SecDevOps.com
APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs

Dark Reading (1 month ago), updated 1 month ago

A critical security issue in a popular endpoint manager (CVE-2025-61932) allowed Chinese state-sponsored attackers to backdoor Japanese businesses.

November 6, 2025

A Chinese advanced persistent threat (APT), "Bronze Butler," breached organizations in Japan using a zero-day vulnerability in a locally popular endpoint management tool.

The software at issue, "Lanscope," is used by tens of thousands of organizations in Japan. According to one of its distributors, it's deployed by one in every four listed companies, and one in every three financial institutions in the country. It also has limited adoption elsewhere in the Asia-Pacific (APAC) region. Lanscope is a unified endpoint management and security platform — a kind of Japanese Ivanti Endpoint Manager (EPM). And that makes it exactly the kind of platform that Chinese threat actors in particular like to exploit the most.

Researchers at Sophos recently discovered that in mid-2025, Bronze Butler (a.k.a. Tick, RedBaldKnight, Stalker Panda, Swirl Typhoon) exploited a critical vulnerability in Lanscope when it was still a zero-day. That would have given it essentially unfettered access to organizations across Japan.

On Oct. 20, Lanscope developer Motex disclosed a vulnerability designated CVE-2025-61932. The company deemed it "emergency"-level severity with a 9.8 out of 10 rating, according to the Common Vulnerability Scoring System (CVSS).

CVE-2025-61932 is a sort of layer cake of missing security checks, each one compounding the next. First off, Lanscope wasn't verifying the origin and legitimacy of incoming requests. That meant that any hacker off the street could connect to any organization's deployment, if they were able to reach it over the Internet to begin with.

But it's not just that Lanscope failed to vet incoming connections — it also lacked the barriers necessary to prevent incoming threat actors from running arbitrary code.

And the coup de grâce: a missing privilege check. By their nature, endpoint security platforms require system-level privileges on the devices they protect, and if attackers specially crafted incoming requests, they could piggyback off that privilege to run their arbitrary code at the infected device's most sensitive level.

It's also worth noting that platforms like Lanscope operate on many, if not all, of an organization's devices. In total, then, a threat actor with zero-day access to CVE-2025-61932 would have been able to do just about anything a hacker could want to their victims.

There is good news, though. Motex has released a fix. Also, Lanscope can be deployed in the cloud or on-premises, and Motex announced that CVE-2025-61932 does not affect the cloud version. Rafe Pilling, director of threat intelligence for Sophos, tells Dark Reading that only around 50 to 160 on-premises Lanscope servers were exposed on the Internet at the time of Sophos's publication (the disparity in those numbers, he says, has to do with "how you count them").

On Oct. 22, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61932 to its Known Exploited Vulnerabilities (KEV) catalog. That same day, the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) indicated that domestic organizations may have fallen victim to CVE-2025-61932 since as early as April 2025.

Sophos filled in some blanks a week later, revealing that the Bronze Butler group was playing with CVE-2025-61932 far in advance of its public disclosure. Though somewhat less discussed than other Chinese state-linked APTs, Bronze Butler has been around since at least 2010, and it's a reasonable candidate for such a campaign. In 2016, it was found to have exploited a different Japanese asset manager, "SKYSEA Client View."

This time, Bronze Butler used Lanscope to deploy its "Gokcpdoor" backdoor and steal undisclosed information from an unknown number of victims. Gokcpdoor is a Go-based program with two main variations: a "server" version, which plants itself on a compromised machine and then waits for an incoming connection from its user; and a "client" version that proactively connects out to the attacker, useful for bypassing security barriers.

In some cases, Bronze Butler used the open source (OSS) Havoc command-and-control (C2) tool instead of Gokcpdoor. And in other cases, it used a loader called "OAED" to inject either Gokcpdoor or Havoc into legitimate executables on the target's system. It also used OSS and cloud applications for lateral movement and data exfiltration, including 7-Zip, remote desktop, and file.io. Oddly enough, it used LimeWire, the peer-to-peer (P2P) filesharing platform, possibly for exfiltration.

Overall, Chinese threat activity of this kind is pretty much par for the course for Japanese organizations. "Japan faces many of the same cyber threats seen in Western nations, but its landscape is shaped more directly by regional geopolitics and industry profiles," Pilling notes. "State-sponsored actors predominantly from China and North Korea target Japanese government agencies, defense contractors, and technology-driven companies for espionage and intellectual-property theft."

Nate Nelson, Contributing Writer. Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."
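The article describes CVE-2025-61932 as three missing checks stacked on top of each other: no verification of where a request comes from, no barrier against running arbitrary code, and no privilege check before the agent uses its system-level rights. The following is an added, hypothetical illustration of what an endpoint-agent request handler looks like when all three checks are present. It is not Lanscope's code and does not reflect Motex's protocol, which the article does not describe; the shared key, action names, role model and JSON message shape are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example. A real agent would use a per-agent
# key provisioned at enrollment (or mutual TLS), never a hard-coded constant.
AGENT_KEY = b"example-shared-secret-do-not-reuse"

# Check 2 lives here: the agent only knows these fixed actions, each with the
# minimum role it requires. There is deliberately no "run this command" action.
ALLOWED_ACTIONS = {
    "inventory": "operator",      # read-only software inventory
    "quarantine": "operator",     # isolate the endpoint from the network
    "install_patch": "admin",     # install a package by vetted identifier
}
ROLE_RANK = {"operator": 1, "admin": 2}


class RequestRejected(Exception):
    """Raised when a request fails any of the three checks."""


def sign(key, body):
    """HMAC-SHA256 tag a legitimate management server attaches to a request."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_request(action, args, role, key=AGENT_KEY):
    """Build a signed request (server side). The role claim sits inside the
    signed body, so a client cannot change it without invalidating the tag."""
    body = json.dumps({"action": action, "args": args, "role": role},
                      sort_keys=True).encode()
    return body, sign(key, body)


def verify_origin(body, tag, key=AGENT_KEY):
    """Check 1: the request must carry a valid tag (constant-time comparison)."""
    if not hmac.compare_digest(sign(key, body), tag):
        raise RequestRejected("unauthenticated request")


def parse_action(body):
    """Check 2: accept only allowlisted actions with structured, validated args."""
    try:
        msg = json.loads(body)
    except ValueError:
        raise RequestRejected("malformed request")
    action = msg.get("action")
    if action not in ALLOWED_ACTIONS:
        raise RequestRejected("unknown action %r" % (action,))
    args = msg.get("args") or {}
    if action == "install_patch":
        # Package identifiers are opaque tokens; anything shell-like is refused.
        pkg = str(args.get("package_id", ""))
        if not pkg.isalnum():
            raise RequestRejected("invalid package id")
    return action, args, msg.get("role", "")


def check_privilege(action, role):
    """Check 3: the caller's role must rank at least as high as the action needs."""
    needed = ALLOWED_ACTIONS[action]
    if ROLE_RANK.get(role, 0) < ROLE_RANK[needed]:
        raise RequestRejected("%s requires role %s" % (action, needed))


def handle_request(body, tag):
    """Run the three checks in order and return a description of the outcome.
    Returning a string keeps the example side-effect free; a real agent would
    dispatch to a fixed handler for the accepted action here."""
    try:
        verify_origin(body, tag)
        action, args, role = parse_action(body)
        check_privilege(action, role)
    except RequestRejected as exc:
        return "rejected: %s" % exc
    return "accepted: %s" % action


if __name__ == "__main__":
    body, tag = build_request("install_patch", {"package_id": "KB123"}, "admin")
    print(handle_request(body, tag))         # accepted: install_patch
    print(handle_request(body, "0" * 64))    # rejected: unauthenticated request
    body, tag = build_request("install_patch", {"package_id": "KB123"}, "operator")
    print(handle_request(body, tag))         # rejected: install_patch requires role admin
    body, tag = build_request("exec", {"cmd": "anything"}, "admin")
    print(handle_request(body, tag))         # rejected: unknown action 'exec'
```

The order matters: origin is verified before the body is even parsed, so an unauthenticated sender never reaches the parser or the privileged code path. Binding the role claim into the signed body is what keeps check 3 meaningful; if the role were taken from an unsigned header, the privilege check would be as absent as the article describes.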

Source: This article was originally published on Dark Reading
