Gokcpdoor
Gokcpdoor is a Go-based backdoor used by the China-linked cyber-espionage group Bronze Butler, also known as Tick. In mid-2025 campaigns targeting organizations in Japan, the group exploited the Motex Lanscope Endpoint Manager zero-day CVE-2025-61932 to deploy updated Gokcpdoor samples and steal confidential or undisclosed information. The malware is described as capable of establishing a proxy connection with a remote command-and-control server and executing malicious commands on compromised hosts.
Reported 2025 Gokcpdoor variants include both a server-type and a client-type implementation. The server variant listens for incoming client connections, with observed samples using ports 38000 and 38002. The client variant initiates outbound connections to hard-coded C2 servers to establish a covert communication tunnel and function as a backdoor; because the connection is outbound, it can pass through security controls that only block inbound traffic. Sophos reported that the newest observed version dropped support for the KCP protocol and added multiplexed C2 communications using the smux library.
In the observed intrusion chain, Gokcpdoor was loaded via OAED Loader and injected into legitimate executables using DLL side-loading for evasion. In some intrusions, the threat actor used the Havoc C2 framework instead of Gokcpdoor. Associated post-compromise activity included use of goddi for Active Directory information dumping, Remote Desktop through a backdoor tunnel, and 7-Zip for exfiltration. The actors were also observed accessing io, LimeWire, and Piping Server via browser sessions during remote desktop activity for data exfiltration.
High-confidence indicators directly mentioned in the content include a Gokcpdoor sample masquerading as oci.dll with MD5 932c91020b74aaa7ffc687e21da0119c and SHA-256 3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba.
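The indicators above (the two file hashes, the oci.dll masquerade, and the server-variant listening ports 38000/38002) can be turned into a simple hunt over endpoint telemetry. The following is an added example written for this page, not code from Mallory, Sophos, or CTU; it assumes a simplified, constructed event format (file-hash, image-load, and listen events as dicts) and assumes that a legitimate oci.dll loads from the Windows system directories, so a load from anywhere else is treated as a side-loading candidate. Hosts that trip more than one independent indicator are prioritised over single-indicator hits.

```python
"""Hunt for Gokcpdoor-related artifacts in simplified endpoint telemetry.

Added example for this page; not part of any vendor tooling.
Event format, host names and sample values below are constructed.
"""
from collections import defaultdict

# Indicators taken from the write-up above
GOKCPDOOR_SHA256 = {"3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba"}
GOKCPDOOR_MD5 = {"932c91020b74aaa7ffc687e21da0119c"}
SERVER_VARIANT_PORTS = {38000, 38002}
SIDELOADED_DLL = "oci.dll"

# Assumption: a genuine oci.dll lives under the Windows system directories,
# so a load from any other location is a side-loading candidate.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify_event(ev: dict) -> list[str]:
    """Return the indicator names a single telemetry event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "file_hash":
        sha256 = ev.get("sha256", "").lower()
        md5 = ev.get("md5", "").lower()
        if sha256 in GOKCPDOOR_SHA256 or md5 in GOKCPDOOR_MD5:
            hits.append("hash_match")
    elif kind == "image_load":
        path = ev.get("image", "").lower()
        # oci.dll loaded from outside the system directories: DLL side-loading candidate
        if path.endswith("\\" + SIDELOADED_DLL) and not path.startswith(TRUSTED_DLL_DIRS):
            hits.append("suspicious_oci_dll_load")
    elif kind == "listen":
        # server-type Gokcpdoor listens on 38000 / 38002
        if ev.get("port") in SERVER_VARIANT_PORTS:
            hits.append("server_variant_listen_port")
    return hits


def hunt(events) -> dict[str, list[str]]:
    """Group indicator hits per host; hosts with no hits are omitted."""
    findings = defaultdict(set)
    for ev in events:
        for hit in classify_event(ev):
            findings[ev["host"]].add(hit)
    return {host: sorted(hits) for host, hits in findings.items()}


def triage(findings: dict[str, list[str]]) -> dict[str, str]:
    """Two or more independent indicator types on one host is a high-priority finding."""
    return {host: ("high" if len(hits) >= 2 else "review") for host, hits in findings.items()}


# Constructed sample telemetry (not real hosts or captured data)
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "file_hash", "path": "C:\\ProgramData\\oci.dll",
     "md5": "932c91020b74aaa7ffc687e21da0119c"},
    {"host": "WS-01", "type": "image_load", "process": "legit.exe",
     "image": "C:\\ProgramData\\oci.dll"},
    {"host": "WS-01", "type": "listen", "process": "legit.exe", "port": 38002},
    # benign: oci.dll loaded from System32 by a database client
    {"host": "WS-02", "type": "image_load", "process": "dbclient.exe",
     "image": "C:\\Windows\\System32\\oci.dll"},
    # single weak indicator: a listener on 38000 with no other evidence
    {"host": "WS-03", "type": "listen", "process": "svc.exe", "port": 38000},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, level in triage(found).items():
        print(f"{host}: {level} ({', '.join(found[host])})")
```

The port check alone is a weak signal (any service could be configured on 38000), which is why the triage step only escalates hosts where a second, independent indicator such as the hash or the out-of-place oci.dll load is also present.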
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
In the 2025 campaign, CTU™ researchers confirmed that the threat actors gained initial access by exploiting CVE-2025-61932. This vulnerability allows remote attackers to execute arbitrary commands with SYSTEM privileges. ... CISA added CVE-2025-61932 to the Known Exploited Vulnerabilities Catalog on October 22.
Groups observed using it
1 distinct threat actor attributed by public researchers.
...exploitation of CVE-2025-61932 to deliver a known backdoor referred to as Gokcpdoor that can establish a proxy connection with a remote server and act as a backdoor to execute malicious commands on the compromised host.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
Intrusions harnessing the critical request origin verification vulnerability in Motex Lanscope Endpoint Manager, tracked as CVE-2025-61932, as a zero-day have been launched by the China-linked cyberespionage operation Bronze Butler, also known as Tick, to spread an updated Gokcpdoor malware.
Command and Control
2 techniques
Multiplexed command-and-control communication support has been integrated into the latest version of the Gokcpdoor malware.
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups (IPs, domains, and DNS infrastructure; MD5, SHA-1, and SHA-256 file hashes).
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Go-based backdoor used for remote access. Observed in both a server-style implant that waits for inbound operator connections and a client-style implant that beacons outbound to the attacker to bypass network/security barriers.
Gokcpdoor is a backdoor malware used for cyberespionage, featuring multiplexed command-and-control communication and both server and client variants for persistent access and control.
Backdoor malware deployed by the Tick threat actor for cyber espionage, used to infiltrate networks via exploitation of a Lanscope vulnerability.
Backdoor used by Bronze Butler/Tick, deployed via exploitation of Motex Lanscope Endpoint Manager (CVE-2025-61932). It establishes a proxy connection to attacker C2 infrastructure; the latest version drops KCP protocol support and adds multiplexed C2 communication. Observed as both a server component (listening on ports 38000/38002) and a client component that connects to hard-coded C2 addresses.