Concise Cyber

China-Linked Tick Group Exploits Lanscope Zero-Day CVE-2025-61932 to Deploy Backdoor

A sophisticated cyber espionage campaign has been attributed to the China-linked threat actor known as Tick. The group is actively exploiting a critical zero-day vulnerability in Motex Lanscope Endpoint Manager to compromise corporate systems. This activity follows the recent disclosure of the security flaw, which affects on-premises versions of the product and allows for complete system takeover.

CVE-2025-61932: A Critical Remote Execution Flaw

The vulnerability at the center of this campaign is tracked as CVE-2025-61932 and has been assigned a critical CVSS score of 9.3. This security defect allows remote attackers to execute arbitrary commands with SYSTEM-level privileges on targeted servers. The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) issued an alert confirming it has received reports of active abuse. The exploit is being used as an initial access vector to breach networks and deploy malicious payloads.

Tick Group’s Campaign and Gokcpdoor Backdoor

The threat actor, Tick, has a long history of operations, with activity dating back to at least 2006. The group is also identified by several other names, including Bronze Butler, REDBALDKNIGHT, and Stalker Panda. Its primary focus has historically been on targets in East Asia, particularly in Japan. In the campaign observed by security firm Sophos, the Tick group exploited CVE-2025-61932 to deliver a known backdoor called Gokcpdoor. This malware is designed to establish a persistent proxy connection with a remote command-and-control server, allowing the attackers to maintain access and control over the compromised system.

