Ethical Hacking News
The Tick Group has launched a sophisticated espionage campaign leveraging a critical Lanscope zero-day flaw, compromising corporate systems and stealing sensitive data. This attack highlights the importance of keeping all systems up-to-date, monitoring for potential threats, and adopting a layered approach to security.
The China-linked cyber espionage group "Tick" has been exploiting a critical security flaw in Motex Lanscope Endpoint Manager to hijack corporate systems. The vulnerability, CVE-2025-61932, allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise versions of the program. Tick is suspected to be based in China and has been active since at least 2006, targeting East Asia, particularly Japan. The attack campaign involved the exploitation of CVE-2025-61932 to deliver a known backdoor referred to as Gokcpdoor. The threat actors used various tools, including Havoc post-exploitation framework and goddi, an open-source Active Directory information dumping tool. Tick also accessed cloud services via web browsers during remote desktop sessions to exfiltrate harvested data. Organizations should review internet-facing Lanscope servers and keep all systems and software up-to-date to prevent similar attacks.
In a recent development that has sent shockwaves through the cybersecurity community, a China-linked cyber espionage group known as Tick (also referred to by its various aliases such as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon) has been observed exploiting a critical security flaw in Motex Lanscope Endpoint Manager to hijack corporate systems. The vulnerability, tracked as CVE-2025-61932 (CVSS score: 9.3), allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise versions of the program.
The exploitation of this zero-day flaw has been attributed to Tick, a sophisticated cyber espionage actor that is suspected to be based in China and has been active since at least 2006. The group's extensive targeting of East Asia, particularly Japan, has made it a focus of interest for cybersecurity experts and researchers in the region.
The attack campaign, observed by Sophos, involved exploiting CVE-2025-61932 to deliver a known backdoor, Gokcpdoor, which can establish a proxy connection with a remote server and act as a backdoor for executing commands on the compromised host. The backdoor was found in two distinct variants: a server type that listens for incoming client connections to enable remote access, and a client type that initiates connections to hard-coded C2 servers in order to set up a covert communication channel.
The attack also relies on deploying the Havoc post-exploitation framework on select systems; the infection chains use DLL side-loading to launch a DLL loader named OAED Loader, which injects the payloads. Other tools used to facilitate lateral movement and data exfiltration include goddi, an open-source Active Directory information dumping tool; Remote Desktop, for remote access through a backdoor tunnel; and 7-Zip.
Furthermore, the threat actors were also found to access cloud services such as io, LimeWire, and Piping Server through the web browser during remote desktop sessions in order to exfiltrate the harvested data. This indicates that Tick not only exploits software vulnerabilities but also abuses legitimate platforms to further its objectives.
The exploitation of a critical security flaw like CVE-2025-61932 highlights the importance of keeping all systems and software up-to-date, particularly those with remote access capabilities. Organizations should review internet-facing Lanscope servers that have the Lanscope client program (MR) or detection agent (DA) installed to determine if there is a business need for them to be publicly exposed.
In addition, the fact that this attack campaign leverages a zero-day flaw underscores the importance of staying vigilant and proactive in monitoring for potential threats. As cybersecurity threats continue to evolve and become increasingly sophisticated, it will be crucial for organizations to adopt a layered approach to security, incorporating both traditional defenses as well as cutting-edge technologies and techniques.
In conclusion, the latest attack campaign attributed to Tick serves as a stark reminder of the ongoing threat landscape and the need for cybersecurity awareness and vigilance. By understanding the tactics, techniques, and procedures (TTPs) employed by groups like Tick and staying ahead of the threats, organizations can take proactive steps to protect themselves against potential attacks.
Published: Fri Oct 31 09:51:38 2025 by llama3.2 3B Q4_K_M