Zero-Day Nightmare: How China’s TICK APT Weaponized Lanscope for Total Endpoint Takeover

By Imthiyaz Ali
In the most explosive zero-day campaign of 2025, China’s elite TICK unit—also known as Bronze Butler—turned Japan’s favorite endpoint manager into a skeleton-key for 200+ enterprises. For 53 straight days they owned every Windows host that dared run Lanscope Cat. Yesterday the world finally learned how.

Who is TICK? The Silent Scalpel of Beijing

TICK is China’s premier corporate espionage squad. Born in the early 2010s, they specialize in long-haul, low-noise intrusions against Japanese high-tech, Taiwanese chip foundries, and Korean auto giants. Unlike noisy ransomware gangs, TICK never drops a ransom note—they quietly vacuum source code, customer databases, and defense blueprints, then vanish.

With state-level tooling and zero-day budgets measured in millions, TICK just proved they can weaponize *your own security software* against you.

September 11 → November 2: 53 Days of Total Silence

  • 11 Sep 2025 – First phishing lure lands at a Tokyo semiconductor supplier. A single .lnk file disguised as “Invoice_0911.lnk”.
  • 12 Sep – 30 Oct – CatRunner backdoor spreads to 200+ orgs via legitimate Lanscope update channels. Zero alerts.
  • 2 Nov 13:47 UTC – The hotfix drops. The world wakes up.
  • 2 Nov 14:20 UTC – Japan’s JPCERT issues a screaming-red emergency bulletin.
  • 3 Nov 02:10 UTC – U.S. CISA adds the flaw to the must-patch-in-72-hours list.

While you were sleeping, 41 000 open port-4455 endpoints were one DNS query away from Beijing.

The Kill Chain—Explained Like a Horror Movie

  1. Scene 1: The Phish
    Victim double-clicks → hidden PowerShell fetches stage-1 from kobe-tick[.]com.
  2. Scene 2: The Mask
    Stage-1 drops CatRunner.dll signed by a stolen JustSystems certificate. EDR yawns.
  3. Scene 3: The Zero-Day
    CatRunner sends one malformed packet to TCP/4455 → stack overflow → SYSTEM shell. No password needed.
  4. Scene 4: The Vanish
    All C2 rides inside DNS TXT records to ns1.kobe-tick[.]com. Your firewall cheers “normal traffic!”

Stolen Crown Jewels

  • Next-gen EV battery blueprints (Korea)
  • 12-nm EUV lithography schedules (Taiwan)
  • Japanese Ministry of Defense supplier lists
  • Full Active Directory hashes for 38 conglomerates

Live Exposure Map (Right Now)

  • 68 % Japan
  • 14 % Taiwan
  • 9 % South Korea
  • 5 % U.S. MSPs with Japanese clients
  • 4 % Singapore & Germany

Run nc -z YOUR-IP 4455. If it connects, you’re on the menu.

Your 5-Minute Lockdown Playbook

  1. Kill the agent
    sc stop "Lanscope Agent" && sc config "Lanscope Agent" start= disabled
  2. Block the C2
    DNS RPZ: *.kobe-tick.com → NXDOMAIN
    Firewall: drop ip any any ↔ 103.149.122.0/24
  3. Patch at warp speed
    msiexec /i LanscopeAgent-16.3.2.1-hotfix.msi /qn /norestart
  4. Hunt CatRunner
    Get-ChildItem -Path $env:ProgramData\JustSystems -Include CatRunner.dll -Recurse
  5. Reset every local admin password created before 11 Sep
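As an added example (my code, not the post's and not anything shipped by the Lanscope vendor), the following Python script turns the five playbook steps into a per-host work list so the fleet can be worked most-urgent-first. The inventory, the host names and the CSV layout are constructed; the assumption that any agent reporting a version below 16.3.2.1 (the version in the hotfix MSI name above) still needs the hotfix is mine.

```python
"""Patch-and-hunt triage for a fleet of Lanscope Cat hosts.

Reads a constructed inventory (hostname, agent version, TCP/4455 reachable,
CatRunner.dll found) and maps the post's five playbook steps onto each host,
returning an ordered work list with the most urgent host first.
"""
import csv
import io
from dataclasses import dataclass, field

# Version carried by the hotfix MSI named in the post. Assumption: any agent
# reporting a lower version still needs the hotfix.
HOTFIX_VERSION = "16.3.2.1"

# Constructed inventory, not real hosts. The yes/no columns stand for the
# results of the nc -z check and the Get-ChildItem hunt from the post.
SAMPLE_INVENTORY = """\
hostname,agent_version,port_4455_open,catrunner_found
jp-fab-ws01,16.3.1.0,yes,yes
jp-fab-ws02,16.3.1.0,yes,no
tw-eng-lt07,16.2.9.4,no,no
kr-hq-srv03,16.3.2.1,yes,no
sg-fin-ws11,16.3.2.1,no,no
"""


def parse_version(text: str) -> tuple[int, ...]:
    """'16.3.2.1' -> (16, 3, 2, 1); tuple comparison also handles shorter strings."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_hotfix(agent_version: str) -> bool:
    return parse_version(agent_version) < parse_version(HOTFIX_VERSION)


@dataclass
class HostAction:
    hostname: str
    priority: int  # 1 = CatRunner found, 2 = exposed and unpatched, 3 = unpatched, 4 = patched
    actions: list[str] = field(default_factory=list)


def triage_host(row: dict[str, str]) -> HostAction:
    """Map one inventory row to the playbook steps that apply to it."""
    unpatched = needs_hotfix(row["agent_version"])
    exposed = row["port_4455_open"].strip().lower() == "yes"
    compromised = row["catrunner_found"].strip().lower() == "yes"
    actions: list[str] = []

    if compromised:
        # Step 4 hit: treat the host as breached, not merely vulnerable.
        actions += ["isolate host from the network", "preserve CatRunner.dll for IR"]
        actions += ["confirm *.kobe-tick.com RPZ and 103.149.122.0/24 drop are live"]  # step 2
        actions += ["reset local admin passwords created before 11 Sep"]               # step 5
    if unpatched:
        actions += ['sc stop "Lanscope Agent" and set start= disabled']                 # step 1
        actions += [f"install hotfix {HOTFIX_VERSION}"]                                 # step 3
    elif exposed:
        actions += ["TCP/4455 reachable: confirm it is limited to the management network"]

    if compromised:
        priority = 1
    elif unpatched and exposed:
        priority = 2
    elif unpatched:
        priority = 3
    else:
        priority = 4
    return HostAction(row["hostname"], priority, actions)


def triage_inventory(csv_text: str) -> list[HostAction]:
    """Triage every row and return the list ordered by urgency, then hostname."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted((triage_host(r) for r in rows), key=lambda h: (h.priority, h.hostname))


if __name__ == "__main__":
    for h in triage_inventory(SAMPLE_INVENTORY):
        print(f"P{h.priority} {h.hostname}: {'; '.join(h.actions) or 'no action'}")
```

Feed it the real inventory export in the same four columns and the output is the order in which to run the commands above; a host with CatRunner.dll present always sorts to the top regardless of its agent version.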

Why This Breach Rewrites the Rules

Your endpoint agent just became the attacker’s Trojan horse. Signed binaries, trusted ports, and encrypted DNS were all *features* they abused. Zero-day + legitimate software = the perfect ghost.

Every CISO on Earth now has a new nightmare checklist:

  • Can my security tools phone home on weird ports?
  • Do I validate every certificate thumbprint?
  • Am I logging DNS TXT records?

Protect Yourself Tonight

  • Push the hotfix to 100 % of Windows hosts before Asia wakes up.
  • Enable DNS logging + alert on queries longer than 100 chars.
  • Run this one-liner empire-wide:
    Get-Service "Lanscope*" | Where Status -eq Running | Stop-Service -Force
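The checklist above asks whether you log DNS TXT records, and the rule above says to alert on queries longer than 100 characters; Scene 4 of the kill chain explains why (C2 inside TXT lookups to ns1.kobe-tick[.]com). As an added example (my code, not the post's), the Python below runs both checks, plus an allowlist check for TXT lookups, over a few constructed resolver log lines. The log layout, the client addresses, the example.* names and the TXT allowlist are assumptions; the C2 domain and the 100-character threshold come from the post.

```python
"""Hunt rules for the DNS-TXT command channel described in the post.

Two checks taken from the post (any lookup under the C2 domain, any query
name longer than 100 characters) plus one for TXT lookups that are not on a
small allowlist of routine TXT record names.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Indicator as printed in the post, in defanged form; refanged here for matching.
C2_DOMAIN = "kobe-tick[.]com".replace("[.]", ".")
MAX_QNAME_LEN = 100  # the post's "queries longer than 100 chars" threshold

# Assumption: these TXT lookups are routine mail/ACME traffic in most estates.
TXT_ALLOWLIST_PREFIXES = ("_dmarc.", "_dkim.", "_acme-challenge.", "default._domainkey.")

# Assumed log layout (constructed, not a real resolver format):
# "<timestamp> <client_ip> <qtype> <qname>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")

LONG_LABEL = "0123456789abcdef" * 7  # 112 chars, stands in for an encoded payload
# Constructed sample queries; client addresses and example.* names are made up.
SAMPLE_LOG = f"""\
2025-11-02T13:50:01Z 10.0.5.17 A www.example.com
2025-11-02T13:50:02Z 10.0.5.17 TXT sess01.ns1.{C2_DOMAIN}
2025-11-02T13:50:03Z 10.0.5.23 TXT _dmarc.example.com
2025-11-02T13:50:04Z 10.0.5.17 A {LONG_LABEL}.cdn.example.net
2025-11-02T13:50:05Z 10.0.5.41 TXT status.example.org
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class Alert:
    client: str
    qtype: str
    qname: str
    rule: str


def _under_domain(qname: str, domain: str) -> bool:
    """True for the domain itself and any subdomain, ignoring case and a trailing dot."""
    q = qname.rstrip(".").lower()
    return q == domain or q.endswith("." + domain)


def check_query(qtype: str, qname: str) -> list[str]:
    """Return the name of every rule a single query trips (empty list = clean)."""
    hits: list[str] = []
    if _under_domain(qname, C2_DOMAIN):
        hits.append("c2-domain")
    if len(qname.rstrip(".")) > MAX_QNAME_LEN:
        hits.append("long-qname")
    if qtype == "TXT" and not qname.lower().startswith(TXT_ALLOWLIST_PREFIXES):
        hits.append("txt-unallowlisted")
    return hits


def scan_dns_log(text: str) -> list[Alert]:
    """Parse the log text and return one Alert per (query, rule) hit, in log order."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed or blank line: skip it rather than abort the hunt
        _ts, client, qtype, qname = m.groups()
        alerts.extend(Alert(client, qtype, qname, rule) for rule in check_query(qtype, qname))
    return alerts


def rule_counts(alerts: list[Alert]) -> Counter:
    """How often each rule fired; a quick view of what the resolver is seeing."""
    return Counter(a.rule for a in alerts)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a.rule}] {a.client} {a.qtype} {a.qname}")
    print(dict(rule_counts(found)))
```

The C2-domain match is suffix-based on whole labels, so `notkobe-tick.com` does not fire while `sess01.ns1.kobe-tick.com` does; tune the TXT allowlist to your own estate before pointing this at production logs, otherwise every DMARC lookup becomes noise.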

The clock is ticking. Beijing never sleeps, and neither should your patch server.

Final Warning

If your SOC dashboard is quiet right now, it’s not because you’re secure—it’s because TICK already turned off the lights.

Patch. Hunt. Survive.

Imthiyaz Ali
Imthiyaz Ali is an experienced cybersecurity professional with over 5 years of experience in cybersecurity research.