
A campaign attributed to BRONZE BUTLER, a Chinese state-sponsored threat group also tracked as Tick, is exploiting a zero-day vulnerability in Motex’s LANSCOPE Endpoint Manager to compromise Japanese organizations and steal sensitive information. The campaign has drawn attention from Japanese and international security agencies because the flaw gives the attacker full control of the affected host and the group’s tradecraft is mature.
Summary of the Incident
Security researchers from the Counter Threat Unit (CTU) confirmed that BRONZE BUTLER exploited CVE-2025-61932, a critical flaw in LANSCOPE Endpoint Manager (On-Premises) versions 9.4.7.1 and earlier. This vulnerability, with a CVSS score of 9.8, allows remote attackers to execute arbitrary code with SYSTEM-level privileges. Exploitation specifically targets the client program (MR) and detection agent (DA) components.
JPCERT/CC reported that exploitation attempts began in April 2025, with evidence of malicious packets received on designated ports across Japanese enterprise networks. Following these reports, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61932 to its Known Exploited Vulnerabilities Catalog on October 22, 2025. While the number of exposed internet-facing devices is limited, compromised endpoints could be used as pivot points for lateral movement and privilege escalation within corporate networks.
BRONZE BUTLER used Gokcpdoor, a custom backdoor, for command-and-control (C2). The 2025 variant removed KCP protocol support and instead multiplexes its C2 sessions through a third-party stream library, which makes the traffic less distinctive and harder to fingerprint with protocol signatures. Analysis identified two configurations: a server variant that listens on ports 38000 and 38002 for inbound operator connections, and a client variant that connects out to hardcoded C2 servers. In some intrusions the Havoc C2 framework was used in place of Gokcpdoor, and the OAED Loader was used to inject payloads into legitimate executables.
The group rotated through several C2 addresses, including 38.54.56.57, 38.54.88.172, 38.54.56.10, 38.60.212.85, and 108.61.161.118, with traffic primarily over TCP port 443 so that it blends with ordinary HTTPS. Post-exploitation and exfiltration relied on legitimate tools and public services: goddi for Active Directory enumeration, legitimate remote desktop applications tunneled through the backdoor, 7-Zip to compress the collected data, and public file-transfer services such as file.io, LimeWire, and Piping Server to move it out of the network.
This campaign continues BRONZE BUTLER’s long-running focus on Japanese organizations, echoing its exploitation of SKYSEA Client View zero-days in 2016. Organizations running LANSCOPE Endpoint Manager should confirm whether any installation is reachable from the internet, apply the vendor’s security updates, and monitor for connections to the C2 infrastructure listed below.
Indicators of Compromise (IOCs):
Indicator                                                         Type    Context
932c91020b74aaa7ffc687e21da0119c                                  MD5     Gokcpdoor variant (oci.dll)
be75458b489468e0acdea6ebbb424bc898b3db29                          SHA1    Gokcpdoor variant (oci.dll)
3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba  SHA256  Gokcpdoor variant (oci.dll)
4946b0de3b705878c514e2eead096e1e                                  MD5     Havoc sample (MaxxAudioMeters64LOC.dll)
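The network and file indicators above are only useful once they are run against real telemetry. The following Python script is an added example, not code from the CTU, JPCERT/CC, or Undercode: it scans connection and listener log lines for the listed C2 addresses and for the Gokcpdoor server-mode ports 38000 and 38002 (the monitoring of connections to identified C2 infrastructure that the article recommends), and hashes files to compare them against the IOC table. The log line layout, the sensor names, and the sample lines are constructed for illustration; the regexes would need adapting to a real firewall or EDR export.

```python
"""Added hunting script for the BRONZE BUTLER indicators in this article.

Not from the original report or any vendor tooling. It applies the published
indicators in two ways:
  1. scans connection/listener log lines for the listed C2 addresses and for
     Gokcpdoor server-mode listeners on ports 38000/38002;
  2. hashes files and compares MD5/SHA1/SHA256 against the published hashes.
The log format and sample lines are constructed (assumption), not a real product format.
"""
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# C2 addresses from the article (traffic reported primarily over TCP 443).
C2_IPS = {"38.54.56.57", "38.54.88.172", "38.54.56.10", "38.60.212.85", "108.61.161.118"}
# Gokcpdoor server-variant listening ports from the article.
GOKCPDOOR_LISTEN_PORTS = {38000, 38002}

# File hashes from the article's IOC table, keyed by lowercase hex digest.
IOC_HASHES = {
    "932c91020b74aaa7ffc687e21da0119c": "Gokcpdoor variant (oci.dll)",
    "be75458b489468e0acdea6ebbb424bc898b3db29": "Gokcpdoor variant (oci.dll)",
    "3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba": "Gokcpdoor variant (oci.dll)",
    "4946b0de3b705878c514e2eead096e1e": "Havoc sample (MaxxAudioMeters64LOC.dll)",
}

# Constructed log formats (assumption):
#   <ts> <sensor> conn <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
#   <ts> <sensor> listen <ip>:<port> <proto>
CONN_RE = re.compile(r"^(\S+) (\S+) conn (\S+):(\d+) -> (\S+):(\d+) (\w+)$")
LISTEN_RE = re.compile(r"^(\S+) (\S+) listen (\S+):(\d+) (\w+)$")


def hunt_log(text):
    """Return findings as (timestamp, kind, host, detail) tuples."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CONN_RE.match(line)
        if m:
            ts, _sensor, src, _sport, dst, dport, proto = m.groups()
            if dst in C2_IPS:  # outbound connection to a listed C2 address
                findings.append((ts, "c2_connection", src, f"{dst}:{dport}/{proto}"))
            continue
        m = LISTEN_RE.match(line)
        if m:
            ts, _sensor, host, port, proto = m.groups()
            if int(port) in GOKCPDOOR_LISTEN_PORTS:  # Gokcpdoor server-mode port open
                findings.append((ts, "gokcpdoor_listener", host, f"{host}:{port}/{proto}"))
    return findings


def hosts_by_kind(findings):
    """Group finding kinds per host; a host with both a C2 connection and a
    suspicious listener is the first triage candidate."""
    grouped = defaultdict(set)
    for _ts, kind, host, _detail in findings:
        grouped[host].add(kind)
    return dict(grouped)


def hash_file(path):
    """Return (md5, sha1, sha256) hex digests of a file, read in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def match_digests(*digests):
    """Return the IOC context for the first digest present in the table, else None."""
    for d in digests:
        hit = IOC_HASHES.get(d.lower())
        if hit:
            return hit
    return None


def hunt_files(root):
    """Walk a directory tree and report files whose hash matches a published IOC."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            ctx = match_digests(*hash_file(p))
            if ctx:
                hits.append((str(p), ctx))
    return hits


# Constructed sample: 10.20.5.17 connects to a listed C2 and exposes both
# Gokcpdoor server ports; 10.20.5.42 only connects; 203.0.113.10 is benign.
SAMPLE_LOG = """\
2025-10-20T09:12:01Z fw01 conn 10.20.5.17:51344 -> 38.54.56.57:443 tcp
2025-10-20T09:12:07Z fw01 conn 10.20.5.17:51350 -> 203.0.113.10:443 tcp
2025-10-20T09:13:42Z fw01 conn 10.20.5.42:49777 -> 108.61.161.118:443 tcp
2025-10-20T09:14:00Z edr listen 10.20.5.17:38000 tcp
2025-10-20T09:14:00Z edr listen 10.20.5.17:38002 tcp
2025-10-20T09:14:00Z edr listen 10.20.5.17:3389 tcp
"""

if __name__ == "__main__":
    for f in hunt_log(SAMPLE_LOG):
        print(*f)
    print(hosts_by_kind(hunt_log(SAMPLE_LOG)))
```

IP indicators age quickly because the group rotates addresses, and hash matches only find the exact samples listed, so treat a hit as a trigger for host triage rather than as a complete check. In the sample, 10.20.5.17 both connects to a listed address and exposes the Gokcpdoor listener ports, which is the combination that should be looked at first; the RDP listener on 3389 is deliberately not flagged, since the article notes the group hides inside legitimate remote desktop use.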
What Undercode Say:
The BRONZE BUTLER campaign highlights the growing sophistication of state-sponsored cyber operations. This attack demonstrates a multi-layered approach combining zero-day exploitation, advanced malware, and operational security to evade detection. By exploiting CVE-2025-61932, attackers gain SYSTEM privileges, which allows near-total control over the compromised host. From there, lateral movement within the network becomes a significant risk, potentially exposing corporate secrets and intellectual property.
The use of both a custom backdoor (Gokcpdoor) and an off-the-shelf framework (Havoc) shows the group maintains more than one tooling option, while the rotation of several C2 addresses shows awareness of IP-based blocking and anomaly monitoring. Multiplexing C2 sessions through a generic stream library removes the distinctive KCP traffic that earlier variants produced, which weakens protocol-based signatures and makes the backdoor harder to separate from ordinary encrypted traffic on port 443.
Furthermore, the campaign’s data exfiltration strategy combines legitimate administrative tools and cloud platforms, making detection challenging. By leveraging tools such as goddi and remote desktop applications, attackers mimic normal administrative behavior while stealthily extracting sensitive information. Compression and cloud-based transfer techniques further minimize footprints, allowing data exfiltration without raising immediate alarms.
For Japanese organizations, this incident serves as a warning that traditional perimeter defenses are insufficient against well-funded threat actors. Immediate patching of vulnerable systems, stringent access controls, and continuous monitoring of network traffic, especially to known C2 addresses, are critical. Businesses should also reassess their exposure of internet-facing applications, as even limited endpoints can become high-value attack vectors.
The recurring targeting of Japanese industries by BRONZE BUTLER suggests a strategic intent beyond financial gain, most plausibly state-aligned intelligence collection. This pattern indicates that the group conducts long-term reconnaissance and can execute multi-stage, persistent intrusions. Understanding these motivations is essential for developing proactive defense strategies, including anomaly-based detection, threat hunting, and incident response exercises.
In essence, BRONZE BUTLER’s campaign underscores a paradigm shift in cybersecurity: attacks are increasingly multi-faceted, stealthy, and strategically targeted. Organizations must adopt a holistic approach combining threat intelligence, proactive patching, and behavioral analytics to mitigate these risks.
Fact Checker Results:
✅ BRONZE BUTLER is a state-sponsored Chinese threat group.
✅ CVE-2025-61932 affects LANSCOPE Endpoint Manager versions 9.4.7.1 and earlier.
❌ Public reports of widespread global compromise beyond Japan are not confirmed.
Prediction:
📊 BRONZE BUTLER is likely to expand targeting to additional critical Japanese sectors over the next 6–12 months.
📊 Expect increased adoption of sophisticated C2 techniques and cloud-based exfiltration in state-sponsored campaigns.
📊 Companies with exposed endpoints may face persistent surveillance, necessitating ongoing threat intelligence and patch management efforts.
References:
Reported By: cyberpress.org




