440/68 Monday, November 3, 2025

Researchers from Sophos have reported that the China-linked cyber-espionage group Bronze Butler (also known as Tick) exploited a zero-day vulnerability in Motex Lanscope Endpoint Manager to deploy a new version of the Gokcpdoor backdoor, built to steal sensitive corporate information. The flaw, tracked as CVE-2025-61932, stems from improper verification of the origin of requests and allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges on target machines by sending specially crafted packets.
Sophos found that the attacks began in mid-2025, well before Motex released a patch on October 20, 2025. CISA later added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. federal agencies to patch affected systems by November 12, 2025. According to the report, Bronze Butler exploited the flaw to install Gokcpdoor, a backdoor that sets up proxy connections between compromised hosts and attacker-controlled command-and-control (C2) servers. The latest variant drops the KCP transport that gave the malware its name and instead multiplexes C2 communication (several logical streams over one connection), which makes it more flexible for remote control and data theft.
Sophos identified two modes of the malware: a server mode that listens on ports 38000 and 38002 for inbound connections, and a client mode that connects out to predefined C2 servers. The backdoor is delivered by a loader Sophos calls OAED Loader, which is executed through DLL sideloading and injects the payload into legitimate processes to evade detection. The attackers also used goddi to dump data from Active Directory, and relied on Remote Desktop and 7-Zip to stage and exfiltrate the data to cloud storage services such as io, LimeWire, and Piping Server.
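As an added example (not code from Sophos, Motex, or the Sophos report), the following script shows how a responder might hunt for the server-mode listener described above: it parses `netstat -ano` output from a Windows host and flags any process listening on 38000 or 38002. The netstat lines, the PIDs, and the addresses are constructed for illustration; the port numbers are the ones named in the report.

```python
"""Hunt for Gokcpdoor server-mode listeners in 'netstat -ano' output.

Added example, not part of the Sophos report. The sample netstat text
below is constructed; only the port numbers come from the report.
"""
import re
from dataclasses import dataclass

# Ports the Sophos report names as Gokcpdoor server-mode listeners.
GOKCPDOOR_SERVER_PORTS = {38000, 38002}

# Matches one TCP row of 'netstat -ano':
#   TCP    0.0.0.0:38000    0.0.0.0:0    LISTENING    4512
# IPv6 rows look like '[::]:38000'; the greedy \S+ backtracks to the
# last ':' so the port group still captures the number.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class Listener:
    local_addr: str
    port: int
    pid: int


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return every TCP socket in LISTENING state from netstat -ano text."""
    found = []
    for line in netstat_output.splitlines():
        m = TCP_ROW.match(line)
        if not m:
            continue  # headers, blank lines, UDP rows
        addr, port, _remote, state, pid = m.groups()
        if state.upper() == "LISTENING":
            found.append(Listener(addr, int(port), int(pid)))
    return found


def suspicious_listeners(netstat_output: str,
                         ports: set[int] = GOKCPDOOR_SERVER_PORTS) -> list[Listener]:
    """Listeners whose local port matches a Gokcpdoor server-mode port.

    A hit is a lead, not proof: pivot on the PID to the process image and
    its loaded DLLs, since the payload is injected into a legitimate
    process via DLL sideloading.
    """
    return [l for l in parse_listeners(netstat_output) if l.port in ports]


# Constructed sample output (hypothetical host, hypothetical PIDs).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:38000          0.0.0.0:0              LISTENING       4512
  TCP    10.0.0.5:49723         10.0.0.9:38002         ESTABLISHED     4512
  TCP    [::]:38002             [::]:0                 LISTENING       4512
  TCP    10.0.0.5:3389          10.0.0.20:51422        ESTABLISHED     1180
  UDP    0.0.0.0:500            *:*                                    1320
"""

if __name__ == "__main__":
    for hit in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"PID {hit.pid} listening on {hit.local_addr}:{hit.port}")
```

On a real host, feed the script the output of `netstat -ano` and treat each hit as a starting point: confirm the image path behind the PID and which DLLs it has loaded. The client-mode variant connects outbound to its C2 and opens no listener, so this check will not find it; network egress logs are the place to look for that mode.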
Sophos strongly urges organizations using Lanscope Endpoint Manager to update immediately to the latest version that patches CVE-2025-61932, as there are no workarounds or temporary mitigations; applying the official fix is the only remedy. Because exploitation predates the patch, updating alone does not remove an implant that is already installed, so organizations should also check their systems for signs of compromise.
