Chinese APT BRONZE BUTLER Actively Exploiting LANSCOPE Zero-Day for SYSTEM-Level Access.

Author: CyberDudeBivash

By CyberDudeBivash · 01 Nov 2025 · cyberdudebivash.com · Intel on cyberbivash.blogspot.com

APT THREAT • ZERO-DAY • LANSCOPE • EDR BYPASS

Situation: This is a CISO-level zero-day warning. The Chinese state-sponsored APT (Advanced Persistent Threat) group BRONZE BUTLER (aka Tick, RedDevils) is actively exploiting an unpatched zero-day vulnerability in LANSCOPE IT asset management tools. This is a “trusted agent” attack, allowing the APT to gain `NT AUTHORITY\SYSTEM` privileges by *using your own security software against you*.

This is a decision-grade brief for CISOs, IT Directors, and SecOps leaders. This is the definition of a “nightmare scenario.” Your Endpoint Detection and Response (EDR) is likely *whitelisting* the LANSCOPE agent, making this attack completely invisible. The attacker is using your trusted IT management tool as a fileless malware loader and a C2 proxy for corporate espionage.

TL;DR — A Chinese APT is using a zero-day in LANSCOPE (your IT tool) to become `SYSTEM` (God mode).

  • The Attacker: BRONZE BUTLER (Chinese APT), a sophisticated cyber-espionage group.
  • The Target: LANSCOPE IT Asset Management software, which runs as `SYSTEM`.
  • The Flaw: An unpatched zero-day (no CVE yet) that allows Local Privilege Escalation (LPE).
  • The Impact: An attacker with *any* low-level foothold (e.g., web shell) can use this exploit to take full control of the server.
  • The TTP (The Nightmare): The attacker uses the *trusted, signed LANSCOPE agent* to run their commands. Your EDR is blind because it’s configured to trust LANSCOPE.
  • THE ACTION: You *cannot* patch. This is a THREAT HUNTING & INCIDENT RESPONSE emergency. You must *hunt* for the TTPs and *contain* the threat now.

Phase 1: The Attacker & The Target (Why This is a Perfect Storm)

This attack is so effective because it pairs a sophisticated attacker with a perfect target.

The Attacker: BRONZE BUTLER (aka Tick, RedDevils)

This is not a script-kiddie ransomware group. BRONZE BUTLER is a top-tier Chinese-nexus APT. Their motives are political and economic espionage. They hunt for intellectual property, strategic plans, and government secrets. They are patient, well-funded, and build custom malware for their targets. They *specialize* in bypassing EDR and “Living off the Land” (LotL).

The Target: LANSCOPE (The “Trusted Agent”)

LANSCOPE is an IT asset management and security suite, similar to tools like Tanium or Ivanti. By design, its agent is installed on *every* endpoint and server. And by design, it runs with the *highest possible privileges* (`NT AUTHORITY\SYSTEM`).

This makes it the perfect target for an attacker. Why fight the EDR when you can *become* the EDR? By exploiting a zero-day in the LANSCOPE agent, the attacker doesn’t just bypass security; they *hijack* it. This is a form of internal supply chain attack.

Phase 2: The Kill Chain (From Foothold to SYSTEM-Level Espionage)

This zero-day is not an “initial access” tool. It’s a Local Privilege Escalation (LPE) exploit. This means the attacker is *already* on one of your machines with a low-privilege account. Here is the kill chain our CyberDudeBivash team has analyzed.

Stage 1: Initial Access (The Foothold)

The attacker gets onto one of your servers as a low-privilege user. This could be from:

  • A vulnerable web application (e.g., a known bug in a WordPress plugin or Joomla component) giving them a `www-data` shell.
  • A successful spear-phishing attack on an employee.
  • An exposed service with weak, guessable credentials.

At this point, they are “jailed.” They can’t do much. But they can *see* that LANSCOPE is installed.

Stage 2: Privilege Escalation (The Zero-Day)

The attacker uploads their LANSCOPE zero-day exploit. They run it. The exploit targets the LANSCOPE agent process (which is running as `SYSTEM`) and leverages the unpatched flaw (likely a buffer overflow or UAF) to execute their own code *within the context of that trusted agent*. The exploit spawns a new shell. This shell has one difference: its user is `NT AUTHORITY\SYSTEM`.

Stage 3: Defense Evasion & C2

This is the most critical stage. The attacker is now `SYSTEM`. They *could* just run Mimikatz and dump all your domain credentials. But they are smarter. They want *stealth*.
Instead, they use the *LANSCOPE agent itself* as their malware.

  • They use LANSCOPE’s *own functions* (which are whitelisted) to deploy their spyware.
  • They use LANSCOPE’s *own network channel* (which is whitelisted) to beacon out to their Command & Control (C2) server.
  • They use LANSCOPE’s *own agent* to *disable other EDRs*. An illustrative command of this kind: `lanscope_agent.exe --run "systemctl stop kaspersky.service"`.

Service Note: This is an Incident Response nightmare. The attacker is “Living off the Trusted Land.” The logs all look “normal.” You can’t find them by looking for “bad” processes. You can *only* find them by hunting for “normal” processes acting abnormally. This requires a 24/7 Managed Detection & Response (MDR) team.

Phase 3: Why Your EDR is Blind (The “Trusted Agent” Bypass)

This TTP is designed *specifically* to defeat your Endpoint Detection and Response (EDR). Your security team and your EDR vendor have spent months creating a “whitelist” or “allowlist” of trusted software. What’s at the top of that list? Your *other* security and IT management tools.

Your EDR is configured to trust LANSCOPE.

It sees `lanscope_agent.exe` (a signed, trusted binary) running. It sees it spawning `powershell.exe` or `cmd.exe`. It sees it making network connections. But your EDR is programmed to *ignore* this, because this is *normal* behavior for an IT asset management tool.

This exploit hijacks that trusted process. The attacker’s malicious C2 traffic is now “wrapped” inside the legitimate, trusted LANSCOPE network traffic. Your firewall and EDR are completely blind. This is a total EDR bypass.

The Emergency “Hunt & Contain” Plan (You CANNOT Patch)

This is a zero-day. There is no patch. You cannot call your IT team and tell them to “update.” Your *only* defense is to assume you are breached and start threat hunting.

Step 1: Hunt the Behavior (The *only* signal)

You must hunt for the *anomalous* behavior of the *trusted* agent. Your SecOps team or MDR provider must immediately start hunting for these TTPs:

  • IOC 1 (Process Chain): Look for `lanscope_agent.exe` (or its child processes) spawning unusual, interactive processes.
    • `lanscope_agent.exe` → `cmd.exe`
    • `lanscope_agent.exe` → `powershell.exe -e …` (obfuscated command)
    • `lanscope_agent.exe` → `whoami.exe`, `net.exe`, `ipconfig.exe` (reconnaissance)
  • IOC 2 (Network): Look for `lanscope_agent.exe` making network connections to *new, unknown, or suspicious IP addresses or domains*. Compare this against a baseline of the agent’s normal management-server traffic. Anything outside that baseline should be treated as a C2 beacon.
  • IOC 3 (Defense Evasion): Look for `lanscope_agent.exe` interacting with *other* security services (e.g., trying to stop your EDR service, trying to delete logs).
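To make the three hunts above concrete, here is an added example (not code from the briefing, from LANSCOPE, or from any EDR vendor) that runs them over exported process-creation and network-connection events, shaped loosely after Sysmon event IDs 1 and 3. The agent file name `lanscope_agent.exe` is the one the briefing uses; the install path, the baseline management subnet, the service name and every sample event are constructed for illustration. It tracks process lineage on each host, so a `whoami.exe` that is a *grandchild* of the agent (agent → `cmd.exe` → `whoami.exe`) is still caught, which a simple parent/child match would miss.

```python
"""Hunt for a trusted agent behaving abnormally in exported endpoint telemetry.

Added example, not code from the briefing or from the LANSCOPE vendor.
Events are dicts shaped loosely after Sysmon process-create (ID 1) and
network-connect (ID 3) records; field names, paths, service names and the
sample events below are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

AGENT = "lanscope_agent.exe"                      # trusted agent named in the briefing
INTERACTIVE = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe",
               "net.exe", "net1.exe", "ipconfig.exe", "wmic.exe"}
SECURITY_HINTS = ("edr", "sense", "defender", "kaspersky", "crowdstrike", "sysmon")
# Constructed baseline: the subnet the LANSCOPE management server is assumed to live in
BASELINE_NETS = [ipaddress.ip_network("10.10.5.0/24")]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


class AgentHunter:
    """Stateful pass over events; records lineage so grandchildren of the agent count too."""

    def __init__(self, agent: str = AGENT, baseline_nets=BASELINE_NETS):
        self.agent = agent
        self.baseline_nets = baseline_nets
        self.image = {}    # (host, pid) -> image basename
        self.parent = {}   # (host, pid) -> (host, ppid)

    def descends_from_agent(self, host: str, pid: int, max_depth: int = 16) -> bool:
        key = (host, pid)
        for _ in range(max_depth):              # bounded walk up the recorded process tree
            if self.image.get(key) == self.agent:
                return True
            key = self.parent.get(key)
            if key is None:
                return False
        return False

    def on_process_create(self, ev: dict) -> list:
        host, pid, ppid = ev["host"], ev["pid"], ev["ppid"]
        img = basename(ev["image"])
        self.image[(host, pid)] = img
        self.parent[(host, pid)] = (host, ppid)
        if not self.descends_from_agent(host, ppid):
            return []                            # not in the agent's lineage: out of scope
        cmd = ev.get("command_line", "").lower()
        tokens = cmd.split()
        out = []
        if img in INTERACTIVE:                   # IOC 1: agent lineage spawning interactive tools
            out.append(Finding("IOC1-process-chain", host, f"{self.agent} lineage -> {img}: {cmd}"))
        if img in ("powershell.exe", "pwsh.exe") and any(t in ("-e", "-enc", "-encodedcommand") for t in tokens):
            out.append(Finding("IOC1-encoded-powershell", host, cmd))
        if any(h in cmd for h in SECURITY_HINTS) and any(v in tokens for v in ("stop", "delete", "config")):
            out.append(Finding("IOC3-security-service-tamper", host, cmd))   # IOC 3: touching security services
        if ("wevtutil" in cmd and "cl" in tokens) or "clear-eventlog" in cmd:
            out.append(Finding("IOC3-log-clearing", host, cmd))              # IOC 3: deleting logs
        return out

    def on_network_connect(self, ev: dict) -> list:
        host = ev["host"]
        by_agent = basename(ev["image"]) == self.agent or self.descends_from_agent(host, ev["pid"])
        if not by_agent:
            return []
        dest = ipaddress.ip_address(ev["dest_ip"])
        if any(dest in net for net in self.baseline_nets):
            return []                            # known management server: expected traffic
        return [Finding("IOC2-non-baseline-network", host,
                        f"{self.agent} -> {dest}:{ev['dest_port']}")]          # IOC 2: possible beacon


def hunt(events, agent: str = AGENT, baseline_nets=BASELINE_NETS) -> list:
    """Run every event through the hunter, in order, and return all findings."""
    h = AgentHunter(agent, baseline_nets)
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            findings.extend(h.on_process_create(ev))
        elif ev["type"] == "network_connect":
            findings.extend(h.on_network_connect(ev))
    return findings


AGENT_PATH = r"C:\Program Files\LANSCOPE\lanscope_agent.exe"   # constructed install path
SAMPLE_EVENTS = [  # constructed telemetry; srv02's cmd.exe is a control case with no agent lineage
    {"type": "process_create", "host": "srv01", "pid": 1200, "ppid": 4, "image": AGENT_PATH,
     "command_line": "lanscope_agent.exe -service"},
    {"type": "process_create", "host": "srv01", "pid": 1310, "ppid": 1200,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"type": "process_create", "host": "srv01", "pid": 1322, "ppid": 1310,
     "image": r"C:\Windows\System32\whoami.exe", "command_line": "whoami"},
    {"type": "process_create", "host": "srv01", "pid": 1340, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -e SQBFAFgAIAAoAE4A"},
    {"type": "process_create", "host": "srv01", "pid": 1355, "ppid": 1200,
     "image": r"C:\Windows\System32\sc.exe", "command_line": "sc.exe stop ExampleEdrSvc"},
    {"type": "network_connect", "host": "srv01", "pid": 1200, "image": AGENT_PATH,
     "dest_ip": "10.10.5.20", "dest_port": 443},       # baseline management server
    {"type": "network_connect", "host": "srv01", "pid": 1200, "image": AGENT_PATH,
     "dest_ip": "203.0.113.44", "dest_port": 443},     # outside the baseline (documentation range)
    {"type": "process_create", "host": "srv02", "pid": 800, "ppid": 600,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed sample it reports six findings, all on `srv01`: three process-chain hits (`cmd.exe`, the grandchild `whoami.exe`, and `powershell.exe`), one encoded-PowerShell hit, one security-service tamper hit for the `sc.exe stop` call, and one non-baseline connection to `203.0.113.44`; the unrelated `cmd.exe` on `srv02` produces nothing. The baseline subnet is the piece you must fill in from your own environment before the network rule means anything, and the lineage walk is deliberately bounded so a cyclic or truncated export cannot loop forever.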

Step 2: Contain & Mitigate

If you get a “hit” on one of those hunts, you are in active Incident Response.

  1. Contain: *Immediately* isolate the host from the network.
  2. Investigate: Perform digital forensics. Capture memory and disk. Identify the full kill chain.
  3. Mitigate (The Hard Choice): Until LANSCOPE issues a patch, your only mitigation is to either *uninstall the LANSCOPE agent* from critical servers (accepting the loss of visibility) or apply *extremely strict* EDR rules to block *all* child processes from the agent, which may break its legitimate functions.

This is not a theoretical exercise. This is a “call your IR provider” moment.
This “hunt” is complex and time-sensitive. If you are not 100% confident in your ability to hunt for these TTPs 24/7, you are exposed. Our CyberDudeBivash 24/7 IR team is on standby. We can deploy our tools *today* to hunt for this exact APT activity in your network.

Recommended by CyberDudeBivash (Partner Links)

You need a modern, behavioral-focused stack. Here’s what we recommend for this specific problem.

Kaspersky EDR
This is the *only* way to catch this attack. You *must* have a strong behavioral EDR that can log and alert on anomalous *child processes* of trusted agents.
Edureka — Incident Response Training
Train your SecOps team on Threat Hunting and Incident Response *now*. They need to know how to hunt for TTPs, not just respond to alerts.
TurboVPN
Secure your admin access. The initial foothold often comes from an exposed RDP/SSH. Lock it down.

Alibaba Cloud (Global)
Host your critical servers in a secure, cloud-native environment with strong network segmentation.
AliExpress (Global)
Get your IR hardware: FIDO2/YubiKey hardware keys to protect your *own* admin accounts, drive imagers, etc.
Rewardful
If you’re building a security product, run your partner program on Rewardful. We do.

CyberDudeBivash Services & Apps

We don’t just report on these threats. We hunt them. We are the expert team you call when a nation-state APT bypasses your tools. We find the blind spots.

  • Emergency Incident Response (IR): Our 24/7 team will deploy to your environment, hunt for this *exact* TTP, and eradicate the threat.
  • Managed Detection & Response (MDR): Our 24/7 SecOps team becomes your “human sensor,” hunting for these TTPs (like LANSCOPE anomalies) in your EDR logs.
  • Adversary Simulation (Red Team): We will simulate this *exact* “Trusted Agent” bypass attack to prove if your EDR and team can detect it.
  • PhishRadar AI & SessionShield: Our apps to protect the *initial access* vectors—the phishing emails and session hijacks that lead to this.
  • Threat Analyser GUI: Our internal dashboard for log correlation & IR.

FAQ

Q: What is a “Trusted Agent” or “Living off the Trusted Land” (LotL) attack?
A: It’s an attack where the adversary uses *your own legitimate, trusted software* against you. They don’t use “malware.exe.” They use “powershell.exe,” “wmic.exe,” or in this case, “lanscope_agent.exe.” It’s incredibly effective at bypassing security that only looks for “known-bad” files.

Q: We don’t use LANSCOPE. Are we safe?
A: You are safe from *this specific* zero-day. You are *not* safe from the *TTP*. This same attack chain is used against other IT management and security tools (e.g., Ivanti, ManageEngine, other RMMs). The lesson is: any agent running as SYSTEM is a target. You must have behavioral monitoring on *all* of them.

Q: How do I patch this LANSCOPE zero-day?
A: You can’t. That’s what “zero-day” means. The vendor (LANSCOPE) has not released a patch yet. This is why you *must* shift from a “patching” mindset to a “threat hunting” mindset. You have to find the *behavior* of the exploit, not just patch the flaw.

Q: How do I start threat hunting? My team is swamped.
A: You can’t do “part-time” threat hunting. It’s a 24/7 job. This is why our Managed Detection & Response (MDR) service exists. Our 24/7 global SOC team becomes your threat hunters, watching your logs for these TTPs, so your team can sleep.

Affiliate Disclosure: We may earn commissions from partner links at no extra cost to you. These are tools we use and trust. Opinions are independent.

CyberDudeBivash — Global Cybersecurity Apps, Services & Threat Intelligence.

cyberdudebivash.com · cyberbivash.blogspot.com · cryptobivash.code.blog

#BRONZEBUTLER #APT #ZeroDay #LANSCOPE #LPE #SYSTEM #EDRBypass #MDR #IncidentResponse #CyberDudeBivash #ThreatHunting #LotL #CyberEspionage