Threat analysis by The RabitaNoor (RBTN) Cyber Research Center

Motex Lanscope Flaw Exploited by Tick Group to Deploy Gokcpdoor

The goal of this document is to provide a technical and strategic analysis of a larger source (a document, audio recording, etc.) in condensed form.

The document is a product of the RBTN - CYOI Pulpit


Main image: Photo by Yeshi Kangrang


Document Summary

The incident involves Tick, a suspected Chinese cyber espionage actor, exploiting a critical vulnerability in Motex Lanscope Endpoint Manager (CVE-2025-61932, CVSS 9.3) to deploy a backdoor called Gokcpdoor. The flaw affects the on-premises server: it stems from improper verification of the origin of a communication channel, so an unauthenticated remote attacker can execute arbitrary code by sending specially crafted packets. It was disclosed shortly before the attacks and was leveraged quickly to gain a foothold in target networks; CISA has since added it to its Known Exploited Vulnerabilities catalog. Sophos reported that the campaign was limited to sectors aligned with the adversary's intelligence objectives. The incident highlights how quickly newly disclosed vulnerabilities in management software are weaponized, and the need to patch such servers promptly. Because an endpoint-management server is a high-value target with reach into every managed host, it also argues for zero-trust segmentation of management infrastructure: perimeter controls such as firewalls and VPNs do not stop exploitation of a server that is itself reachable by the attacker.

Analysis

Overview

Timestamp: 2025-11-03

Title: Motex Lanscope Flaw Exploited by Tick Group to Deploy Gokcpdoor

Severity: Critical

The incident involves the Tick group, a suspected Chinese cyber espionage actor, exploiting a critical vulnerability in Motex Lanscope Endpoint Manager (CVE-2025-61932) to deploy the Gokcpdoor backdoor. The adversary's demonstrated capability is rapid weaponization of a newly disclosed vulnerability followed by deployment of custom malware for espionage. Infrastructure details are limited, but the attack targeted sectors aligned with the adversary's intelligence objectives.

Adversary

Adversary: The Tick group (also tracked as Bronze Butler) is a suspected Chinese cyber espionage actor that targets sectors aligned with its intelligence objectives, historically with a focus on Japan.

Motivation: Espionage

Sophistication: High

TTPs: Exploitation of a public-facing application (MITRE ATT&CK T1190) against the Motex Lanscope Endpoint Manager on-premises server via CVE-2025-61932, followed by deployment of the Gokcpdoor backdoor for persistent, remotely controlled access.

Capability

Capability: The adversary exploited a critical, recently disclosed vulnerability (CVE-2025-61932, CVSS 9.3) in Motex Lanscope Endpoint Manager to obtain code execution on the server and deploy the Gokcpdoor backdoor.

Tools: Gokcpdoor, a Go-based backdoor whose name reflects its use of the KCP transport protocol for command-and-control.

Infrastructure

Description: The source does not detail the adversary's infrastructure. A backdoor such as Gokcpdoor requires reachable command-and-control servers, so C2 infrastructure exists, but no addresses, domains or hosting details are given here.

Victim Profile

Targets: The campaign targeted sectors aligned with the adversary's intelligence objectives.

Industry: Unknown

Assets: Motex Lanscope Endpoint Manager on-premises servers, the endpoints they manage, and the surrounding networks

Data at Risk: Intelligence data

Impact: High

References