Security researchers uncovered targeted attacks that exploited a Lanscope flaw as a zero-day, allowing China-linked hackers to breach networks and deploy custom backdoors. The campaign focused on organisations running Motex Lanscope Endpoint Manager and highlights the ongoing risk posed by unpatched enterprise software. The vulnerability provided administrative control without authentication, creating a direct path to system takeover.
Vulnerability Overview
The Lanscope flaw affects older versions of the Lanscope Endpoint Manager platform. It allows remote code execution through crafted requests that bypass authentication entirely. Once triggered, the attacker receives full SYSTEM-level privileges. That access grants control over the device, lateral movement opportunities and visibility into internal systems.
The vendor released a patch shortly after exploitation came to light. Security teams later confirmed that attacks began days before the fix became available. That timing underscores how quickly threat actors move when they discover a high-value vulnerability.
Who Is Behind the Attacks
Analysis linked the campaign to a known Chinese state-aligned group often called Tick, also known as Bronze Butler. This group historically targets East Asian and global enterprise networks. Their operations typically focus on intelligence gathering, long-term persistence and stealth.
In this case, they used the Lanscope flaw to deploy Gokcpdoor, a custom backdoor. The malware established covert communication channels and allowed remote control. Recent variants include updated multiplexing features and a shift away from earlier communication protocols. Attackers also used sideloading techniques combined with legitimate executables to avoid detection.
How Attackers Operated
The intrusion chain followed a familiar pattern: exploit the Lanscope flaw, drop a loader, deploy the backdoor and begin command-and-control activity. Once inside, the attackers could create hidden access, monitor network activity and exfiltrate sensitive information.
Because the backdoor blends in with legitimate processes, many environments may not notice it without targeted hunting. Security teams have seen persistent command channels, disguised scheduled tasks and traffic on high-risk ports used for covert communication.
Mitigation Steps
Organisations running Lanscope should act quickly. Recommended actions include:
- Install the latest vendor patch immediately
- Audit all Lanscope instances across the network
- Check for unknown scheduled tasks or new administrator accounts
- Scan for suspicious binaries and sideloaded modules
- Review logs for unusual outbound traffic patterns
- Restrict external access to management interfaces
- Segment device-management tools from public-facing networks
Rebooting after patching helps remove dormant malware that hides in memory, but only works if attackers cannot re-enter through the same flaw.
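The log-review step above (hunting for persistent command channels and traffic on high-risk ports) can be scripted. The following is an added example, not code from the original article or from the Lanscope vendor; it assumes a constructed space-separated connection-log format, and the port watch list and thresholds are assumptions to tune per environment.

```python
"""Hunt for persistent outbound command channels in connection logs.
Added example, not code from the original article or the Lanscope vendor. Log line
format is constructed: <epoch_seconds> <src_host> <dst_ip> <dst_port>; thresholds and
the high-risk port set are assumptions, not values from the article."""
from collections import defaultdict
from statistics import mean, pstdev

HIGH_RISK_PORTS = {4444, 8443, 9090}  # assumed watch list, tune per environment
MIN_CONNECTIONS = 4                   # fewer events cannot show a beacon pattern
MAX_JITTER_RATIO = 0.2                # stdev/mean of gaps below this looks timer-driven

def parse_line(line):
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)

def find_beacons(lines, min_conn=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Return (src, dst, port, count, mean_gap) for channels repeating at regular intervals."""
    sessions = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_line(line)
        sessions[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in sessions.items():
        if len(stamps) < min_conn:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Human browsing has irregular gaps; a beacon's gaps cluster tightly around its timer.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, port, len(stamps), avg))
    return hits

def flag_high_risk_ports(lines, risky=HIGH_RISK_PORTS):
    """Return the set of (src, dst, port) triples that used a port on the watch list."""
    return {(s, d, p) for _, s, d, p in map(parse_line, lines) if p in risky}

# Constructed sample: ws-17 beacons to 203.0.113.5:8443 about every 300 s; ws-22 browses normally.
SAMPLE_LOG = [
    "1700000000 ws-17 203.0.113.5 8443",
    "1700000300 ws-17 203.0.113.5 8443",
    "1700000601 ws-17 203.0.113.5 8443",
    "1700000899 ws-17 203.0.113.5 8443",
    "1700001200 ws-17 203.0.113.5 8443",
    "1700000012 ws-22 198.51.100.9 443",
    "1700000187 ws-22 198.51.100.9 443",
    "1700000901 ws-22 198.51.100.9 443",
    "1700002305 ws-22 198.51.100.9 443",
]
```

Run `find_beacons` and `flag_high_risk_ports` over exported firewall or proxy connection records in the same four-field shape; hits are leads for targeted hunting, not verdicts.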
Conclusion
The Lanscope flaw shows how quickly advanced groups act when they find a valuable opening. With credential-free access and direct system control, the vulnerability created a serious threat for organisations using older versions of the platform. Patching, log review and network hardening remain essential to shutting down these intrusions and preventing long-term compromise. Remaining proactive ensures attackers cannot maintain persistence or quietly expand their footprint.