A sophisticated cyber espionage group, identified as **Tick**, is actively exploiting a critical security flaw in Motex Lanscope Endpoint Manager. This vulnerability, tracked as CVE-2025-61932, allows attackers to execute arbitrary commands with SYSTEM privileges on affected on-premise installations. The exploitation has been confirmed by researchers, who have observed the group dropping a backdoor on compromised systems as part of targeted campaigns.
The disclosure of this critical flaw, rated with a CVSS score of 9.3, has raised concerns within the cybersecurity community. JPCERT/CC issued an alert this month, confirming reports of active abuse. The group believed to be behind these attacks, Tick, is also known by various aliases including Bronze Butler, and has a history of targeting East Asia, particularly Japan, since at least 2006.
Tick Group’s Exploitation of Lanscope Endpoint Manager Flaw
Sophos researchers have detailed the advanced tactics employed by the Tick group in exploiting CVE-2025-61932. The campaign’s primary objective appears to be the deployment of a backdoor known as Gokcpdoor. This malware facilitates a proxy connection with a remote server, enabling attackers to execute malicious commands covertly on compromised hosts. The 2025 variant of Gokcpdoor reportedly dropped support for the KCP protocol, opting instead for multiplexing communication via a third-party library, smux, for its command-and-control (C2) channels.
Sophos observed two distinct configurations of Gokcpdoor, each serving a specific purpose within the attack chain. One variant functions as a server, actively listening for incoming client connections to establish remote access. The other operates as a client, initiating connections to hard-coded C2 servers to create a covert communication channel. This dual functionality allows the threat actors to maintain persistent access and control over compromised environments.
Beyond the backdoors, the Tick group’s campaign involves the strategic deployment of the Havoc post-exploitation framework. The initial infection vector often relies on DLL side-loading techniques, where a loader named OAED Loader is used to inject malicious payloads into legitimate running processes. This method helps evade detection and blend in with normal system activity.
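The side-loading pattern described above (a legitimate, signed executable pulling in an attacker-supplied DLL from its own directory) is one that defenders can triage from endpoint image-load telemetry. The following is an added example, not Sophos's or Motex's code and not tied to OAED Loader specifically: it applies a generic heuristic to Sysmon-style image-load events, flagging a signed process that maps a co-located DLL from outside the Windows system directories when that DLL is unsigned or signed by a different publisher. All paths, signer names and events are constructed placeholders.

```python
"""Heuristic triage of image-load events for DLL side-loading.

Added example, not Sophos's or Motex's code. Field names loosely follow
Sysmon Event ID 7 (ImageLoaded); the sample events below are constructed
and the paths and signer names are placeholders.
"""
from dataclasses import dataclass
import ntpath

# Directories where loading a co-located DLL is normal and expected.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass
class ImageLoad:
    image: str          # full path of the process executable
    image_signer: str   # Authenticode signer of the executable ("" if unsigned)
    loaded: str         # full path of the DLL that was mapped
    loaded_signer: str  # Authenticode signer of the DLL ("" if unsigned)


def is_side_load_candidate(ev: ImageLoad) -> bool:
    """True when a signed executable maps a DLL from its own directory,
    outside the Windows system directories, and that DLL is unsigned or
    signed by someone other than the executable's publisher."""
    img_dir = ntpath.dirname(ev.image).lower()
    dll_dir = ntpath.dirname(ev.loaded).lower()
    if img_dir != dll_dir:
        return False            # not co-located: not the side-load pattern
    if img_dir in SYSTEM_DIRS:
        return False            # system DLLs next to system binaries are normal
    if not ev.image_signer:
        return False            # an unsigned host binary is a different finding
    return ev.loaded_signer != ev.image_signer


def triage(events):
    """Return the paths of DLLs whose load matches the side-loading heuristic."""
    return [ev.loaded for ev in events if is_side_load_candidate(ev)]


# Constructed sample events (placeholder paths and signers).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", "Microsoft Windows",
              r"C:\Windows\System32\ntdll.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\VendorApp\app.exe", "Vendor Co",
              r"C:\Program Files\VendorApp\vendor.dll", "Vendor Co"),
    ImageLoad(r"C:\Users\Public\Tools\signed_tool.exe", "Vendor Co",
              r"C:\Users\Public\Tools\version.dll", ""),
    ImageLoad(r"C:\Users\Public\Tools\signed_tool.exe", "Vendor Co",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("possible DLL side-load:", path)
```

Only the third event is flagged: a signed tool in a user-writable directory mapping an unsigned `version.dll` sitting beside it. The heuristic deliberately ignores unsigned host binaries and system-directory loads so that it stays quiet on normal activity; in practice it is a triage filter to feed into signer allow-lists and known-good application baselines, not a standalone verdict.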
Additionally, the attackers are utilizing a suite of tools to facilitate lateral movement within victim networks and exfiltrate sensitive data. These include goddi, an open-source tool for dumping Active Directory information, and the widely used 7-Zip utility for archiving data. Remote Desktop is also leveraged, allowing for direct control over compromised machines through the established backdoor tunnel.
In their efforts to exfiltrate harvested data, the threat actors have been documented accessing legitimate cloud services such as io, LimeWire, and Piping Server through web browser sessions during remote desktop operations. This approach disguises data transfer as normal network traffic, making it harder for security monitoring tools to identify.
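Because the exfiltration described above rides on ordinary browser sessions to consumer file-sharing services, a proxy-log check that sums upload volume per source host and destination service, and raises severity when that host has a live interactive RDP session, is a practical way to surface it. The following is an added example, not Sophos's code: the log format, workstation names and session list are constructed, and the service hostnames in the watchlist are placeholders (they are not the real domains of the services named in the article) to be replaced with a curated list.

```python
"""Flag large browser uploads to file-sharing services, weighted by RDP context.

Added example, not Sophos's code. The log format, hostnames and workstation
names below are constructed; the service watchlist holds placeholder
hostnames to be replaced with a curated list.
"""
import re
from collections import defaultdict

# Placeholder hostnames standing in for consumer file-sharing services.
UPLOAD_SERVICES = {"limewire.example", "piping-server.example", "fileshare.example"}
# Constructed: workstations that currently have an interactive RDP session.
RDP_ACTIVE_HOSTS = {"WS-FIN-07"}
THRESHOLD_BYTES = 5 * 1024 * 1024  # 5 MiB uploaded per (source, service)

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<sent>\d+)$"
)

# Constructed proxy log: timestamp, source host, method, destination host, bytes sent.
SAMPLE_LOG = """\
2025-10-21T10:01:02Z WS-FIN-07 GET  limewire.example 312
2025-10-21T10:01:09Z WS-FIN-07 POST limewire.example 4194304
2025-10-21T10:02:15Z WS-FIN-07 PUT  limewire.example 2097152
2025-10-21T10:03:40Z WS-FIN-07 POST piping-server.example 1048576
2025-10-21T10:04:01Z WS-FIN-07 POST intranet.example 52428800
2025-10-21T10:05:22Z WS-ENG-03 POST limewire.example 10485760
garbage line that should be skipped
"""


def parse(line):
    """Parse one log line into (ts, src, method, host, bytes_sent) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["src"], m["method"], m["host"], int(m["sent"])


def upload_totals(lines):
    """Sum bytes uploaded (POST/PUT) per (source, watchlisted service)."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                     # malformed lines are skipped, not fatal
        _, src, method, host, sent = rec
        if method in ("POST", "PUT") and host in UPLOAD_SERVICES:
            totals[(src, host)] += sent
    return totals


def alerts(lines):
    """Return (source, service, bytes, severity) for totals at or over the
    threshold; severity is raised when the source has a live RDP session."""
    out = []
    for (src, host), total in upload_totals(lines).items():
        if total >= THRESHOLD_BYTES:
            severity = "high" if src in RDP_ACTIVE_HOSTS else "medium"
            out.append((src, host, total, severity))
    return sorted(out)


if __name__ == "__main__":
    for src, host, total, severity in alerts(SAMPLE_LOG.splitlines()):
        print(f"{severity:6} {src} -> {host}: {total} bytes uploaded")
```

On the constructed log, WS-FIN-07's two uploads to the placeholder LimeWire host sum to 6 MiB and are rated high because that workstation has an RDP session; WS-ENG-03's single 10 MiB upload is rated medium; the 1 MiB upload and the large POST to an internal host are ignored. The threshold and the RDP session list are the two inputs to tune: the first against the organization's normal upload sizes, the second from whatever source of truth records interactive logons.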
Past Activities and Recommendations
This is not the first instance of the Tick group leveraging zero-day vulnerabilities. In October 2017, Secureworks, a Sophos-owned entity, reported on the group’s exploitation of a previously unpatched remote code execution vulnerability (CVE-2016-7836) in SKYSEA Client View, another Japanese IT asset management software. This historical pattern highlights the group’s consistent use of sophisticated and often undisclosed vulnerabilities to achieve its espionage objectives.
Regarding the current exploitation of the Motex Lanscope Endpoint Manager flaw, Sophos CTU recommends that organizations promptly upgrade their vulnerable Lanscope servers. Furthermore, security teams should thoroughly review any internet-facing Lanscope servers that have associated client programs or detection agents installed. A critical assessment of the business necessity for such public exposure is advised to mitigate unnecessary risks.
The ongoing activities of the Tick group, particularly their continued exploitation of significant vulnerabilities like CVE-2025-61932, underscore the persistent threat of cyber espionage. As this vulnerability is now publicly known, other threat actors may also attempt to leverage it. Organizations are urged to maintain vigilance, ensure timely patching, and implement robust security monitoring to detect and respond to potential intrusions.