OAED Loader
OAED Loader is a DLL loader used in intrusion chains attributed to the China-linked cyber-espionage group Tick, also known as Bronze Butler. In the reported mid-2025 campaigns exploiting Motex LANSCOPE Endpoint Manager vulnerability CVE-2025-61932, OAED Loader was used in all observed instances to load the final payload and inject it into legitimate executables via DLL side-loading for evasion. The malware injects a payload into a legitimate executable according to its embedded configuration and was observed with both Gokcpdoor and, in some cases, Havoc-related samples to complicate execution flow. The broader activity targeted LANSCOPE environments and was associated with theft of confidential information, with post-exploitation activity including Active Directory data collection, remote access, and exfiltration through cloud services. No standalone infection vector, persistence mechanism, or specific OAED Loader file indicators were provided in the content beyond its role as a DLL loader and payload injector in this campaign.
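The page describes the loader only by its technique, a legitimate signed executable pulling in a planted DLL from its own directory, so the following is an added defender-side heuristic for that pattern, not code from the page or from any of the cited sources. It assumes Sysmon ImageLoad (Event ID 7) records flattened to `key=value|key=value` lines with the Sysmon fields Image, ImageLoaded, Signed and Signature, plus a HostSigner field assumed to come from log enrichment (Sysmon does not report the host process signer); the sample lines are constructed and are not indicators from this campaign.

```python
"""Heuristic DLL side-loading detection over Sysmon ImageLoad (Event ID 7) records."""
from pathlib import PureWindowsPath

# Directories where a trusted host normally finds its DLLs. A DLL loaded from
# anywhere else, sitting beside the host binary, is the side-loading pattern.
TRUSTED_ROOTS = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")

def parse_record(line: str) -> dict:
    """Parse one 'key=value|key=value' line (assumed flattened Sysmon record)."""
    return dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)

def _dir_of(path: str) -> str:
    """Lower-cased POSIX form of the parent directory, with a trailing slash."""
    return PureWindowsPath(path).parent.as_posix().lower() + "/"

def is_side_load_candidate(rec: dict) -> bool:
    host_dir = _dir_of(rec["Image"])
    dll_dir = _dir_of(rec["ImageLoaded"])
    if dll_dir.startswith(TRUSTED_ROOTS):
        return False  # ordinary load from a system or install directory
    if dll_dir != host_dir:
        return False  # side-loading plants the DLL next to the host binary
    dll_unsigned = rec.get("Signed", "false").lower() != "true"
    # A signed DLL whose signer differs from the host's signer is still suspect.
    signer_mismatch = rec.get("Signature", "") != rec.get("HostSigner", "")
    return dll_unsigned or signer_mismatch

def find_side_loads(lines) -> list:
    """Return the parsed records that match the side-loading heuristic."""
    recs = (parse_record(line) for line in lines)
    return [r for r in recs if is_side_load_candidate(r)]

# Constructed sample telemetry (hypothetical paths and signers, not real IoCs).
SAMPLE_LINES = [
    r"Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|Signature=Microsoft Windows|HostSigner=Microsoft Windows",
    r"Image=C:\ProgramData\update\vendor_tool.exe|ImageLoaded=C:\ProgramData\update\version.dll|Signed=false|Signature=|HostSigner=Example Vendor Ltd",
    r"Image=C:\Program Files\Example\app.exe|ImageLoaded=C:\Program Files\Example\helper.dll|Signed=true|Signature=Example Vendor Ltd|HostSigner=Example Vendor Ltd",
    r"Image=C:\Users\alice\Downloads\legit.exe|ImageLoaded=C:\Users\alice\Downloads\libx.dll|Signed=true|Signature=Some Other Co|HostSigner=Example Vendor Ltd",
]

if __name__ == "__main__":
    for hit in find_side_loads(SAMPLE_LINES):
        print("side-load candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

The heuristic is deliberately narrow; in production it should be paired with an allowlist of known vendor DLLs and the process-creation event that placed the host binary outside its install directory.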
Vulnerabilities exploited
One CVE that Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
China-linked cyber-espionage actors tracked as 'Bronze Butler' (Tick) exploited a Motex Lanscope Endpoint Manager vulnerability as a zero-day... The flaw exploited in these attacks is CVE-2025-61932, a critical request origin verification flaw impacting Motex Lanscope Endpoint Manager versions 9.4.7.2 and earlier. It enables unauthenticated attackers to execute arbitrary code on the target with SYSTEM privileges via specially crafted packets.
Groups observed using it
One distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Some Gokcpdoor and Havoc samples used the OAED Loader malware... This malware injects a payload into a legitimate executable according to its embedded configuration.
Recent activity
Four sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
OAED Loader is a loader malware used to deliver final payloads and employs DLL side-loading for covert injection into legitimate executables.
Loader used to load the final payload and inject it into legitimate executables, leveraging DLL sideloading for evasion.
DLL loader used in the infection chain via DLL side-loading to inject payloads on compromised systems.
Loader/injector used to complicate execution flow by injecting a payload into a legitimate executable based on embedded configuration; used alongside Gokcpdoor and Havoc in this campaign.