BRONZE BUTLER exploits Japanese asset management software vulnerability

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

In mid-2025, a sophisticated campaign by the Chinese state-sponsored threat group BRONZE BUTLER (also known as Tick) exploited a zero-day vulnerability in Motex LANSCOPE Endpoint Manager. The vulnerability, CVE-2025-61932, allowed remote attackers to execute arbitrary commands with SYSTEM privileges. The threat actors used Gokcpdoor malware and the Havoc C2 framework for command and control. They also employed legitimate tools and services for lateral movement and data exfiltration, including goddi, remote desktop applications, and 7-Zip. Cloud storage services were accessed for potential data exfiltration. Organizations are advised to upgrade vulnerable LANSCOPE servers and review internet-facing servers with LANSCOPE components installed.

OPENCTI LABELS :

havoc,zero-day,cve-2025-61932,oaed loader,gokcpdoor,lanscope


AI COMMENTARY :

1. In mid-2025, security researchers uncovered a sophisticated campaign by the Chinese state-sponsored threat group BRONZE BUTLER, also tracked as Tick, targeting Japanese organizations that used Motex LANSCOPE Endpoint Manager. The attackers identified and weaponized a previously unknown zero-day flaw, CVE-2025-61932, giving them the ability to execute arbitrary commands with SYSTEM privileges on vulnerable servers. This high-impact exploit underscored the critical need for timely patching and vulnerability management in enterprise environments.

2. The zero-day vulnerability resided in the core functionality of LANSCOPE, a widely deployed asset management and monitoring platform in Japan. By sending a crafted request to an internet-facing LANSCOPE server, BRONZE BUTLER achieved remote code execution without any prior authentication. The campaign leveraged this gap to establish an initial foothold and to deploy additional tooling that would support prolonged access and privilege escalation throughout the compromised network.

3. Following the successful exploitation of CVE-2025-61932, the attackers deployed Gokcpdoor malware, a lightweight backdoor tailored for stealthy persistence. To orchestrate their operations at scale, they relied on the Havoc C2 framework, a modular command-and-control platform known for its flexibility and extensive plugin ecosystem. Analysis also suggests that OAED Loader was used to bootstrap additional payloads, demonstrating a multi-pronged approach to avoid detection and ensure reliable communications with external infrastructure.

4. Once inside the targeted environment, BRONZE BUTLER turned to legitimate administrative tools and services to blend in with normal activity. They used goddi, remote desktop applications, and the ubiquitous 7-Zip utility for lateral movement and to pack stolen files for exfiltration. By keeping their toolset rooted in widely trusted software, the adversary reduced the risk of raising alarms with conventional security controls, complicating efforts to identify and disrupt their progress.

5. The campaign also featured staged data exfiltration to cloud storage services, allowing threat actors to offload aggregated information in a manner that evaded traditional perimeter defenses. By capitalizing on popular, legitimate cloud platforms, BRONZE BUTLER minimized anomalous network signatures and leveraged encryption and trusted SSL channels to conceal the transfer of sensitive data collected from compromised hosts.

6. To mitigate the risk posed by this campaign and similar threat activity, organizations running Motex LANSCOPE Endpoint Manager must immediately apply the vendor’s security update that patches CVE-2025-61932. In addition, security teams should conduct a thorough review of all internet-facing servers hosting LANSCOPE components, deploy enhanced monitoring for unusual tool usage, and verify that no legacy or unused remote access solutions remain enabled. Proactive threat hunting for indicators associated with Gokcpdoor, Havoc, and OAED Loader can further strengthen defenses against state-sponsored adversaries seeking to exploit zero-day vulnerabilities.

