Introduction
In a recent wave of cyber intrusions, a Chinese-speaking threat group identified as UAT-6382 has been associated with exploiting a critical vulnerability in Trimble Cityworks, a GIS-centric asset management solution. The attackers leveraged this flaw to deliver advanced post-exploitation tools such as Cobalt Strike and VShell, posing a significant threat to municipal infrastructure and utility management systems in the United States. This article delves into the technical aspects of the attack, tools used, and its broader implications.
Exploitation of Trimble Cityworks Vulnerability
The vulnerability in question, tracked as CVE-2025-0944 and carrying a CVSS score of 8.6, involves the deserialization of untrusted data, which allows for remote code execution. This flaw, once exploited, enables attackers to gain initial access to vulnerable systems. The issue has since been patched, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) catalog in February 2025.
According to Cisco Talos researchers Asheer Malhotra and Brandon White, the exploitation campaign began in January 2025, targeting the enterprise networks of local government entities across the United States. Upon successful exploitation, the threat actor rapidly executed reconnaissance activities and deployed a series of web shells and custom malware to maintain persistent access.
Attack Methods and Malware Deployment
Once access was obtained, UAT-6382 exhibited a clear interest in systems related to utility management. The attackers initiated a reconnaissance phase, identifying directories and files of interest on compromised servers. Web shells such as AntSword, Chopper (also known as chinatso), and Behinder—commonly used by Chinese threat actors—were deployed to facilitate remote access and control.
Additionally, the group staged the files it had collected in accessible directories for exfiltration and executed a variety of backdoors using PowerShell scripts. This multilayered approach enabled it to maintain a persistent foothold and carry out follow-on operations with relative ease.
Use of TetraLoader and Custom Tooling
Cisco Talos identified a Rust-based malware loader, dubbed TetraLoader, which was utilized to deploy Cobalt Strike and a Go-based remote access tool named VShell. TetraLoader is reportedly built using MaLoader, an open-source malware development framework written in Simplified Chinese and first seen on GitHub in December 2024. This indicates a high level of technical sophistication and resourcefulness, with UAT-6382 leveraging publicly available tools to create customized and robust attack frameworks.
Conclusion
The activities of UAT-6382 highlight the persistent and evolving threat posed by state-affiliated or state-tolerated actors targeting critical infrastructure. By exploiting known vulnerabilities such as CVE-2025-0944, attackers can establish long-term access to sensitive systems, jeopardizing both data integrity and public safety. Organizations using Trimble Cityworks and similar platforms must prioritize patch management, monitor for indicators of compromise, and implement layered defenses to thwart such advanced threats.
The incident underscores the importance of international collaboration in cybersecurity and the urgent need for proactive vulnerability management across public sector networks.