A China-linked threat actor exploited a Trimble Cityworks zero-day vulnerability in attacks against local government entities in the US, Cisco Talos reports.
Tracked as CVE-2025-0994 (CVSS score of 8.6) and patched in late January, the security defect is described as a deserialization flaw leading to remote code execution (RCE) against customers’ Microsoft Internet Information Services (IIS) web servers.
A GIS-centric solution, Cityworks is used by critical infrastructure organizations, including local governments and utilities, to manage and maintain infrastructure.
In February, CISA added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog and released an industrial control systems (ICS) advisory, noting that the bug’s exploitation requires authentication.
Trimble published indicators of compromise (IoCs) showing that the zero-day had been exploited to deploy Cobalt Strike implants and various malware families, but neither Trimble nor CISA shared details on who was responsible for the observed attacks.
Now, Talos reveals that a Chinese threat actor tracked as UAT-6382 has been exploiting the zero-day since January 2025, targeting the “enterprise networks of local governing bodies” in the US. The identified IoCs overlap with those shared by Trimble.
The hackers were seen performing reconnaissance, deploying webshells and malware for persistence, and attempting to pivot to systems related to utilities management.
As part of the attacks, the threat actor deployed multiple variants of the AntSword webshell, along with Chinatso, Behinder, and various generic file uploaders, they enumerated specific folders to identify files of interest for exfiltration, and deployed multiple backdoors via PowerShell.
UAT-6382 used a Rust-based loader dubbed TetraLoader to fetch and execute Cobalt Strike beacons and a stager to deploy VShell, a GoLang-based implant that provides remote access capabilities, including file management, command execution, screen grabbing, and proxy establishment.
Chinese messages in the identified webshells, the use of the Chinese malware builder MaLoader to create TetraLoader, hands-on-keyboard activity and victimology, and other artefacts suggest that UAT-6382 is a Chinese-speaking group, Talos says.
Related: Chinese APT’s Adversary-in-the-Middle Tool Dissected
Related: Chinese APT Mustang Panda Updates, Expands Arsenal
Related: Chinese APT Weaver Ant Targeting Telecom Providers in Asia
