
Zero-Day Exploitation: How China-Linked Hackers Used Lanscope Vulnerability in Cyber Attacks


China-Linked Cyber-Espionage Group Exploits Motex Lanscope Endpoint Manager Vulnerability

Researchers at Sophos have uncovered a cyber-espionage campaign by the China-linked threat actor tracked as Bronze Butler (also known as Tick). The group exploited a zero-day vulnerability in Motex Lanscope Endpoint Manager to deploy an updated version of its Gokcpdoor backdoor.

The vulnerability, tracked as CVE-2025-61932, affects Motex Lanscope Endpoint Manager versions 9.4.7.2 and earlier. It allows a remote attacker who can send specially crafted packets to an affected system to execute arbitrary code with SYSTEM privileges.

Following the discovery of these attacks, Motex released patches for CVE-2025-61932 on October 20, 2025. The Cybersecurity and Infrastructure Security Agency (CISA) subsequently added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to apply the patches by November 12, 2025.

Neither the vendor nor CISA disclosed details of the exploitation, but Sophos' research indicates that the group had been exploiting CVE-2025-61932 for several months before it was discovered.

Bronze Butler used the vulnerability to deploy Gokcpdoor, a backdoor that gives the attackers a proxy connection into the compromised environment through their command-and-control (C2) infrastructure. The version seen in these attacks multiplexes its C2 communication over a single connection and drops support for the KCP protocol from which the malware takes its name.

New functions implemented in the latest Gokcpdoor (Source: Sophos)

Sophos researchers identified two variants of Gokcpdoor: a server variant that listens for inbound connections on ports 38000 and 38002, and a client variant that connects out to predefined C2 addresses. In both cases the payload was delivered through OAED Loader, which the attackers placed alongside a legitimate executable so that it was picked up by DLL sideloading; the loader then injected Gokcpdoor into a legitimate process to evade detection.
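The two concrete indicators the article gives a defender to work with are the affected version range (9.4.7.2 and earlier) and the server variant's listening ports (38000 and 38002). The script below is an added triage example, not code from Sophos or Motex: it compares a Lanscope version string against the affected range using numeric tuple comparison (a plain string compare would wrongly treat a hypothetical "9.4.10.0" as older than "9.4.7.2"), and it parses `netstat -ano` output to report TCP sockets LISTENING on either Gokcpdoor port together with the owning PID. The netstat sample is constructed for the example and does not come from any real incident. A listener on those ports is a lead to investigate, not proof of compromise, and a clean result does not clear the host: the client variant makes outbound connections only and will never appear as a listener.

```python
import re
from typing import Dict, List, Tuple

# Listening ports of the Gokcpdoor server variant, as reported by Sophos.
GOKCPDOOR_LISTEN_PORTS = {38000, 38002}

# Highest affected Lanscope Endpoint Manager version named in the article.
LAST_AFFECTED_VERSION = "9.4.7.2"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints so it compares numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True if the Lanscope version is 9.4.7.2 or earlier (the range the article gives)."""
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)


# One data line of Windows `netstat -ano` output. UDP lines carry no State column,
# so the state group is optional; the PID is always the last field.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def find_gokcpdoor_listeners(netstat_output: str) -> List[Tuple[int, int]]:
    """Return (port, pid) pairs for TCP sockets LISTENING on a Gokcpdoor server port."""
    hits: List[Tuple[int, int]] = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m or m.group("proto") != "TCP" or m.group("state") != "LISTENING":
            continue
        # rsplit on the last colon handles IPv6 locals such as [::]:38002 as well as 0.0.0.0:38000
        port = int(m.group("local").rsplit(":", 1)[1])
        if port in GOKCPDOOR_LISTEN_PORTS:
            hits.append((port, int(m.group("pid"))))
    return hits


def triage(lanscope_version: str, netstat_output: str) -> Dict[str, object]:
    """Combine both checks into one result for a single host."""
    return {
        "lanscope_affected": is_affected(lanscope_version),
        "gokcpdoor_listeners": find_gokcpdoor_listeners(netstat_output),
    }


# Constructed sample of `netstat -ano` output (not from a real host): one established
# connection on 38000 that must be ignored, two LISTENING sockets that must be flagged.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:38000          0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:38000         10.0.0.9:51522         ESTABLISHED     4120
  TCP    [::]:38002             [::]:0                 LISTENING       4120
  UDP    0.0.0.0:500            *:*                                    1308
"""

if __name__ == "__main__":
    # Version string is a placeholder; feed in the value read from the installed client.
    print(triage("9.4.7.2", SAMPLE_NETSTAT))
```

On a live Windows host, pipe the real output in with `netstat -ano | python triage.py`-style plumbing or read it from a collected triage package; the PID reported for each hit is the handle to pivot on (`tasklist /fi "PID eq 4120"` or the equivalent EDR process view) to see which legitimate process the backdoor was injected into.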

Execution flow (Source: Sophos)

Alongside the backdoor, Bronze Butler used the goddi Active Directory information dumper for reconnaissance, Remote Desktop for lateral movement, and the 7-Zip archiver to package data before exfiltration. The archives were uploaded to file-sharing services such as io, LimeWire, and Piping Server.


Organizations running Lanscope Endpoint Manager should update affected clients to a version that fixes CVE-2025-61932. No workarounds are available, so patching is the only recommended mitigation for this critical vulnerability.
