highlights its continued focus on Japanese critical infrastructure.

Indicators of Compromise

Indicator                    Type            Description
CVE-2025-61932               Vulnerability   Lanscope Endpoint Manager remote code execution flaw
OAEDLoader.dll               File            Malicious loader used for DLL side-loading
Gokcpdoor                    Malware         Primary backdoor used in the campaign
goddi.exe                    Tool            Active Directory credential dumping utility
LimeWire, io, Piping Server  Cloud Services  Used for exfiltration of stolen data

Mitigation and Defensive Guidance

  • Patch immediately: Apply the latest security update from Motex addressing CVE-2025-61932. Systems running outdated on-prem versions should be upgraded or isolated from public access.
  • Restrict access: Block direct internet exposure of Lanscope management ports and enforce access through VPN or internal networks only.
  • Monitor side-loading activity: Track DLL loading behavior from Lanscope directories. Legitimate Lanscope processes should not be loading unknown DLLs like OAEDLoader.dll.
  • Implement EDR rules: Detect in-memory injection, process hollowing, and reflective loading events related to Lanscope executables.
  • Network monitoring: Watch for outbound connections using multiplexed smux-based traffic or connections to suspicious cloud services for data transfer.
  • Credential hygiene: Rotate privileged credentials and audit access logs if compromise is suspected.
  • Train users: Provide ongoing cybersecurity training to reduce the likelihood of secondary spear-phishing attempts targeting staff.
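The side-loading stage described above (a loader DLL dropped into Lanscope’s program directory and picked up by the legitimate process) is also the most tractable thing to detect, which is what the "Monitor side-loading activity" guidance asks for. The script below is an added example written for this article; it is not code from the original page, from Motex, Sophos or JPCERT/CC. It assumes Sysmon Event ID 7 (Image loaded) records already parsed into dicts using Sysmon’s field names (Image, ImageLoaded, Signed, Signature, SignatureStatus). The install path, the vendor publisher string, the process and DLL file names in the sample records, and the DLL baseline are all assumptions; the sample records are constructed, not real telemetry. Only OAEDLoader.dll comes from the article’s indicator list.

```python
"""Flag DLL side-loading from a Lanscope program directory in Sysmon Event ID 7 records.

Added example for this article; not code from the original page or from
Motex, Sophos or JPCERT/CC. Install path, publisher name, file names and the
baseline are assumptions: take the real values from a known-good server.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed install directory of the Lanscope server components (adjust locally).
LANSCOPE_ROOT = r"C:\Program Files\Lanscope"
# Assumed Authenticode publisher string on the vendor's own binaries.
TRUSTED_PUBLISHERS = {"MOTEX Inc."}
# Assumed baseline: DLL names seen in the install directory on a clean server.
BASELINE_DLLS = {"lspagent.dll", "lspcore.dll"}
# Loader name taken from the campaign's indicators of compromise.
KNOWN_BAD_DLLS = {"oaedloader.dll"}


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    process: str    # image path of the process that loaded the DLL
    dll: str        # file name of the loaded DLL
    reason: str


def _under(path: str, root: str) -> bool:
    """True when `path` lies inside `root` (Windows paths, case-insensitive)."""
    p = PureWindowsPath(path.casefold()).parts
    r = PureWindowsPath(root.casefold()).parts
    return p[: len(r)] == r and len(p) > len(r)


def _signature_ok(event: dict) -> bool:
    """Signed, signature validated by Sysmon, and issued to a trusted publisher."""
    return (
        event.get("Signed", "false").lower() == "true"
        and event.get("SignatureStatus") == "Valid"
        and event.get("Signature") in TRUSTED_PUBLISHERS
    )


def inspect_image_load(event: dict) -> Finding | None:
    """Apply the side-loading heuristics to one Sysmon Event ID 7 record."""
    process = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    name = PureWindowsPath(loaded).name
    key = name.casefold()
    # A known loader name is worth an alert no matter which process loads it.
    if key in KNOWN_BAD_DLLS:
        return Finding("high", process, name, "known loader name from campaign IoCs")
    # Otherwise only loads by a Lanscope process from its own directory matter;
    # OS DLLs from System32 and unrelated processes are skipped here.
    if not (_under(process, LANSCOPE_ROOT) and _under(loaded, LANSCOPE_ROOT)):
        return None
    if not _signature_ok(event):
        return Finding("high", process, name, "unsigned or untrusted DLL in Lanscope directory")
    if key not in BASELINE_DLLS:
        return Finding("medium", process, name, "vendor-signed but not in install baseline")
    return None


def detect_sideload(events: list[dict]) -> list[Finding]:
    """Run the heuristics over a batch of records and return all findings."""
    return [f for f in (inspect_image_load(e) for e in events) if f is not None]


# Constructed sample records (not real telemetry), shaped like Sysmon Event ID 7.
_SERVER = r"C:\Program Files\Lanscope\LspServer.exe"   # assumed process name
SAMPLE_EVENTS = [
    {"Image": _SERVER, "ImageLoaded": r"C:\Program Files\Lanscope\LspCore.dll",
     "Signed": "true", "Signature": "MOTEX Inc.", "SignatureStatus": "Valid"},
    {"Image": _SERVER, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": _SERVER, "ImageLoaded": r"C:\Program Files\Lanscope\OAEDLoader.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": _SERVER, "ImageLoaded": r"C:\Program Files\Lanscope\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": _SERVER, "ImageLoaded": r"C:\Program Files\Lanscope\LspUpdate.dll",
     "Signed": "true", "Signature": "MOTEX Inc.", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Program Files\Lanscope\OAEDLoader.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for f in detect_sideload(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.process} loaded {f.dll}: {f.reason}")
```

The ordering of the checks is deliberate: a name from the indicator list fires regardless of path, an unsigned or foreign-signed DLL inside the install directory is treated as high severity because the vendor process should never need one, and a vendor-signed DLL that is simply missing from the baseline is reported at medium severity so that a legitimate update shows up as something to re-baseline rather than an incident. Feeding real Sysmon events in requires only mapping the same five fields.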

YARA Detection Rule Example

rule Tick_Lanscope_Gokcpdoor_2025 {
    meta:
        author = "Botcrawl Threat Research"
        description = "Detects Gokcpdoor or OAED Loader artifacts from Lanscope CVE-2025-61932 exploitation"
        date = "2025-10-31"
    strings:
        $s1 = "OAEDLoader" ascii   // loader DLL name from the campaign's indicators
        $s2 = "Gokcpdoor" ascii    // backdoor family name
        $s3 = "smux" ascii         // multiplexing library used by the 2025 variant; also present in benign Go binaries that import it
    condition:
        // any single string matches, so $s3 on its own will also hit legitimate Go
        // programs built with smux: treat those hits as triage leads, not verdicts
        filesize < 1000KB and any of ($s*)
}

The Tick Group’s continued exploitation of Japanese enterprise software underscores the growing threat of state-sponsored attacks targeting domestic management tools. As with previous campaigns, the use of zero-day exploits, legitimate binaries, and minimal forensic footprint shows a deliberate effort to remain persistent and undetected within sensitive networks. Organizations should ensure rapid patching, segmentation of management systems, and continuous monitoring for stealthy side-loading behaviors.

Sean Doyle

Sean is a distinguished tech author and entrepreneur with over 20 years of extensive experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and various other tech domains. His expertise and contributions to the industry have been recognized in numerous esteemed publications. Sean is widely acclaimed for his sharp intellect and innovative insights, solidifying his reputation as a leading figure in the tech community. His work not only advances the field but also helps businesses and individuals navigate the complexities of the digital world.
