Full Report
China-linked cyber-espionage actors tracked as 'Bronze Butler' (Tick) exploited a Motex Lanscope Endpoint Manager vulnerability as a zero-day to deploy an updated version of their Gokcpdoor malware. [...]
Analysis Summary
# Threat Actor: Bronze Butler (Tick)
## Attribution & Identity
* **Attribution:** China-linked cyber-espionage actors.
* **Known Aliases:** Tick.
## Activity Summary
Bronze Butler exploited CVE-2025-61932 in Motex Lanscope Endpoint Manager as a zero-day; exploitation was observed in mid-2025, before the vendor released a patch on October 20, 2025. The objective appears to be the theft of confidential information.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploited **CVE-2025-61932**, a request origin verification flaw in Motex Lanscope Endpoint Manager, gaining unauthenticated, arbitrary code execution with **SYSTEM privileges**.
* **Execution/Persistence:** Deployed an updated version of **Gokcpdoor** malware.
* **Defense Evasion:** The final payload (Gokcpdoor) was delivered by **OAED Loader** and run through **DLL sideloading**, in which a malicious DLL placed beside a legitimate, trusted executable is loaded in place of a library that executable expects, so the payload ends up executing in the context of a legitimate binary.
* **Command and Control:** Established proxy connections to C2 infrastructure, using either the custom Gokcpdoor C2 protocol or the **Havoc C2 framework**.
* **Discovery/Lateral Movement:** Used the **goddi Active Directory dumper** to enumerate the domain and **Remote Desktop** to move between hosts.
* **Collection/Exfiltration:** Used the **7-Zip archiver tool** to stage and compress data before exfiltration.
## Targeting
* **Sectors:** Not explicitly detailed in this context; the cyber-espionage motive and confidential-data objective point to government, technology, or critical-infrastructure organizations, but this is inference rather than reported fact.
* **Geography:** Not detailed in this context. Lanscope Endpoint Manager is Japanese software, so the implied victim base is organizations running it, predominantly in Japan.
* **Victims:** Organizations utilizing Motex Lanscope Endpoint Manager (versions 9.4.7.2 and earlier).
## Tools & Infrastructure
* **Malware families used:**
* **Gokcpdoor (Updated version):** Multiplexes several C2 channels over one connection and drops support for the KCP protocol that earlier versions used. The server variant listens for inbound connections on ports 38000 and 38002 on the compromised host; the client variant makes outbound connections to hard-coded addresses.
* **OAED Loader**
* **Exfiltration Infrastructure:** Suspected exfiltration through file-sharing and cloud storage services; the report specifically notes access to `io`, `LimeWire`, and `Piping Server` (named here as the report names them).
* **Other Tools:** goddi Active Directory dumper, Remote Desktop, 7-Zip.
## Implications
Exploiting a zero-day in widely deployed endpoint management software (Motex Lanscope) shows both capability and deliberate targeting of the software that specific organizations depend on. The Gokcpdoor update (multiplexed communications, KCP dropped) and the reliance on DLL sideloading signal ongoing effort to stay stealthy and persistent inside victim networks, and the goddi dump shows that Active Directory enumeration is an early priority once a foothold exists.
## Mitigations
* **Patching:** Immediately upgrade Motex Lanscope Endpoint Manager client components to a version addressing **CVE-2025-61932**, and verify afterwards that no host still reports version 9.4.7.2 or earlier. The vendor offers no workaround, so patching is the only recommended action.
* **Network Monitoring:** Monitor for egress to the file-sharing services named as exfiltration endpoints (`io`, `LimeWire`, `Piping Server`), and inventory unexpected listening sockets on ports 38000 and 38002, which the Gokcpdoor server variant opens on the compromised host.
* **Endpoint Detection:** Hunt for DLL sideloading (an unsigned or unexpected DLL loaded by a legitimate signed executable, typically from a user-writable directory) and the process injection that follows it, and look for artifacts associated with OAED Loader.
* **AD Security:** Alert on execution of the goddi Active Directory dumper, which performs bulk LDAP enumeration of domain objects, and on Remote Desktop logons outside normal administrative patterns.
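The three host- and network-side checks above (vulnerable Lanscope version, Gokcpdoor listener ports, egress to the named file-sharing services) are mechanical enough to script. The following is an added example written for this summary; it is not code from the report or from any vendor. It runs offline over constructed sample data: a few Windows `netstat -ano`-style lines and a few proxy-log lines in a simple `timestamp src method host:port status bytes` layout that is assumed here. The concrete hostnames in `SUSPECT_EXFIL_DOMAINS` are assumed placeholders chosen to illustrate the matching logic; the report names the services, not the domains, so take real indicators from your own intelligence feed.

```python
"""Hunting helpers for the Bronze Butler / Gokcpdoor activity summarised above.

Added example, not code from the original report or from any vendor. The
netstat and proxy-log lines below are constructed sample input; the exfil
domains are ASSUMED placeholders used only to show the matching logic.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# From the report: the Gokcpdoor server variant listens on these ports.
GOKCPDOOR_LISTEN_PORTS = {38000, 38002}

# The report names "io", "LimeWire" and "Piping Server" as exfil services.
# The hostnames here are ASSUMED placeholders, not indicators from the report.
SUSPECT_EXFIL_DOMAINS = {"limewire.com": "LimeWire", "ppng.io": "Piping Server"}

# From the report: Lanscope Endpoint Manager 9.4.7.2 and earlier are affected.
LAST_VULNERABLE_VERSION = (9, 4, 7, 2)

# Constructed sample data (not real telemetry).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:38000          0.0.0.0:0              LISTENING       4212
  TCP    10.0.0.5:49712         10.0.0.9:3389          ESTABLISHED     5120
  TCP    [::]:38002             [::]:0                 LISTENING       4212
  UDP    0.0.0.0:5353           *:*                                    1188
""".splitlines()

SAMPLE_PROXY = """\
2025-10-21T03:14:07Z 10.0.0.5 CONNECT upload.limewire.com:443 200 734003200
2025-10-21T03:15:11Z 10.0.0.5 CONNECT ppng.io:443 200 52428800
2025-10-21T03:16:40Z 10.0.0.7 GET update.example.com:80 200 1024
2025-10-21T03:17:02Z 10.0.0.5 CONNECT notlimewire.com:443 200 9000
""".splitlines()

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+(?P<state>\w+)\s+(?P<pid>\d+)"
)
PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>[^:\s]+)(?::\d+)?\s+(?P<status>\d{3})\s+(?P<bytes>\d+)"
)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str
    evidence: str


def parse_version(s: str) -> tuple[int, ...]:
    """'9.4.7.2' -> (9, 4, 7, 2); ignores any non-numeric build suffix."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def is_vulnerable_lanscope(version: str) -> bool:
    """True when the installed version is 9.4.7.2 or earlier.

    Tuples compare element by element, so (9, 4, 7) < (9, 4, 7, 2) and
    (9, 4, 7, 3) > (9, 4, 7, 2), which is the ordering we need."""
    return parse_version(version) <= LAST_VULNERABLE_VERSION


def find_gokcpdoor_listeners(netstat_lines: Iterable[str]) -> list[Finding]:
    """Flag TCP LISTENING sockets on the Gokcpdoor server-variant ports.

    A hit is a lead, not proof: confirm by inspecting the owning PID."""
    out = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m or m["state"] != "LISTENING":
            continue
        port = int(m["lport"])
        if port in GOKCPDOOR_LISTEN_PORTS:
            out.append(Finding("gokcpdoor_listener",
                               f"port {port} bound by PID {m['pid']}", line.strip()))
    return out


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match only, so 'notlimewire.com' does not match."""
    return host == domain or host.endswith("." + domain)


def find_exfil_egress(proxy_lines: Iterable[str],
                      domains: dict[str, str] = SUSPECT_EXFIL_DOMAINS,
                      min_bytes: int = 0) -> list[Finding]:
    """Flag proxy entries to the watched file-sharing domains.

    min_bytes lets an analyst keep only large transfers when hunting for
    staged 7-Zip archives leaving the network."""
    out = []
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if not m or int(m["bytes"]) < min_bytes:
            continue
        host = m["host"].lower()
        for domain, label in domains.items():
            if host_matches(host, domain):
                out.append(Finding("exfil_egress",
                                   f"{m['src']} -> {host} ({label}), {m['bytes']} bytes",
                                   line.strip()))
    return out


def hunt(netstat_lines=SAMPLE_NETSTAT, proxy_lines=SAMPLE_PROXY) -> list[Finding]:
    """Run both checks and return every finding."""
    return find_gokcpdoor_listeners(netstat_lines) + find_exfil_egress(proxy_lines)


if __name__ == "__main__":
    for f in hunt():
        print(f"[{f.kind}] {f.detail}\n    {f.evidence}")
```

On the sample data this reports the two listeners (38000 and 38002, both owned by PID 4212) and the two transfers to the watched domains, while ignoring the look-alike `notlimewire.com` entry. In practice, feed it exported `netstat -ano` output from endpoints and your proxy or NetFlow logs, and treat any hit as a starting point for process and file inspection rather than as a confirmed compromise.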