China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems

Severity: Critical
Exploit: remote
Published: Fri Oct 31 2025 (10/31/2025, 13:26:00 UTC)
Source: The Hacker News

Description

The exploitation of a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager has been attributed to a cyber espionage group known as Tick. The vulnerability, tracked as CVE-2025-61932 (CVSS score: 9.3), allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise versions of the program. JPCERT/CC, in an alert issued this month, said that it

AI-Powered Analysis

Last updated: 11/01/2025, 01:11:40 UTC

Technical Analysis

The threat centers on a critical zero-day vulnerability identified as CVE-2025-61932 in Motex Lanscope Endpoint Manager, a widely used endpoint management solution. This vulnerability allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise Lanscope servers, effectively granting full control over affected systems.

The exploitation has been attributed to the Tick group, a sophisticated Chinese cyber espionage actor active since at least 2006, known for targeting East Asian entities but now expanding its reach. The attackers use the vulnerability to deploy a backdoor named Gokcpdoor, which supports multiplexed communication channels via the smux library, replacing older protocols to evade detection. Gokcpdoor operates in two modes: a server type that listens for incoming connections and a client type that initiates connections to hard-coded command-and-control servers, enabling covert remote control.

The attack chain involves DLL side-loading to launch a loader called OAED Loader, which injects malicious payloads. Post-exploitation tools include the Havoc framework for further system control, goddi for Active Directory information gathering, and Remote Desktop for lateral movement through backdoor tunnels. Data exfiltration is facilitated by accessing cloud services such as io, LimeWire, and Piping Server during remote desktop sessions.

This campaign reflects Tick's continued use of zero-day exploits to compromise high-value targets, emphasizing the criticality of this Lanscope vulnerability. The lack of publicly available patches at the time of reporting and the exposure of Lanscope servers to the internet exacerbate the risk.

Potential Impact

For European organizations, the exploitation of this Lanscope zero-day poses severe risks including full system compromise, unauthorized data access, and espionage. Organizations relying on Lanscope Endpoint Manager for IT asset management and endpoint security could see critical infrastructure and sensitive data exposed. The SYSTEM-level code execution enables attackers to bypass most security controls, deploy persistent backdoors, and move laterally within networks, increasing the likelihood of widespread compromise. The use of advanced post-exploitation tools and cloud services for data exfiltration complicates detection and response efforts. Given the espionage nature of Tick, organizations in sectors such as government, defense, technology, and critical infrastructure are particularly at risk. The potential for intellectual property theft, disruption of operations, and reputational damage is significant. Additionally, the exposure of Lanscope servers to the internet increases the attack surface, making European entities with public-facing Lanscope deployments especially vulnerable.

Mitigation Recommendations

European organizations should immediately identify and isolate all Lanscope Endpoint Manager servers, especially those exposed to the internet. Until official patches are available, organizations should implement network segmentation to restrict Lanscope server access to trusted internal networks only, and employ strict firewall rules to block external access to Lanscope management ports and services.

Conduct thorough audits to detect any signs of compromise, including unusual DLL loads, presence of Gokcpdoor backdoors, and anomalous network traffic indicative of smux multiplexing or communication with known C2 servers. Deploy endpoint detection and response (EDR) tools capable of detecting DLL side-loading and post-exploitation frameworks like Havoc. Enhance monitoring of Active Directory queries and Remote Desktop sessions for suspicious activity.

Implement strict credential hygiene and multi-factor authentication to limit lateral movement. Regularly update and patch Lanscope software as soon as vendors release fixes. Finally, conduct threat hunting exercises focused on IoCs related to Tick group activity and educate security teams on this specific threat vector.
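The recommendation above to hunt for "anomalous network traffic indicative of smux multiplexing" can be turned into a concrete triage check. The following is an added example, not code from the article, Motex or JPCERT: it parses a captured TCP payload against the 8-byte frame header used by the smux library (github.com/xtaci/smux, v1 and v2) and reports whether the payload is a clean run of smux frames. It assumes the traffic is observed unencrypted; the sample session bytes are constructed here. Because smux is a generic multiplexing library, a hit is a lead to investigate, not proof of Gokcpdoor.

```python
# Heuristic check for plaintext smux framing in a captured TCP payload (added example,
# not from the article; assumes the github.com/xtaci/smux v1/v2 frame layout and
# unencrypted traffic; smux is generic, so a hit is an investigation lead only).
import struct

HEADER_LEN = 8  # version(1) | cmd(1) | length(2, LE) | stream id(4, LE)
CMD_NAMES = {0: "SYN", 1: "FIN", 2: "PSH", 3: "NOP", 4: "UPD"}  # UPD exists in v2 only

def build_frame(version, cmd, stream_id, payload=b""):
    """Encode one smux frame; used here only to construct sample traffic."""
    return struct.pack("<BBHI", version, cmd, len(payload), stream_id) + payload

def parse_smux_frames(buf):
    """Return [(version, cmd, stream_id, payload), ...] if buf is exactly a run
    of well-formed smux frames, otherwise None."""
    frames, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER_LEN:
            return None                        # dangling partial header
        ver, cmd, length, sid = struct.unpack_from("<BBHI", buf, off)
        name = CMD_NAMES.get(cmd)
        if ver not in (1, 2) or name is None or (name == "UPD" and ver != 2):
            return None
        # smux control frames have fixed shapes: SYN/FIN/NOP carry no data, NOP uses stream 0, UPD is 8 bytes.
        if name in ("SYN", "FIN", "NOP") and length != 0:
            return None
        if (name == "NOP" and sid != 0) or (name == "UPD" and length != 8):
            return None
        off += HEADER_LEN
        if off + length > len(buf):
            return None                        # payload runs past the capture
        frames.append((ver, name, sid, buf[off:off + length]))
        off += length
    return frames

def looks_like_smux(buf, min_frames=2):
    """True when the payload parses cleanly into at least min_frames smux frames."""
    frames = parse_smux_frames(buf)
    return bool(frames) and len(frames) >= min_frames

# Constructed sample: a stream is opened, a command is pushed, a keepalive, then close.
SAMPLE_SESSION = b"".join([
    build_frame(1, 0, 3),                      # SYN, stream 3
    build_frame(1, 2, 3, b"whoami\r\n"),       # PSH, stream 3
    build_frame(1, 3, 0),                      # NOP keepalive
    build_frame(1, 1, 3),                      # FIN, stream 3
])
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"  # constructed benign payload
```

Run it over reassembled TCP payloads from flows leaving the Lanscope server segment; a flow whose payloads consistently parse as smux frames deserves a closer look at the process behind it.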


Technical Details

Article Source: https://thehackernews.com/2025/10/china-linked-tick-group-exploits.html (fetched 2025-11-01T01:10:55Z, 1048 words)

Threat ID: 69055e2471a6fc4aff34f138

Added to database: 11/1/2025, 1:11:00 AM

Last enriched: 11/1/2025, 1:11:40 AM

Last updated: 11/1/2025, 4:00:19 PM

