Security researchers have attributed exploitation of a critical vulnerability in Motex Lanscope Endpoint Manager to a cyber espionage group known as Tick. JPCERT/CC has confirmed active abuse of the flaw, tracked as CVE-2025-61932 and rated with a CVSS score of 9.3, to install persistent backdoors on on-premises instances.
The campaign used the Lanscope vulnerability to deliver a backdoor identified as Gokcpdoor, which can establish proxy connections and execute commands on compromised hosts, according to analysis by Sophos and other responders. The backdoor has distinct implementations for server and client roles that enable remote access and covert command-and-control channels respectively; more information is available in a report linked to the researchers’ findings.
Researchers observed that a 2025 variant of Gokcpdoor removed support for the KCP protocol and added multiplexing via a third-party library, using the open source smux project for C2 communications. The campaign also relies on DLL side-loading to run a loader named OAED Loader that injects payloads into target processes.
Post-compromise activity included deployment of the Havoc post-exploitation framework on selected systems and use of tools to facilitate lateral movement and data theft. The threat actors used an Active Directory information-dumping tool, Remote Desktop over backdoor tunnels, and archiving utilities; the AD tool observed in the wild matches the open-source project goddi.
The group, tracked under multiple names including Bronze Butler and Stalker Panda and assessed to have operated since at least 2006, has exploited zero-day vulnerabilities in the past. A 2017 campaign that used an unpatched flaw in Japanese IT asset management software was previously described by another security firm in its incident analysis.
Responders advise organisations to upgrade vulnerable Lanscope servers and to review whether Lanscope components need to be internet-exposed.