Tick Motex Lanscope CVE-2025-61932 exploitation campaign

Campaign
Happening score: 54
1 unique source, 1 article

Summary

A Tick (Bronze Butler) campaign exploited CVE-2025-61932 in Motex Lanscope Endpoint Manager to deploy Gokcpdoor and gain remote access to compromised hosts. The operation enabled SYSTEM-level command execution, covert proxying, and follow-on tooling for lateral movement and data exfiltration. JPCERT/CC confirmed active abuse, showing the flaw was already being exploited against on-premise deployments.

Related Happenings

Snow malware suite deployment by UNC6692

Malware Activity
First: 25.04.2026 18:07 Last: 25.04.2026 18:07 Sources 1

About this happening: UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...

UNC6485 Triofox CVE-2025-12480 exploitation campaign

Campaign
First: 10.11.2025 22:49 Last: 10.11.2025 22:49 Sources 1

About this happening: The **UNC6485** campaign is actively exploiting **CVE-2025-12480** in **Gladinet Triofox**, turning a patched flaw into unauthorized access and post-exploitation footholds. The ac...

Motex Lanscope Endpoint Manager actively exploited source verification RCE (CVE-2025-61932)

Vulnerability
First: 23.10.2025 08:37 Last: 23.10.2025 08:37 Sources 1

How related: The vulnerability, tracked as CVE-2025-61932 (CVSS score: 9.3), allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise versions of the program.

About this happening: **CVE-2025-61932** is a critical **Motex Lanscope Endpoint Manager** vulnerability that was **actively exploited** as a **zero-day** by **Tick/BRONZE BUTLER** against **on-premise...

Velociraptor DFIR abuse for ransomware persistence

Malware Activity
First: 09.10.2025 22:31 Last: 09.10.2025 22:31 Sources 1

About this happening: The **Velociraptor** DFIR tool is being abused in **ransomware attacks** tied to **Storm-2603** (aka **CL-CRI-1040**/**Gold Salem**), with **ToolShell** used for initial access to...

Timeline

  1. 31.10.2025 15:26 · 2 articles

    Tick exploits CVE-2025-61932 in Motex Lanscope Endpoint Manager

    Initial Disclosure

    Tick is exploiting CVE-2025-61932 in on-premise Motex Lanscope Endpoint Manager systems to execute arbitrary commands with SYSTEM privileges and drop the Gokcpdoor backdoor. JPCERT/CC confirms active abuse of the flaw, and Sophos ties the activity to a cyber espionage campaign associated with Tick, also known as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon.
