LANSCOPE Endpoint Manager Zero Day Vulnerability Exploited by Threat Actors to Steal Data
Counter Threat Unit researchers confirmed that attackers gained initial access by exploiting CVE-2025-61932, a critical flaw with a CVSS 3.0 score of 9.8 that allows remote attackers to execute arbitrary code with SYSTEM privileges.
The vulnerability affects LANSCOPE Endpoint Manager (On-Premises) version 9.4.7.1 and earlier, explicitly targeting the client program (MR) and detection agent (DA) components.
JPCERT/CC confirmed that exploitation attempts began in April 2025, with malicious packet reception observed on specific ports across Japanese customer environments. The U.S.
Cybersecurity and Infrastructure Security Agency (CISA) formally added CVE-2025-61932 to its Known Exploited Vulnerabilities Catalog on October 22, 2025, following JPCERT/CC’s notification on the same date.
While the number of vulnerable internet-facing devices remains relatively low, researchers indicate that compromised systems could serve as pivot points for privilege escalation and lateral movement within corporate networks.
CTU researchers identified that BRONZE BUTLER deployed Gokcpdoor, a sophisticated backdoor malware used as a command-and-control infrastructure.
The 2025 variant evolved significantly from previous iterations, discontinuing support for the KCP protocol and implementing multiplexed communication via a third-party library, thereby enhancing stealth capabilities.
Analysis revealed two distinct Gokcpdoor configurations: a server variant that listens for incoming client connections on ports 38000 and 38002, and a client variant that initiates connections to hardcoded C2 servers to establish persistent backdoor access.
On some compromised systems, threat actors deployed the Havoc C2 framework instead of Gokcpdoor, with select samples utilizing OAED Loader malware to obscure execution flows by injecting payloads into legitimate executables.
The campaign demonstrated sophisticated operational security by rotating between multiple command-and-control infrastructure addresses: 38.54.56.57 and 38.54.88.172, both communicating via TCP port 443, while additional command sources operated from 38.54.56.10, 38.60.212.85, and 108.61.161.118.
BRONZE BUTLER leveraged both legitimate tools and cloud storage services to exfiltrate compromised data.
Researchers confirmed that threat actors used goddi (Go dump domain info) for Active Directory enumeration, legitimate remote desktop applications via backdoor tunnels, and 7-Zip for compression and exfiltration.
The actors also accessed cloud storage platforms, including file.io, LimeWire, and Piping Server, via web browsers during remote desktop sessions, demonstrating intent to extract confidential information from victim organizations.
Organizations operating internet-facing LANSCOPE installations should immediately review business justification for public exposure, apply available security updates to all client systems, and monitor for connections to the identified C2 infrastructure.
This campaign exemplifies BRONZE BUTLER’s persistent targeting of Japanese industries, following their exploitation of SKYSEA Client View zero-days in 2016.
| Indicator | Type | Context |
| 932c91020b74aaa7ffc687e21da0119c | MD5 hash | Gokcpdoor variant used by BRONZE BUTLER (oci.dll) |
| be75458b489468e0acdea6ebbb424bc898b3db29 | SHA1 hash | Gokcpdoor variant used by BRONZE BUTLER (oci.dll) |
| 3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba | SHA256 hash | Gokcpdoor variant used by BRONZE BUTLER (oci.dll) |
| 4946b0de3b705878c514e2eead096e1e | MD5 hash | Havoc sample used by BRONZE BUTLER (MaxxAudioMeters64LOC.dll) |
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
The post LANSCOPE Endpoint Manager Zero Day Vulnerability Exploited by Threat Actors to Steal Data appeared first on Cyber Security News.
Zen Media, an AI visibility agency has launched GEO GPT, a new diagnostic tool designed…
Some interesting research was published last week, with more to come this week. Logicalis released…
Enterprise technology environments now are more complex than at any point in the past decade.…
It’s hard to even know where to start with an RPG as deep as Monster…
Today, I’m talking with Chris Cocks, CEO of Hasbro. You know, Hasbro — the toy…
Fortnite has confirmed that The Foundation, its heroic character voiced by Dwayne "The Rock" Johnson,…
This website uses cookies.