BRONZE BUTLER Exploits Japanese Asset Management Software Vulnerability

    Date: 10/31/2025

    Severity: High

    Summary

In mid-2025, researchers identified a sophisticated BRONZE BUTLER campaign that leveraged a zero-day vulnerability in Motex LANSCOPE Endpoint Manager to exfiltrate sensitive data. The Chinese state-sponsored BRONZE BUTLER group (also known as Tick) has been active since 2010 and previously exploited a zero-day flaw in the Japanese asset management software SKYSEA Client View in 2016. On October 22, 2025, JPCERT/CC issued an advisory regarding the LANSCOPE vulnerability. Investigators confirmed that the threat actors achieved initial access by exploiting CVE-2025-61932, a flaw that allows remote attackers to execute arbitrary commands with SYSTEM privileges. While Sophos Counter Threat Unit (CTU) analysis indicates that few internet-facing devices are affected, attackers who already have a foothold could still exploit vulnerable systems inside a compromised network to escalate privileges and move laterally.

    Indicators of Compromise (IOC) List

    IP addresses:

    38.54.56.57

    38.54.88.172

    38.54.56.10

    38.60.212.85

    108.61.161.118

    MD5 hashes:

    932c91020b74aaa7ffc687e21da0119c

    4946b0de3b705878c514e2eead096e1e

    SHA-1 hashes:

    be75458b489468e0acdea6ebbb424bc898b3db29

    1406b4e905c65ba1599eb9c619c196fa5e1c3bf7

    8124940a41d4b7608eada0d2b546b73c010e30b1

    SHA-256 hashes:

    3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba

    9e581d0506d2f6ec39226f052a58bc5a020ebc81ae539fa3a6b7fc0db1b94946

    704e697441c0af67423458a99f30318c57f1a81c4146beb4dd1a88a88a8c97c3

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (network indicators, source or destination):

    dstipaddress IN ("108.61.161.118","38.60.212.85","38.54.56.10","38.54.56.57","38.54.88.172") or srcipaddress IN ("108.61.161.118","38.60.212.85","38.54.56.10","38.54.56.57","38.54.88.172")

    Detection Query 2 (MD5 hashes):

    md5hash IN ("932c91020b74aaa7ffc687e21da0119c","4946b0de3b705878c514e2eead096e1e")

    Detection Query 3 (SHA-1 hashes):

    sha1hash IN ("1406b4e905c65ba1599eb9c619c196fa5e1c3bf7","be75458b489468e0acdea6ebbb424bc898b3db29","8124940a41d4b7608eada0d2b546b73c010e30b1")

    Detection Query 4 (SHA-256 hashes):

    sha256hash IN ("3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba","9e581d0506d2f6ec39226f052a58bc5a020ebc81ae539fa3a6b7fc0db1b94946","704e697441c0af67423458a99f30318c57f1a81c4146beb4dd1a88a88a8c97c3")
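    The four queries above express one idea: match the advisory's network and file-hash indicators against whatever telemetry is available. As an added example (not part of the Sophos advisory and not Gurucul's own tooling), the Python script below applies the same matching to plain log lines for teams without a TDIR platform. It infers the hash family from digest length (32 hex digits for MD5, 40 for SHA-1, 64 for SHA-256), compares hashes case-insensitively, and matches IP addresses as whole tokens so that a near-miss such as 38.54.56.100 does not trigger on 38.54.56.10. The log lines are constructed samples, not real telemetry; the hostnames, field names and timestamps in them are invented.

```python
"""Match the advisory's IoCs (IP addresses and file hashes) against log lines."""
import re
from typing import Dict, Iterable, List, Optional

# Network indicators taken from the advisory.
IOC_IPS = frozenset({
    "38.54.56.57", "38.54.88.172", "38.54.56.10", "38.60.212.85", "108.61.161.118",
})

# File hashes taken from the advisory, lowercased so matching is case-insensitive.
IOC_HASHES = frozenset(h.lower() for h in (
    "932c91020b74aaa7ffc687e21da0119c",
    "4946b0de3b705878c514e2eead096e1e",
    "be75458b489468e0acdea6ebbb424bc898b3db29",
    "1406b4e905c65ba1599eb9c619c196fa5e1c3bf7",
    "8124940a41d4b7608eada0d2b546b73c010e30b1",
    "3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba",
    "9e581d0506d2f6ec39226f052a58bc5a020ebc81ae539fa3a6b7fc0db1b94946",
    "704e697441c0af67423458a99f30318c57f1a81c4146beb4dd1a88a88a8c97c3",
))

# Hash family inferred from hex-digit length: MD5 = 32, SHA-1 = 40, SHA-256 = 64.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# \b anchors force whole-token matches: 38.54.56.100 must not match 38.54.56.10.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Longest digest first so a SHA-256 is not reported as a 32- or 40-digit prefix.
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")

# Constructed sample log lines (hostnames, timestamps and field names are invented).
# Line 1 is a deliberate near-miss address; lines 1 and 4 should produce no hits.
SAMPLE_LOGS = [
    "2025-10-23T02:11:09Z fw01 action=allow src=10.0.5.21 dst=38.54.56.57 dport=443",
    "2025-10-23T02:11:10Z fw01 action=allow src=10.0.5.21 dst=38.54.56.100 dport=443",
    "2025-10-23T02:12:44Z edr host=WKS-017 event=process_create "
    "md5=932C91020B74AAA7FFC687E21DA0119C proc=update.exe",
    "2025-10-23T02:13:01Z edr host=WKS-017 event=file_write "
    "sha256=704e697441c0af67423458a99f30318c57f1a81c4146beb4dd1a88a88a8c97c3",
    "2025-10-23T02:15:30Z fw01 action=allow src=10.0.5.40 dst=203.0.113.7 dport=443",
]


def classify_hash(token: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' for a hex digest of a known length, else None."""
    if not re.fullmatch(r"[0-9a-fA-F]+", token):
        return None
    return HASH_LENGTHS.get(len(token))


def match_line(line: str) -> List[Dict[str, str]]:
    """Return every IoC hit in one log line, in order of appearance."""
    hits: List[Dict[str, str]] = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append({"type": "ip", "value": ip})
    for token in HEX_RE.findall(line):
        digest = token.lower()
        if digest in IOC_HASHES:
            hits.append({"type": classify_hash(digest) or "hash", "value": digest})
    return hits


def scan_lines(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scan many lines and tag each hit with its 0-based line index."""
    findings: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        for hit in match_line(line):
            findings.append({"line": idx, **hit})
    return findings


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOGS):
        print(f"line {finding['line']}: {finding['type']} {finding['value']}")
```

    A hit on a network indicator only says that traffic to or from that address was seen; hosting providers reuse addresses, so pair it with the hash indicators or with LANSCOPE process activity before escalating. Run against the constructed samples, the script reports three findings (lines 0, 2 and 3) and correctly ignores the near-miss address on line 1.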

    Reference:

    https://news.sophos.com/en-us/2025/10/30/bronze-butler-exploits-japanese-asset-management-software-vulnerability/


    Tags

    LANSCOPE, Exploit, Exfiltration, China, Japan, Threat Actor, Vulnerability, CVE-2025, BRONZE BUTLER, Zero-day
