Full Report
The exploitation of a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager has been attributed to a cyber espionage group known as Tick. The vulnerability, tracked as CVE-2025-61932 (CVSS score: 9.3), allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise versions of the program. JPCERT/CC, in an alert issued this month, said that it
Analysis Summary
# Threat Actor: Tick
## Attribution & Identity
**Identification:** Cyber espionage group.
**Known Aliases:** Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, Swirl Typhoon (formerly Tellurium).
**Known Associations:** Suspected Chinese cyber espionage actor.
**Activity Span:** Active since at least 2006.
## Activity Summary
Tick is actively exploiting a recently disclosed critical zero-day vulnerability (CVE-2025-61932, CVSS 9.3) in on-premise versions of Motex Lanscope Endpoint Manager. Successful exploitation lets a remote attacker execute arbitrary commands with SYSTEM privileges on the affected host. JPCERT/CC confirmed active abuse in which the flaw was used to drop a backdoor on compromised systems. The campaign fits the group's established pattern of abusing Japanese IT asset management software, notably the 2017 exploitation of CVE-2016-7836 in SKYSEA Client View.
## Tactics, Techniques & Procedures
- **Initial Access/Exploitation:** Exploiting CVE-2025-61932 in Motex Lanscope Endpoint Manager for remote command execution (SYSTEM privileges).
- **Execution:** Deploying a known backdoor, Gokcpdoor, to establish a persistent presence.
- **Command and Control/Post-Exploitation:** Utilizing the Havoc post-exploitation framework on select systems.
- **Defense Evasion:** Employing DLL side-loading via an `OAED Loader` to inject payloads.
- **Discovery/Lateral Movement:** Dumping Active Directory information with `goddi`, and using Remote Desktop for remote access and tunneling.
- **Data Exfiltration:** Accessing and exfiltrating data via web browsers to cloud services such as io, LimeWire, and Piping Server.
- **C2 Communication:** The 2025 Gokcpdoor variant multiplexes its C2 traffic with the third-party [[smux]] library instead of the KCP protocol used by earlier versions.
## Targeting
- **Sectors:** Not specified in the report; victim selection is driven by software in use, i.e. organizations running Japanese IT asset management products (Motex Lanscope, SKYSEA Client View).
- **Geography:** Extensive targeting of East Asia, specifically Japan.
- **Victims:** Unspecified organizations using vulnerable on-premise versions of Motex Lanscope Endpoint Manager.
## Tools & Infrastructure
- **Malware/Payloads:** Gokcpdoor (server and client variants observed), Havoc post-exploitation framework, OAED Loader.
- **Utility Tools:** goddi (for AD dumping), 7-Zip.
- **Infrastructure (C2):** Two Gokcpdoor variants were observed: a server variant that opens a listening port and waits for the operator to connect, and a client variant that connects out to a remote C2 server. In both cases the 2025 build multiplexes its traffic with the [[smux]] library.
- **Exfiltration Destinations:** Cloud services including `io`, `LimeWire`, and `Piping Server`.
## Implications
Tick remains a highly sophisticated cyber espionage actor capable of leveraging zero-day vulnerabilities in widely used enterprise software to gain deep access to corporate networks for long-term espionage and data theft. Their focus on Japanese software suggests nation-state sponsored objectives targeting regional assets.
## Mitigations
- Immediately upgrade or patch all vulnerable Motex Lanscope Endpoint Manager instances (addressing CVE-2025-61932).
- Review internet-facing Motex Lanscope servers that have the client program (MR) or detection agent (DA) installed, and remove public exposure wherever it is not strictly required.
- Monitor for indicators associated with Gokcpdoor, Havoc framework activity, and the use of DLL side-loading techniques.
- Review logs for evidence of `goddi` usage or suspicious outbound connections to known personal cloud storage/file-sharing services from internal systems.
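The three log-review items above (DLL side-loading, `goddi` execution, browser egress to personal file-sharing services) can be expressed as simple rules over Sysmon-style telemetry. The block below is an added example written for this page, not code from the report, JPCERT/CC or Motex; it runs over a handful of constructed events (IDs 1, 3 and 7 reduced to dicts), and the trusted-directory list and file-sharing host watchlist are assumptions to be tuned for your environment.

```python
"""Detection sketch for the post-exploitation tradecraft described above.

Added example; not code from the original report. Events are simplified Sysmon
records: ID 1 (process create), ID 3 (network connect), ID 7 (image load).
All sample data, host names and allowlists below are constructed assumptions.
"""
from __future__ import annotations

import ntpath

# Assumption: directories from which signed binaries legitimately load DLLs.
# A SYSTEM-level attacker can write under Program Files too, so treat this as
# noise tuning rather than a security boundary.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Assumption: watchlist of personal file-sharing / relay services; the report
# names LimeWire and Piping Server, so populate this from your own intel.
FILE_SHARING_HOSTS = ("limewire.com", "ppng.io")


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (case-insensitive, no '..')."""
    return ntpath.normpath(path).lower()


def is_sideload_candidate(ev: dict) -> bool:
    """ID 7: signed EXE loads an unsigned DLL from its own, non-standard directory.

    This is the classic side-loading shape (legitimate host EXE dropped next to
    the DLL it resolves by name); it is a lead, not proof of compromise."""
    if ev.get("event_id") != 7:
        return False
    exe_dir = ntpath.dirname(_norm(ev["image"]))
    dll_dir = ntpath.dirname(_norm(ev["image_loaded"]))
    return (
        bool(ev.get("exe_signed"))
        and not ev.get("dll_signed", False)
        and exe_dir == dll_dir
        and not dll_dir.startswith(TRUSTED_DLL_DIRS)
    )


def is_goddi_execution(ev: dict) -> bool:
    """ID 1: goddi (Go AD dumper) by image name or command line.

    Renamed copies will not match by name; pair this with hash or
    signature-based detection."""
    if ev.get("event_id") != 1:
        return False
    name = ntpath.basename(_norm(ev["image"]))
    return "goddi" in name or "goddi" in ev.get("command_line", "").lower()


def is_file_sharing_egress(ev: dict) -> bool:
    """ID 3: outbound connection to a watchlisted file-sharing domain or subdomain."""
    if ev.get("event_id") != 3:
        return False
    host = ev.get("destination_hostname", "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)


RULES = (
    ("dll_sideload", is_sideload_candidate),
    ("goddi_execution", is_goddi_execution),
    ("file_sharing_egress", is_file_sharing_egress),
)


def scan(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, host, subject) for every event that trips a rule."""
    findings = []
    for ev in events:
        for rule_name, rule in RULES:
            if rule(ev):
                subject = ev.get("destination_hostname") or ev.get("image", "")
                findings.append((rule_name, ev["host"], subject))
    return findings


# Constructed sample telemetry; none of these paths or hosts come from the report.
SAMPLE_EVENTS = [
    {"event_id": 7, "host": "ws01", "image": r"C:\Users\Public\Update\legit.exe",
     "image_loaded": r"C:\Users\Public\Update\version.dll", "exe_signed": True, "dll_signed": False},
    {"event_id": 7, "host": "ws01", "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\version.dll", "exe_signed": True, "dll_signed": True},
    {"event_id": 7, "host": "ws02", "image": r"C:\Program Files\Vendor\app.exe",
     "image_loaded": r"C:\Program Files\Vendor\helper.dll", "exe_signed": True, "dll_signed": False},
    {"event_id": 1, "host": "ws02", "image": r"C:\Temp\goddi-windows-amd64.exe",
     "command_line": "goddi-windows-amd64.exe -domain=corp.example -dc=dc01 -unsafe"},
    {"event_id": 1, "host": "ws02", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"event_id": 3, "host": "ws03", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "destination_hostname": "upload.limewire.com"},
    {"event_id": 3, "host": "ws03", "image": r"C:\Windows\System32\svchost.exe",
     "destination_hostname": "update.microsoft.com"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Each rule returns a boolean on one event so it can be unit-tested and ported to a SIEM query; `scan` only joins them. The side-loading rule deliberately requires the EXE and DLL to share a directory, which is the shape an `OAED Loader`-style drop produces, and the egress rule matches subdomains so a browser upload endpoint under a watchlisted domain is still caught.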