BRONZE BUTLER exploits Japanese asset management software vulnerability

Oct. 31, 2025, 9:23 a.m.

Description

In mid-2025, a sophisticated campaign by the Chinese state-sponsored threat group BRONZE BUTLER (also known as Tick) exploited a zero-day vulnerability in Motex LANSCOPE Endpoint Manager. The vulnerability, CVE-2025-61932, allowed remote attackers to execute arbitrary commands with SYSTEM privileges. The threat actors used Gokcpdoor malware and the Havoc C2 framework for command and control. They also employed legitimate tools and services for lateral movement and data exfiltration, including goddi, remote desktop applications, and 7-Zip. Cloud storage services were accessed for potential data exfiltration. Organizations are advised to upgrade vulnerable LANSCOPE servers and review internet-facing servers with LANSCOPE components installed.

Date

  • Created: Oct. 31, 2025, 2:16 a.m.
  • Published: Oct. 31, 2025, 2:16 a.m.
  • Modified: Oct. 31, 2025, 9:23 a.m.

Attack Patterns

  • OAED Loader
  • Gokcpdoor
  • Havoc
  • BRONZE BUTLER

Additional Information

  • Japan