BRONZE BUTLER exploited a zero-day in Motex LANSCOPE Endpoint Manager (CVE-2025-61932) to gain SYSTEM-level remote command execution, deploy backdoors (Gokcpdoor and Havoc), and steal confidential information from compromised networks. CTU observed use of OAED Loader, goddi, remote desktop tunnels, and cloud storage services for exfiltration and recommends patching LANSCOPE and reviewing internet-facing instances. #CVE-2025-61932 #Gokcpdoor
Keypoints
- BRONZE BUTLER (also known as Tick) exploited CVE-2025-61932 in Motex LANSCOPE Endpoint Manager to achieve SYSTEM-level command execution and initial access.
- CTU confirmed the campaign used Gokcpdoor as a primary backdoor, with variants acting as server (listening on ports like 38000/38002) and client (connecting to hard-coded C2s).
- Some compromised hosts used the Havoc C2 framework instead of Gokcpdoor; both families were observed alongside OAED Loader to obscure execution flow.
- Attackers abused legitimate tools for lateral movement and exfiltration, including goddi (AD info dumping), remote desktop over backdoor tunnels, and 7-Zip for packaging data.
- Threat actors accessed cloud storage services via browser during remote sessions (io, LimeWire, Piping Server), likely to stage or exfiltrate stolen data.
- CISA added CVE-2025-61932 to its Known Exploited Vulnerabilities Catalog on October 22; JPCERT/CC also published a notice about the LANSCOPE issue.
- CTU recommends upgrading vulnerable LANSCOPE servers and reviewing internet-facing servers with LANSCOPE client (MR) or detection agent (DA) installed for exposure risk.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – BRONZE BUTLER exploited CVE-2025-61932 in Motex LANSCOPE Endpoint Manager to execute arbitrary commands as SYSTEM (“…allows remote attackers to execute arbitrary commands with SYSTEM privileges.”)
- [T1210] Exploitation of Remote Services – Attackers exploited vulnerable devices within compromised networks to escalate privileges and move laterally (“…attackers could exploit vulnerable devices within compromised networks to conduct privilege escalation and lateral movement.”)
- [T1105] Ingress Tool Transfer – OAED Loader injected payloads into legitimate executables according to embedded configuration to deliver additional malware (“…injects a payload into a legitimate executable according to its embedded configuration.”)
- [T1071] Application Layer Protocol – Gokcpdoor discontinued its earlier KCP support and added multiplexed C2 communication using a third-party library; Havoc served as the C2 channel on some other hosts (“…discontinued support for the KCP protocol and added multiplexing communication using a third-party library for its C2 communication.”)
- [T1021] Remote Services – Remote desktop was used over backdoor tunnels for remote access and likely data access/exfiltration (“Remote desktop – A legitimate remote desktop application used through a backdoor tunnel”)
- [T1005] Data from Local System / [T1041] Exfiltration Over C2 Channel – 7-Zip was used to archive data; the backdoor C2 channels (Gokcpdoor/Havoc) and cloud storage services accessed via browser were used to exfiltrate confidential information (“7-Zip – An open-source file archiver used for data exfiltration”; “accessed the following cloud storage services via the web browser during remote desktop sessions, potentially attempting to exfiltrate the victim’s confidential information.”)
- [T1086] PowerShell (or Command Execution) – The zero-day allowed arbitrary command execution as SYSTEM on compromised LANSCOPE hosts (“…allows remote attackers to execute arbitrary commands with SYSTEM privileges.”)
Indicators of Compromise
- [File hash] Gokcpdoor oci.dll samples – MD5 932c91020b74aaa7ffc687e21da0119c, SHA256 3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba
- [File hash] Havoc MaxxAudioMeters64LOC.dll samples – MD5 4946b0de3b705878c514e2eead096e1e, SHA256 9e581d0506d2f6ec39226f052a58bc5a020ebc81ae539fa3a6b7fc0db1b94946
- [File hash] goddi tool (disguised as winupdate.exe) – SHA1 8124940a41d4b7608eada0d2b546b73c010e30b1, SHA256 704e697441c0af67423458a99f30318c57f1a81c4146beb4dd1a88a88a8c97c3
- [IP address] Gokcpdoor / Havoc C2 servers – 38[.]54[.]56[.]57 (Gokcpdoor, TCP 443), 38[.]54[.]88[.]172 (Havoc, TCP 443)
- [IP address] Connected hosts / opened ports – 38[.]54[.]56[.]10, 38[.]60[.]212[.]85, and 108[.]61[.]161[.]118 (observed connecting to ports opened by Gokcpdoor variants)
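The indicators above are published defanged (`38[.]54[.]56[.]57`), so they cannot be grepped for directly. The following script is an added example, not CTU or Sophos tooling: it refangs the IP indicators, loads the file hashes, and sweeps log lines for C2 addresses, known-bad hashes, and new listeners on the ports the report names for Gokcpdoor server mode (38000/38002). The log lines and their field layout (`src=`, `dst=`, `sha256=`, `LISTENING host:port`) are constructed for the example and assumed; adapt the regexes to your own firewall and EDR formats.

```python
"""Sweep log lines for the BRONZE BUTLER / CVE-2025-61932 indicators published above.

Added example (not CTU/Sophos code). Indicators are copied from the IoC list;
the sample log lines and their field layout are constructed for this example.
"""
import re
from typing import Dict, List

# Network indicators as published (defanged); refanged below before matching.
DEFANGED_IPS: Dict[str, str] = {
    "38[.]54[.]56[.]57": "Gokcpdoor C2 server (TCP 443)",
    "38[.]54[.]88[.]172": "Havoc C2 server (TCP 443)",
    "38[.]54[.]56[.]10": "host seen connecting to a Gokcpdoor-opened port",
    "38[.]60[.]212[.]85": "host seen connecting to a Gokcpdoor-opened port",
    "108[.]61[.]161[.]118": "host seen connecting to a Gokcpdoor-opened port",
}

# File hashes as published (MD5, SHA1, SHA256), all lowercase for lookup.
FILE_HASHES: Dict[str, str] = {
    "932c91020b74aaa7ffc687e21da0119c": "Gokcpdoor oci.dll (MD5)",
    "3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba": "Gokcpdoor oci.dll (SHA256)",
    "4946b0de3b705878c514e2eead096e1e": "Havoc MaxxAudioMeters64LOC.dll (MD5)",
    "9e581d0506d2f6ec39226f052a58bc5a020ebc81ae539fa3a6b7fc0db1b94946": "Havoc MaxxAudioMeters64LOC.dll (SHA256)",
    "8124940a41d4b7608eada0d2b546b73c010e30b1": "goddi disguised as winupdate.exe (SHA1)",
    "704e697441c0af67423458a99f30318c57f1a81c4146beb4dd1a88a88a8c97c3": "goddi disguised as winupdate.exe (SHA256)",
}

# Ports the report gives as examples of Gokcpdoor server-mode listeners.
GOKCPDOOR_LISTEN_PORTS = {38000, 38002}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Longest digest first so a SHA256 is not consumed as a shorter hash.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
# Assumed EDR/netstat-style listener field: "LISTENING 0.0.0.0:38000".
LISTEN_RE = re.compile(r"LISTENING\s+\S*:(\d{1,5})\b")


def refang(indicator: str) -> str:
    """Turn a published, defanged address ('38[.]54[.]56[.]57') into a matchable one."""
    return indicator.replace("[.]", ".")


IOC_IPS: Dict[str, str] = {refang(ip): note for ip, note in DEFANGED_IPS.items()}


def sweep(lines: List[str]) -> List[dict]:
    """Return one finding per indicator hit: line index, indicator type, value, note."""
    findings: List[dict] = []
    for idx, line in enumerate(lines):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                findings.append({"line": idx, "type": "ip", "indicator": ip, "note": IOC_IPS[ip]})
        for digest in HASH_RE.findall(line):
            digest = digest.lower()
            if digest in FILE_HASHES:
                findings.append({"line": idx, "type": "hash", "indicator": digest, "note": FILE_HASHES[digest]})
        for port in LISTEN_RE.findall(line):
            if int(port) in GOKCPDOOR_LISTEN_PORTS:
                findings.append({"line": idx, "type": "listener", "indicator": port,
                                 "note": "new listener on a port the report ties to Gokcpdoor server mode"})
    return findings


# Constructed sample telemetry (not real logs): firewall allows, EDR image-load,
# process-create and listener events. Line 3 (index 3) is benign and must not hit.
SAMPLE_LOGS: List[str] = [
    "2025-10-23T02:14:07Z fw01 allow src=10.20.30.44 dst=38.54.56.57 dport=443 proto=tcp",
    r"2025-10-23T02:15:11Z edr host=WS-0142 event=ImageLoad image=C:\Windows\System32\oci.dll "
    "sha256=3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba",
    "2025-10-23T02:16:30Z edr host=WS-0142 event=Listen proc=svchost.exe LISTENING 0.0.0.0:38000",
    "2025-10-23T02:17:02Z fw01 allow src=10.20.30.44 dst=142.250.74.46 dport=443 proto=tcp",
    r"2025-10-23T02:18:45Z edr host=WS-0207 event=ProcessCreate image=C:\Users\Public\winupdate.exe "
    "sha1=8124940a41d4b7608eada0d2b546b73c010e30b1",
    "2025-10-23T02:19:10Z fw01 allow src=38.60.212.85 dst=203.0.113.15 dport=38002 proto=tcp",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} {hit['indicator']} -> {hit['note']}")
```

Hash and address matches are the high-confidence hits; the listener check is a weaker signal (the report gives 38000/38002 as examples, and the client-mode variant opens no port), so treat it as a lead to correlate with the LANSCOPE patch status and the image-load events rather than as a verdict on its own.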