
Tick Motex Lanscope CVE-2025-61932 exploitation campaign

Campaign
H score 38
1 unique source, 1 article

Summary


A Tick (Bronze Butler) campaign exploited CVE-2025-61932 in Motex Lanscope Endpoint Manager to deploy Gokcpdoor and gain remote access to compromised hosts. The operation enabled SYSTEM-level command execution, covert proxying, and follow-on tooling for lateral movement and data exfiltration. JPCERT/CC confirmed active abuse, showing the campaign was already being used against on-premise deployments.

Related Happenings

Flowise Custom MCP RCE (CVE-2026-40933)

Vulnerability
H score 31 First: 01.06.2026 17:00 Last: 01.06.2026 17:00 Sources 1

About this happening: A **critical RCE flaw** in **Flowise** tracked as **CVE-2026-40933** lets an attacker take over **self-hosted deployments** when a logged-in user imports a **malicious workflow fi...

Snow malware suite deployment by UNC6692

Malware Activity
H score 29 First: 25.04.2026 18:07 Last: 25.04.2026 18:07 Sources 1

About this happening: UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...

Marimo CVE-2026-39987 exploitation wave

Exploitation Wave
H score 51 First: 12.04.2026 17:20 Last: 12.04.2026 17:20 Sources 1

About this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...

UNC6485 Triofox CVE-2025-12480 exploitation campaign

Campaign
H score 40 First: 10.11.2025 22:49 Last: 10.11.2025 22:49 Sources 1

About this happening: The **UNC6485** campaign is actively exploiting **CVE-2025-12480** in **Gladinet Triofox**, turning a patched flaw into unauthorized access and post-exploitation footholds. The ac...

Motex Lanscope Endpoint Manager actively exploited source verification RCE (CVE-2025-61932)

Vulnerability
H score 52 First: 23.10.2025 08:37 Last: 23.10.2025 08:37 Sources 1

How related: The vulnerability, tracked as CVE-2025-61932 (CVSS score: 9.3), allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise versions of the program.

About this happening: **CVE-2025-61932** is a critical **Motex Lanscope Endpoint Manager** vulnerability that was **actively exploited** as a **zero-day** by **Tick/BRONZE BUTLER** against **on-premise...

Timeline

  1. 31.10.2025 15:26 2 articles · 7mo ago

    Tick exploits CVE-2025-61932 in Motex Lanscope Endpoint Manager

    Initial Disclosure

    Tick is exploiting CVE-2025-61932 in on-premise Motex Lanscope Endpoint Manager systems to execute arbitrary commands with SYSTEM privileges and drop the Gokcpdoor backdoor. JPCERT/CC confirms active abuse of the flaw, and Sophos ties the activity to a cyber espionage campaign associated with Tick, also known as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon.
