China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems
Briefly

"The vulnerability, tracked as CVE-2025-61932 (CVSS score: 9.3), allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise versions of the program. JPCERT/CC, in an alert issued this month, said that it has confirmed reports of active abuse of the security defect to drop a backdoor on compromised systems. Tick, also known as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda,"
"The sophisticated campaign, observed by Sophos, involved the exploitation of CVE-2025-61932 to deliver a known backdoor referred to as Gokcpdoor that can establish a proxy connection with a remote server and act as a backdoor to execute malicious commands on the compromised host. 'The 2025 variant discontinued support for the KCP protocol and added multiplexing communication using a third-party library [smux] for its C2 [command-and-control] communication,' the Sophos Counter Threat Unit (CTU) said in a Thursday report."
CVE-2025-61932 (CVSS 9.3) enables remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise Motex Lanscope Endpoint Manager. JPCERT/CC confirmed active abuse that drops a backdoor. The activity is attributed to Tick, a suspected Chinese cyber espionage actor with aliases including Bronze Butler and Stalker Panda, active against East Asia and Japan since at least 2006. Sophos observed exploitation delivering the Gokcpdoor backdoor, which can create proxy connections and run commands. Two Gokcpdoor types were identified: a server variant that listens for incoming clients and a client variant that connects out to hard-coded C2 servers. The 2025 variant removed KCP support and added smux multiplexing. The campaign also deployed the Havoc post-exploitation framework and used DLL side-loading to run the OAED Loader, which injects payloads. Other tools observed include goddi.
Read at The Hacker News