APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs - Dark Reading
A critical security issue in a popular endpoint manager (CVE-2025-61932) allowed Chinese state-sponsored attackers to backdoor Japanese businesses.

Nate Nelson, Contributing Writer
November 6, 2025

A Chinese advanced persistent threat (APT), "Bronze Butler," breached organizations in Japan using a zero-day vulnerability in a locally popular endpoint management tool.

The software at issue, "Lanscope," is used by tens of thousands of organizations in Japan. According to one of its distributors, it's deployed by one in every four listed companies, and one in every three financial institutions in the country. It also has limited adoption elsewhere in the Asia-Pacific (APAC) region. Lanscope is a unified endpoint management and security platform — a kind of Japanese Ivanti Endpoint Manager (EPM). And that makes it exactly the kind of platform that Chinese threat actors in particular like to exploit the most.

Researchers at Sophos recently discovered that in mid-2025, Bronze Butler (a.k.a. Tick, RedBaldKnight, Stalker Panda, Swirl Typhoon) exploited a critical vulnerability in Lanscope when it was still a zero-day. That would have given it essentially unfettered access to organizations across Japan.

CVE-2025-61932: Critical Bug in an Endpoint Manager

On Oct. 20, Lanscope developer Motex disclosed a vulnerability designated CVE-2025-61932. The company deemed it "emergency"-level severity with a 9.8 out of 10 rating, according to the Common Vulnerability Scoring System (CVSS).

CVE-2025-61932 is a sort of layer cake of missing security checks, each one compounding the next. First off, Lanscope wasn't verifying the origin and legitimacy of incoming requests. That meant that any hacker off the street could connect to any organization's deployment, if they were able to reach it over the Internet to begin with.

But it's not just that Lanscope failed to vet incoming connections — it also lacked the barriers necessary to prevent incoming threat actors from running arbitrary code.

And the coup de grâce: a missing privilege check. By their nature, endpoint security platforms require system-level privileges on the devices they protect, and if attackers specially crafted incoming requests, they could piggyback off that privilege to run their arbitrary code at the infected device's most sensitive level.

It's also worth noting that platforms like Lanscope operate on many, if not all, of an organization's devices. In total, then, a threat actor with zero-day access to CVE-2025-61932 would have been able to do just about anything a hacker could want to their victims.

There is good news, though. Motex has released a fix. Also, Lanscope can be deployed in the cloud or on-premises, and Motex announced that CVE-2025-61932 does not affect the cloud version. Rafe Pilling, director of threat intelligence for Sophos, tells Dark Reading that only around 50 to 160 on-premises Lanscope servers were exposed on the Internet at the time of Sophos's publication (the disparity in those numbers, he says, has to do with "how you count them").

China Attacks & Hacks Japanese Companies

On Oct. 22, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61932 to its Known Exploited Vulnerabilities (KEV) catalog. That same day, the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) indicated that domestic organizations may have fallen victim to CVE-2025-61932 since as early as April 2025.

Sophos filled in some blanks a week later, revealing that the Bronze Butler group was playing with CVE-2025-61932 far in advance of its public disclosure. Though somewhat less discussed than other Chinese state-linked APTs, Bronze Butler has been around since at least 2010, and it's a reasonable candidate for such a campaign. In 2016, it was found to have exploited a different Japanese asset manager, "SKYSEA Client View."

This time, Bronze Butler used Lanscope to deploy its "Gokcpdoor" backdoor and steal undisclosed information from an unknown number of victims. Gokcpdoor is a Go-based program with two main variations: a "server" version, which plants itself on a compromised machine and then waits for an incoming connection from its user; and a "client" version that proactively connects out to the attacker, useful for bypassing security barriers.

In some cases, Bronze Butler used the open source (OSS) Havoc command-and-control (C2) tool instead of Gokcpdoor. And in other cases, it used a loader called "OAED" to inject either Gokcpdoor or Havoc into legitimate executables on the target's system. It also used OSS and cloud applications for lateral movement and data exfiltration, including 7-Zip, remote desktop, and file.io. Oddly enough, it used LimeWire, the peer-to-peer (P2P) file-sharing platform, possibly for exfiltration.

Overall, Chinese threat activity of this kind is pretty much par for the course for Japanese organizations. "Japan faces many of the same cyber threats seen in Western nations, but its landscape is shaped more directly by regional geopolitics and industry profiles," Pilling notes. "State-sponsored actors predominantly from China and North Korea target Japanese government agencies, defense contractors, and technology-driven companies for espionage and intellectual-property theft."

About the Author

Nate Nelson, Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.