Tick, a suspected Chinese cyberespionage actor, is also referred to as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, and Stalker Taurus. It is well known for its widespread targeting of East Asia, particularly Japan. A vulnerability tracked as CVE-2025-61932 (CVSS score: 9.3) lets remote attackers run arbitrary commands with SYSTEM privileges on on-premise versions of the program.

Tick has previously been seen using a zero-day vulnerability in its attack campaigns. The hacking group used an unpatched remote code execution vulnerability (CVE-2016-7836) in SKYSEA Client View, a Japanese IT asset management program, to compromise computers and steal data, according to information released by Sophos-owned Secureworks in October 2017.

According to Sophos CTU, "other threat actors may seek to exploit this vulnerability since it is now publicly disclosed." The cybersecurity firm stated in a report that "organizations should also review internet-facing Lanscope servers that have the Lanscope client program (MR) or detection agent (DA) installed to determine if there is a business need for them to be publicly exposed."

"We're aware of very targeted activity in Japan and believe the exploitation by Bronze Butler was limited to sectors aligned with their intelligence objectives," Sophos CTU's director of threat intelligence, Rafe Pilling, told The Hacker News.

Further characteristics of the attack are the deployment of the Havoc post-exploitation framework on specific systems and the infection chains' reliance on DLL side-loading to launch a DLL loader called OAED Loader, which injects the payloads.