sophos.com
October 30, 2025

The threat group targeted a LANSCOPE zero-day vulnerability (CVE-2025-61932)

In mid-2025, Counter Threat Unit™ (CTU) researchers observed a sophisticated BRONZE BUTLER campaign that exploited a zero-day vulnerability in Motex LANSCOPE Endpoint Manager to steal confidential information. The Chinese state-sponsored BRONZE BUTLER threat group (also known as Tick) has been active since 2010 and previously exploited a zero-day vulnerability in Japanese asset management product SKYSEA Client View in 2016. JPCERT/CC published a notice about the LANSCOPE issue on October 22, 2025.

Exploitation of CVE-2025-61932
In the 2025 campaign, CTU™ researchers confirmed that the threat actors gained initial access by exploiting CVE-2025-61932. This vulnerability allows remote attackers to execute arbitrary commands with SYSTEM privileges. CTU analysis indicates that the number of vulnerable internet-facing devices is low. However, attackers could exploit vulnerable devices within compromised networks to conduct privilege escalation and lateral movement. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61932 to the Known Exploited Vulnerabilities Catalog on October 22.

Command and control
CTU researchers confirmed that the threat actors used the Gokcpdoor malware in this campaign. As reported by a third party in 2023, Gokcpdoor can establish a proxy connection with a command and control (C2) server as a backdoor. The 2025 variant discontinued support for the KCP protocol and added multiplexing communication using a third-party library for its C2 communication (see Figure 1).

Comparison of function names in Gokcpdoor samples

Figure 1: Comparison of internal function names in the 2023 (left) and 2025 (right) Gokcpdoor samples

Furthermore, CTU researchers identified two different types of Gokcpdoor with distinct purposes:

The server type listens for incoming client connections, opening the port specified in its configuration. Some of the analyzed samples used 38000 while others used 38002. The C2 functionality enabled remote access.
The client type initiates connections to hard-coded C2 servers, establishing a communication tunnel to function as a backdoor.
On some compromised hosts, BRONZE BUTLER implemented the Havoc C2 framework instead of Gokcpdoor. Some Gokcpdoor and Havoc samples used the OAED Loader malware, which was also linked to BRONZE BUTLER in the 2023 report, to complicate the execution flow. This malware injects a payload into a legitimate executable according to its embedded configuration (see Figure 2).

Visual representation of execution flow that utilizes OAED Loader

Figure 2: Execution flow utilizing OAED Loader

Abuse of legitimate tools and services
CTU researchers also confirmed that the following tools were used for lateral movement and data exfiltration:

goddi (Go dump domain info) – An open-source Active Directory information dumping tool
Remote desktop – A legitimate remote desktop application used through a backdoor tunnel
7-Zip – An open-source file archiver used for data exfiltration
BRONZE BUTLER also accessed the following cloud storage services via the web browser during remote desktop sessions, potentially attempting to exfiltrate the victim’s confidential information:

file.io
LimeWire
Piping Server
Recommendations
CTU researchers recommend that organizations upgrade vulnerable LANSCOPE servers as appropriate in their environments. Organizations should also review internet-facing LANSCOPE servers that have the LANSCOPE client program (MR) or detection agent (DA) installed to determine if there is a business need for them to be publicly exposed.

Detections and indicators
The following Sophos protections detect activity related to this threat:

Torj/BckDr-SBL
Mal/Generic-S
The threat indicators in Table 1 can be used to detect activity related to this threat. Note that IP addresses can be reallocated. The IP addresses may contain malicious content, so consider the risks before opening them in a browser.

Indicator Type Context
932c91020b74aaa7ffc687e21da0119c MD5 hash Gokcpdoor variant used by BRONZE BUTLER
(oci.dll)
be75458b489468e0acdea6ebbb424bc898b3db29 SHA1 hash Gokcpdoor variant used by BRONZE BUTLER
(oci.dll)
3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba SHA256 hash Gokcpdoor variant used by BRONZE BUTLER
(oci.dll)
4946b0de3b705878c514e2eead096e1e MD5 hash Havoc sample used by BRONZE BUTLER
(MaxxAudioMeters64LOC.dll)
1406b4e905c65ba1599eb9c619c196fa5e1c3bf7 SHA1 hash Havoc sample used by BRONZE BUTLER
(MaxxAudioMeters64LOC.dll)
9e581d0506d2f6ec39226f052a58bc5a020ebc81ae539fa3a6b7fc0db1b94946 SHA256 hash Havoc sample used by BRONZE BUTLER
(MaxxAudioMeters64LOC.dll)
8124940a41d4b7608eada0d2b546b73c010e30b1 SHA1 hash goddi tool used by BRONZE BUTLER
(winupdate.exe)
704e697441c0af67423458a99f30318c57f1a81c4146beb4dd1a88a88a8c97c3 SHA256 hash goddi tool used by BRONZE BUTLER
(winupdate.exe)
38[.]54[.]56[.]57 IP address Gokcpdoor C2 server used by BRONZE BUTLER;
uses TCP port 443
38[.]54[.]88[.]172 IP address Havoc C2 server used by BRONZE BUTLER;
uses TCP port 443
38[.]54[.]56[.]10 IP address Connected to ports opened by Gokcpdoor variant
used by BRONZE BUTLER
38[.]60[.]212[.]85 IP address Connected to ports opened by Gokcpdoor variant
used by BRONZE BUTLER
108[.]61[.]161[.]118 IP address Connected to ports opened by Gokcpdoor variant
used by BRONZE BUTLER

news.sophos.com Written by Sophos Counter Threat Unit Research Team
August 26, 2025
This approach represents an evolution from threat actors abusing remote monitoring and management tools

In August 2025, Counter Threat Unit™ (CTU) researchers investigated an intrusion that involved deployment of the legitimate open-source Velociraptor digital forensics and incident response (DFIR) tool. In this incident, the threat actor used the tool to download and execute Visual Studio Code with the likely intention of creating a tunnel to an attacker-controlled command and control (C2) server. Enabling the tunnel option in Visual Studio Code triggered a Taegis™ alert, as this option can allow both remote access and remote code execution and has been abused by multiple threat groups in the past.

The threat actor used the Windows msiexec utility to download an installer (v2.msi) from a Cloudflare Workers domain (files[.]qaubctgg[.]workers[.]dev). This location appears to be a staging folder for attacker tools, including the Cloudflare tunneling tool and the Radmin remote administration tool. This file installed Velociraptor, which is configured to communicate with C2 server velo[.]qaubctgg[.]workers[.]dev. The attacker then used an encoded PowerShell command to download Visual Studio Code (code.exe) from the same staging folder and executed it with the tunnel option enabled. The threat actor installed code.exe as a service and redirected the output to a log file. They then used the msiexec Windows utility again to download additional malware (sc.msi) from the workers[.]dev folder (see Figure 1).

Velociraptor creating Visual Studio Code tunnel

Figure 1: Process tree showing Velociraptor creating Visual Studio Code tunnel.

The Visual Studio Code tunneling activity triggered a Taegis alert that prompted a Sophos investigation. The analysts provided mitigation advice that enabled the customer to quickly implement remediations such as isolating the affected host, which prevented the attacker from achieving their objectives. Analysis suggests that the malicious activity would likely have led to ransomware deployment.

Threat actors often abuse remote monitoring and management (RMM) tools. In some instances, they leverage preexisting tools on the targeted systems. In others, they deploy the tools during the attack. The Velociraptor incident reveals attackers pivoting to using incident response tools to gain a foothold in a network and minimize the amount of malware they deploy.

Organizations should monitor for and investigate unauthorized use of Velociraptor and treat observations of this tradecraft as a precursor to ransomware. Implementing an endpoint detection and response system, monitoring for unexpected tools and suspicious behaviors, and following best practices for securing systems and generating backups can mitigate the ransomware threat. The impact of an attack is greatly reduced if it is caught prior to ransomware deployment.

The following Sophos protections detect activity related to this threat:

Troj/Agent-BLMR
Troj/BatDl-PL
Troj/Mdrop-KDK
To mitigate exposure to this malware, CTU™ researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 1. The domains may contain malicious content, so consider the risks before opening them in a browser.

Indicator Type Context
files[.]qaubctgg[.]workers[.]dev Domain name Hosted tools used in August 2025 Velociraptor campaign
velo[.]qaubctgg[.]workers[.]dev Domain name C2 server used in August 2025 Velociraptor campaign
Table 1: Indicators for this threat.