Full Report
In mid-2025, Secureworks Counter Threat Unit (CTU) researchers uncovered a sophisticated cyber campaign where Chinese state-sponsored threat actors from the BRONZE BUTLER group exploited a critical zero-day vulnerability in Motex LANSCOPE Endpoint Manager to gain unauthorized access to corporate networks and extract sensitive data. The discovery marks another chapter in a long-running pattern of exploitation […] The post Threat Actors Exploit LANSCOPE Endpoint Manager Zero-Day Vulnerability to Steal Confidential Data appeared first on GBHackers Security.
Analysis Summary
# Incident Report: BRONZE BUTLER Zero-Day Exploitation of LANSCOPE Manager
## Executive Summary
In mid-2025, the Chinese state-sponsored threat group BRONZE BUTLER exploited a critical zero-day vulnerability (CVE-2025-61932) in Motex LANSCOPE Endpoint Manager to gain network access and exfiltrate sensitive data. The campaign primarily targeted Japanese organizations. The vulnerability gave the actors remote command execution with SYSTEM-level privileges; from that foothold they compressed collected data with 7-Zip and exfiltrated it through cloud file-transfer services. The public reporting covers the discovery and the actors' tradecraft but gives little detail on how affected organizations contained or eradicated the intrusion.
## Incident Details
- **Discovery Date:** Mid-2025 (Uncovered by Secureworks CTU)
- **Incident Date:** Commencing mid-2025 (Exploitation occurred prior to official disclosure)
- **Affected Organization:** Organizations running Motex LANSCOPE Endpoint Manager (specific victims are not named; the observed targeting concentrated on Japanese entities).
- **Sector:** Corporate networks across sectors; BRONZE BUTLER has historically focused on Japanese government entities.
- **Geography:** Any LANSCOPE deployment is exposed, but the observed targeting was concentrated in Japan, consistent with BRONZE BUTLER's long-standing focus on Japanese infrastructure.
## Timeline of Events
### Initial Access
- **Date/Time:** Mid-2025 (Prior to discovery)
- **Vector:** Exploitation of a critical zero-day vulnerability in Motex LANSCOPE Endpoint Manager (CVE-2025-61932).
- **Details:** The vulnerability allowed remote attackers to execute arbitrary commands with **SYSTEM-level privileges**.
### Lateral Movement
- **Date/Time:** Following initial access.
- **Vector:** SYSTEM-level access obtained through the exploit.
- **Details:** With SYSTEM on the compromised host, the actors moved laterally across the enterprise network. Because an endpoint-management server is trusted by, and reaches, every endpoint it manages, compromise of that host puts the whole managed estate at risk.
### Data Exfiltration/Impact
- **Date/Time:** Post-lateral movement.
- **Vector:** Upload to cloud file-transfer services (Piping Server and LimeWire).
- **Details:** Stolen data was compressed with **7-Zip** and then uploaded through a web browser to those services during the actors' remote sessions.
### Detection & Response
- **Date/Time:** Mid-2025 (discovery by Secureworks CTU); October 22, 2025 (official disclosure by JPCERT/CC).
- **Vector:** Threat intelligence analysis by Secureworks Counter Threat Unit (CTU).
- **Details:** JPCERT/CC officially disclosed the vulnerability on October 22, 2025. CISA added CVE-2025-61932 to its Known Exploited Vulnerabilities (KEV) catalog the same day, which signals confirmed in-the-wild exploitation and sets a remediation deadline for U.S. federal agencies.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2025-61932 (LANSCOPE Endpoint Manager zero-day).
- **Persistence:** Implied by the deployment of backdoors and by **OAED Loader** malware, which injects its payload into legitimate executables so that the implant runs under a trusted file name.
- **Privilege Escalation:** Achieved immediately via the zero-day exploit, granting **SYSTEM-level privileges**.
- **Defense Evasion:** Utilization of OAED Loader to obscure execution flows and inject malware into legitimate processes.
- **Credential Access:** Not detailed in the report. SYSTEM-level access makes credential harvesting on the compromised host trivial, so responders should assume it occurred.
- **Discovery:** Not detailed, but internal reconnaissance was necessary to locate the data that was later collected.
- **Lateral Movement:** Conducted using the established high privileges within the network.
- **Collection:** Stolen data was compressed using **7-Zip**.
- **Exfiltration:** Data transferred via cloud storage services **Piping Server** and **LimeWire**.
- **Impact:** Unauthorized data extraction and establishment of persistent access.
## Impact Assessment
- **Financial:** Not disclosed; costs would include breach response and any regulatory consequences in the victims' jurisdictions (Japanese organizations in most observed cases).
- **Data Breach:** Sensitive data extraction confirmed.
- **Operational:** Significant risk to operations due to potential for complete infrastructure compromise if LANSCOPE was widely deployed.
- **Reputational:** High due to the sophisticated, state-sponsored nature of the attack targeting established corporate infrastructure.
## Indicators of Compromise
- **Network Indicators:** (no specific domains or addresses are published in this summary)
- Uploads to Piping Server or LimeWire domains from internal hosts that have no business reason to reach file-transfer services, in particular from the host running LANSCOPE Endpoint Manager.
- **File Indicators:**
- Presence of custom backdoors related to BRONZE BUTLER tooling.
- Execution artifacts of **OAED Loader** malware.
- Presence of compressed archives created by **7-Zip** staged for transfer.
- **Behavioral Indicators:**
- Remote execution of arbitrary commands via the LANSCOPE application service running with SYSTEM context.
- Use of embedded payloads within legitimate executable files.
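The behavioural indicators above can be turned into simple detection rules. The script below is an added example, not code from the original report or from Secureworks or GBHackers: it runs three rules (LANSCOPE service spawning a command interpreter, 7-Zip invoked in "add" mode to stage an archive, and a large POST/PUT to a file-transfer service) over constructed Sysmon-style and proxy-style JSON records. The service binary name, the log schema and the public hostnames `ppng.io` and `limewire.com` are assumptions to be replaced with what your environment actually shows.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed public hosts of the two transfer services named in the report; add
# any self-hosted Piping Server instance seen in your proxy logs.
EXFIL_DOMAINS = ("ppng.io", "limewire.com")
# Assumed: the LANSCOPE service binary's name contains this substring. Replace
# with the exact image path of the service in your deployment.
LANSCOPE_HINT = "lanscope"
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_BYTES_MIN = 1_000_000  # flag uploads of 1 MB or more; tune per site


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Rules over one Sysmon-style process-creation record (constructed schema)."""
    findings = []
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    # Indicator 1: the LANSCOPE service spawning a command interpreter
    # (typically as SYSTEM) is what remote command execution through the
    # vulnerable service looks like on the host.
    if LANSCOPE_HINT in parent and image in INTERPRETERS:
        findings.append(Finding("lanscope_spawns_interpreter", ev["Computer"],
                                f"{parent} -> {image} as {ev.get('User', '?')}: {cmdline}"))
    # Indicator 2: 7-Zip in 'add' mode writing an archive, i.e. data being
    # staged for transfer. 7-Zip syntax is '7z a <archive> <files>'.
    tokens = cmdline.split()
    if image in ARCHIVERS and len(tokens) > 2 and tokens[1].lower() == "a":
        findings.append(Finding("archive_staging", ev["Computer"], cmdline))
    return findings


def check_proxy(ev: dict) -> list:
    """Rule over one web-proxy record: large upload to a known transfer service."""
    host = (urlparse(ev["url"]).hostname or "").lower()
    to_exfil = any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)
    if to_exfil and ev["method"].upper() in UPLOAD_METHODS and ev["bytes_out"] >= UPLOAD_BYTES_MIN:
        return [Finding("upload_to_transfer_service", ev["src_host"],
                        f"{ev['method']} {ev['url']} ({ev['bytes_out']} bytes out)")]
    return []


def scan(process_jsonl: str, proxy_jsonl: str) -> list:
    """Apply all rules to newline-delimited JSON records; returns Findings in input order."""
    findings = []
    for line in process_jsonl.strip().splitlines():
        findings.extend(check_process(json.loads(line)))
    for line in proxy_jsonl.strip().splitlines():
        findings.extend(check_proxy(json.loads(line)))
    return findings


# Constructed sample telemetry; hostnames, paths and the LANSCOPE service
# binary name are placeholders, not indicators taken from the report.
SAMPLE_PROCESS_EVENTS = r"""
{"Computer":"SRV-MGMT01","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Program Files\\MOTEX\\LanScopeService.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami > C:\\Users\\Public\\w.txt"}
{"Computer":"SRV-MGMT01","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Users\\Public\\7z.exe","CommandLine":"7z.exe a -pSecret C:\\Users\\Public\\fin.7z C:\\Shares\\Finance"}
{"Computer":"WS-0042","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe notes.txt"}
{"Computer":"WS-0042","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files\\7-Zip\\7z.exe","CommandLine":"7z.exe x photos.zip"}
"""
SAMPLE_PROXY_EVENTS = r"""
{"src_host":"SRV-MGMT01","method":"POST","url":"https://ppng.io/fin-7z-a1b2","bytes_out":48000000}
{"src_host":"WS-0042","method":"GET","url":"https://www.example.com/index.html","bytes_out":412}
{"src_host":"SRV-MGMT01","method":"PUT","url":"https://limewire.com/api/upload","bytes_out":12500000}
{"src_host":"WS-0042","method":"POST","url":"https://ppng.io/tiny","bytes_out":2048}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_PROXY_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

On the sample data the script raises four findings: the interpreter spawned by the LANSCOPE service, the 7-Zip archive being staged, and the two large uploads from the management server; the user's `7z.exe x` extraction and the 2 KB POST are ignored. The upload threshold and the interpreter list are the knobs that decide the false-positive rate, and the 7-Zip rule is worth extending to copies of 7-Zip dropped under unusual paths (as in the second sample event) rather than only the installed binary.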
## Response Actions
- **Containment Measures:** (Inferred from the disclosure) Patch LANSCOPE Endpoint Manager to a fixed version, or disable and isolate affected instances until they are patched. Block egress from those hosts to the file-transfer services used for exfiltration.
- **Eradication Steps:** (Inferred) Thorough scanning for backdoors and OAED Loader persistence mechanisms across all systems leveraging the SYSTEM privilege context.
- **Recovery Actions:** (Inferred) Rebuilding or restoring systems confirmed compromised based on established backdoors; comprehensive review of data access logs.
## Lessons Learned
- **Zero-Day Risk:** State-sponsored actors like BRONZE BUTLER maintain long-term focus on exploiting vulnerabilities in common, widely-deployed enterprise management software (historical precedent with SKYSEA Client View).
- **Privilege Impact:** Remote code execution as SYSTEM leaves no privilege boundary left to cross: the attacker already runs at the same level as the endpoint security agents on that host, so preventative controls there cannot be relied on, and detection has to come from network and off-host telemetry.
- **Obfuscation:** The use of loaders (OAED Loader) to inject payloads into legitimate processes demonstrates advanced techniques aimed at evading EDR/AV solutions.
## Recommendations
- **Patch Management:** Treat endpoint-management and other high-privilege administrative software as a priority patch class, and expect products with a history of nation-state targeting (in BRONZE BUTLER's case, Japanese software such as LANSCOPE and SKYSEA Client View) to be hit again.
- **Network Segmentation:** Segment systems running critical management software like LANSCOPE and strictly limit outbound connections from these assets, particularly to consumer cloud storage services.
- **Application Monitoring:** Enhance monitoring for anomalous execution flows within legitimate binaries, specifically targeting behavior correlated with known loaders or command-and-control callback patterns.
- **Vulnerability Management:** Subscribe immediately to advisories from JPCERT/CC and CISA KEV catalog updates for high-priority vendor patching strategy alignment.
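Subscribing to the KEV catalog is only useful if new entries are matched against what you actually run. The script below is an added example, not code from the original report or from CISA: it parses a constructed excerpt in the KEV feed's schema (the real feed URL is given for reference, but the sample is embedded so the script runs offline), matches entries against a constructed asset inventory by vendor and product, and reports how many days remain before each KEV due date. The LANSCOPE entry's CVE, vendor, product and `dateAdded` match the report; its `vulnerabilityName`, `shortDescription` and `dueDate` are illustrative placeholders, and the inventory hosts are invented.

```python
import json
from datetime import date

# Real feed location; not fetched here so the example runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the KEV feed's schema. For CVE-2025-61932 the vendor,
# product and dateAdded match the report; name, description and dueDate are
# illustrative placeholders. The Log4Shell entry is included as an older
# catalog entry so the "added since last check" filter has something to drop.
SAMPLE_KEV = """{
 "title": "CISA Catalog of Known Exploited Vulnerabilities",
 "vulnerabilities": [
  {"cveID": "CVE-2025-61932", "vendorProject": "Motex", "product": "LANSCOPE Endpoint Manager",
   "vulnerabilityName": "LANSCOPE Endpoint Manager remote code execution (illustrative name)",
   "dateAdded": "2025-10-22", "shortDescription": "Illustrative placeholder description.",
   "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
   "dueDate": "2025-11-12", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
   "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
   "dateAdded": "2021-12-10", "shortDescription": "Illustrative placeholder description.",
   "requiredAction": "Apply updates per vendor instructions.",
   "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"}
 ]
}"""

# Constructed software inventory (hypothetical hosts); vendor/product strings are
# deliberately untidy to show why matching must normalise and use substrings.
INVENTORY = [
    {"host": "SRV-MGMT01", "vendor": "MOTEX Inc.", "product": "LANSCOPE Endpoint Manager (on-premises)"},
    {"host": "WS-0042", "vendor": "Microsoft", "product": "Windows 11"},
    {"host": "APP-03", "vendor": "Apache Software Foundation", "product": "Log4j2 library"},
]


def load_entries(feed_text: str) -> list:
    """Return the 'vulnerabilities' array of a KEV feed document."""
    return json.loads(feed_text)["vulnerabilities"]


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def match_inventory(entries: list, inventory: list, today: str, added_since: str = None) -> list:
    """Match KEV entries to inventory assets; dates are ISO strings (YYYY-MM-DD).

    An asset matches when the KEV vendorProject and product both appear, after
    normalisation, inside the asset's vendor and product strings. Results are
    sorted so the most urgent due date comes first.
    """
    today_d = date.fromisoformat(today)
    since_d = date.fromisoformat(added_since) if added_since else None
    hits = []
    for e in entries:
        added = date.fromisoformat(e["dateAdded"])
        if since_d is not None and added < since_d:
            continue  # already triaged in an earlier run
        for asset in inventory:
            if _norm(e["vendorProject"]) in _norm(asset["vendor"]) and _norm(e["product"]) in _norm(asset["product"]):
                due = date.fromisoformat(e["dueDate"])
                hits.append({
                    "host": asset["host"], "cve": e["cveID"], "added": e["dateAdded"],
                    "due": e["dueDate"], "days_left": (due - today_d).days,
                    "ransomware": e.get("knownRansomwareCampaignUse", "Unknown"),
                })
    hits.sort(key=lambda h: h["days_left"])
    return hits


if __name__ == "__main__":
    entries = load_entries(SAMPLE_KEV)
    # Only entries added since the last check, evaluated the day after disclosure.
    for h in match_inventory(entries, INVENTORY, today="2025-10-23", added_since="2025-10-01"):
        print(f"{h['host']}: {h['cve']} added {h['added']}, due {h['due']} "
              f"({h['days_left']} days left), ransomware use: {h['ransomware']}")
```

Run against the real feed, the only change is replacing `SAMPLE_KEV` with the downloaded document and persisting the date of the last run as `added_since`. The substring match is intentionally loose; a vendor name that is a substring of another (or an inventory that lists products by marketing name only) will need an explicit alias table rather than more regex.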