A sophisticated campaign by the Chinese state-sponsored threat group BRONZE BUTLER (also known as Tick) has been confirmed; it exploited a zero-day vulnerability in the Japanese-developed Motex LANSCOPE Endpoint Manager to breach corporate networks and steal confidential information.
The exploitation of this zero-day, tracked as CVE-2025-61932, is so severe that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) Catalog on October 22.
Sophos Counter Threat Unit (CTU) researchers first observed the BRONZE BUTLER campaign in mid-2025. The initial breach was achieved by exploiting a critical zero-day flaw in a popular Japanese asset management product, a tactic the group has used before.
The zero-day flaw, CVE-2025-61932, allows remote attackers to execute arbitrary commands with SYSTEM privileges. CTU confirmed that the attackers gained initial access by exploiting this vulnerability. Although “the number of vulnerable internet-facing devices is low, attackers could exploit vulnerable devices within compromised networks to conduct privilege escalation and lateral movement,” the report warns.
During the campaign, CTU identified the Gokcpdoor malware as the main backdoor used for command and control (C2). Previously observed in 2023, Gokcpdoor was known for using the KCP protocol to establish proxy connections. The new 2025 variant, however, “discontinued support for the KCP protocol and added multiplexing communication using a third-party library” to enhance stealth and efficiency.
Researchers also discovered two distinct Gokcpdoor variants:
- A server type, which listens for incoming client connections (commonly on ports 38000 or 38002) to enable remote access.
- A client type, which connects to hard-coded C2 servers, forming encrypted backdoor tunnels for command execution.
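The server-type listener gives defenders a concrete network indicator to hunt for. The following is an added example, not code from the Sophos CTU report or from this article: it parses constructed `netstat -ano` style output (a Windows host, since LANSCOPE Endpoint Manager is a Windows product) and flags TCP sockets in the LISTENING state on the two ports the article associates with the Gokcpdoor server variant. The sample lines, the PID values and the function names are constructed for illustration.

```python
"""Added example (not from the CTU report): flag listening TCP sockets on the
ports the article ties to the Gokcpdoor server-type backdoor (38000, 38002).
Input is constructed `netstat -ano` style output embedded below so it runs offline."""
import re
from dataclasses import dataclass

# Ports named in the article for the Gokcpdoor server-type listener.
GOKCPDOOR_SERVER_PORTS = {38000, 38002}


@dataclass(frozen=True)
class Finding:
    proto: str
    local_addr: str
    port: int
    pid: int


# One `netstat -ano` row: proto, local address, foreign address,
# state (present for TCP only, absent for UDP), owning PID.
_NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def _split_port(addr):
    """Split '0.0.0.0:38000' or '[::]:38000' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def find_suspect_listeners(lines):
    """Return Findings for TCP LISTENING sockets on the Gokcpdoor server ports.

    Only the *local* port matters: an ESTABLISHED connection whose foreign
    side happens to use 38002 is not a listener and is deliberately ignored.
    """
    findings = []
    for line in lines:
        m = _NETSTAT_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything unparseable
        if m.group("proto") != "TCP" or m.group("state") != "LISTENING":
            continue
        host, port = _split_port(m.group("local"))
        if port in GOKCPDOOR_SERVER_PORTS:
            findings.append(Finding("TCP", host, port, int(m.group("pid"))))
    return findings


# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:38000          0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:49321         10.0.0.9:38002         ESTABLISHED     4120
  TCP    [::]:38002             [::]:0                 LISTENING       4120
  UDP    0.0.0.0:5355           *:*                                    1320
""".strip("\n").splitlines()


if __name__ == "__main__":
    for f in find_suspect_listeners(SAMPLE_NETSTAT):
        print(f"suspect listener {f.local_addr}:{f.port} owned by pid {f.pid}")
```

On the constructed sample this reports the two listeners owned by PID 4120 and skips the ESTABLISHED row whose remote port is 38002. A hit on these ports is a pivot point rather than a verdict: the ports are not reserved for the malware, so the owning process (its image path, signature and parent) should be examined before concluding anything.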
Interestingly, on some compromised systems, BRONZE BUTLER switched to the Havoc C2 framework instead of Gokcpdoor. Both frameworks were deployed using OAED Loader, a malware component that “injects a payload into a legitimate executable according to its embedded configuration,” complicating detection and analysis.
Beyond custom malware, the group leveraged legitimate tools to blend into normal network activity. CTU observed the use of:
- goddi – an open-source Active Directory dumping tool.
- Remote Desktop – for manual intrusion through backdoor tunnels.
- 7-Zip – for compressing and exfiltrating stolen files.
Additionally, the attackers accessed cloud storage services like io, LimeWire, and Piping Server via web browsers during Remote Desktop sessions, likely to transfer exfiltrated data outside the compromised environment.