The threat group targeted a LANSCOPE zero-day vulnerability (CVE-2025-61932)
# Threat Actor: BRONZE BUTLER
## Attribution & Identity
**Attribution:** Chinese state-sponsored threat group.
**Aliases:** Tick.
**Tracking History:** Tracked since 2010.
## Activity Summary
In mid-2025, BRONZE BUTLER conducted a campaign against organizations to steal confidential information. The initial access vector was the exploitation of a zero-day vulnerability, **CVE-2025-61932**, in Motex LANSCOPE Endpoint Manager; successful exploitation allows remote execution of arbitrary commands with SYSTEM privileges. The group has a history of this approach: in 2016 it exploited a zero-day vulnerability in SKYSEA Client View, another Japanese asset management product.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploited zero-day vulnerability **CVE-2025-61932** (LANSCOPE Endpoint Manager) to gain remote code execution with SYSTEM privileges.
- **C2/Backdoor:** Deployed **Gokcpdoor** malware. The 2025 variant multiplexes C2 communication through a third-party library (smux) and has dropped KCP protocol support. Both a server version (listening on ports such as 38000 or 38002) and a client version of Gokcpdoor were used.
- **C2/Backdoor Alternative:** Implemented the **Havoc** C2 framework on some compromised hosts.
- **Execution Evasion:** Employed **OAED Loader** malware across both Gokcpdoor and Havoc payloads to inject the payload into a legitimate executable, complicating execution flow analysis.
- **Lateral Movement/Discovery:** Used **goddi** (Go dump domain info) for Active Directory information dumping.
- **Remote Access:** Used legitimate **Remote Desktop** tools accessed through a backdoor tunnel.
- **Data Exfiltration:** Compressed data using **7-Zip** prior to exfiltration.
## Targeting
- **Sectors:** Organizations using asset management software, with a particular focus on Japanese entities (implied by the targeting of Japanese software products and their users).
- **Geography:** Japan (primary focus of the observed campaign and historical activity).
- **Victims:** Organizations using LANSCOPE Endpoint Manager software. (Specific organization names not provided in the text.)
## Tools & Infrastructure
- **Malware families used:** Gokcpdoor, OAED Loader.
- **C2 Frameworks:** Havoc C2 framework.
- **Infrastructure (C2, domains, IPs):** Specific C2 server addresses and domains were hard-coded in the client-type Gokcpdoor samples. Specific ports used for the server-type Gokcpdoor include 38000 and 38002.
## Implications
BRONZE BUTLER remains a highly capable threat actor that uses zero-day exploits against widely deployed asset management software and maintains a consistent focus on a specific national target (Japan). Its adoption of modern C2 techniques (such as smux multiplexing) alongside publicly available and legitimate tooling (goddi, 7-Zip, Remote Desktop) shows continued operational maturity aimed at deep compromise and espionage.
## Mitigations
- Patch or otherwise mitigate **CVE-2025-61932** immediately; it is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Monitor for **Gokcpdoor** and **Havoc** C2 activity, particularly communication over non-standard application protocols or tunnels, and for unexpected listeners on the ports associated with server-type Gokcpdoor (38000, 38002).
- Implement enhanced monitoring for process injection techniques commonly associated with loaders such as **OAED Loader**.
- Restrict or monitor outbound connections initiated by asset management software agents.
- Review host and network telemetry for evidence of data staging with **7-Zip** (archive creation followed by outbound transfer).
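The two monitoring items above (Gokcpdoor listener ports and outbound connections from the asset management agent) can be checked against endpoint connection telemetry. The following is an added example, not code from the original report or from any vendor: it parses constructed netstat-style records (protocol, local and remote socket, state, PID, process name) and raises a finding for any listener on 38000/38002 and for any agent process connecting outside RFC 1918 space. The agent process name `lanscope_agent.exe` is a placeholder assumption and must be replaced with the real binary name in your environment.

```python
import ipaddress
import re

# Ports the report attributes to server-type Gokcpdoor listeners.
GOKCPDOOR_PORTS = {38000, 38002}
# ASSUMPTION: placeholder name; replace with the actual asset management agent binary.
ASSET_AGENT_PROCESSES = {"lanscope_agent.exe"}
# Address space treated as internal; anything else counts as external egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry (not real data): netstat-style rows with the owning process appended.
SAMPLE_RECORDS = """\
TCP 0.0.0.0:38000 0.0.0.0:0 LISTENING 4120 svchost.exe
TCP 10.0.0.5:51022 203.0.113.7:443 ESTABLISHED 2210 lanscope_agent.exe
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 988 svchost.exe
TCP 10.0.0.5:51030 10.0.0.9:445 ESTABLISHED 2210 lanscope_agent.exe
TCP 0.0.0.0:38002 0.0.0.0:0 LISTENING 7712 notepad.exe
"""

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def parse_record(line):
    """Return a dict for one telemetry row, or None if the row does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, laddr, lport, raddr, rport, state, pid, proc = m.groups()
    return {"proto": proto, "laddr": laddr, "lport": int(lport), "raddr": raddr,
            "rport": int(rport), "state": state, "pid": int(pid), "proc": proc.lower()}

def is_external(addr):
    """True when addr parses as an IP and falls outside every INTERNAL_NETS range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def detect(records_text):
    """Scan telemetry rows and return (rule, pid, process, detail) findings in row order."""
    findings = []
    for line in records_text.splitlines():
        r = parse_record(line)
        if r is None:
            continue
        if r["state"] == "LISTENING" and r["lport"] in GOKCPDOOR_PORTS:
            findings.append(("gokcpdoor_listener", r["pid"], r["proc"], r["lport"]))
        if (r["state"] == "ESTABLISHED" and r["proc"] in ASSET_AGENT_PROCESSES
                and is_external(r["raddr"])):
            findings.append(("agent_external_egress", r["pid"], r["proc"],
                             f'{r["raddr"]}:{r["rport"]}'))
    return findings
```

Against the constructed sample, the scan flags the two Gokcpdoor-port listeners and the agent's connection to 203.0.113.7, while the agent's internal SMB connection to 10.0.0.9 produces no finding.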