A sophisticated Chinese-speaking hacking group, tracked as UAT-6382, has been linked to active exploitation of a critical vulnerability in Trimble Cityworks software. The attackers leveraged the now-patched flaw, CVE-2025-0944, to gain remote access to U.S. municipal networks and deploy long-term surveillance tools, according to new research from Cisco Talos.
The vulnerability, which scored an 8.6 on the CVSS scale, involved the deserialization of untrusted data within Trimble’s GIS-based asset management platform. Cisco researchers Asheer Malhotra and Brandon White revealed that UAT-6382 used this flaw to conduct reconnaissance and deploy both web shells and custom malware across targeted systems. The attacks began in January 2025 and have primarily focused on utility-related networks in U.S. local government agencies.
Once inside, the threat group quickly moved laterally across the network. They dropped web shells like AntSword, Chopper, and Behinder—tools commonly used by Chinese APT groups—to maintain persistent access. These tools enabled attackers to scan directories and collect files, which they then staged for exfiltration using their own backdoor infrastructure.
Advanced Malware and Toolsets Point to Strategic Espionage
The attackers didn’t stop at web shells. Cisco Talos uncovered that UAT-6382 deployed a Rust-based loader known as TetraLoader—a variant built using the open-source MaLoader framework first spotted on GitHub in December 2024. This loader facilitated the deployment of Cobalt Strike, a popular post-exploitation toolkit, along with a Go-based remote access tool named VShell. Both tools allow for extensive command execution and data exfiltration across compromised networks.
Cisco also noted the extensive use of PowerShell scripts to deliver secondary payloads and establish redundant backdoors. These tactics suggest that UAT-6382 is highly interested in maintaining long-term access, especially to infrastructure tied to utility operations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0944 to its Known Exploited Vulnerabilities catalog in February 2025, urging all organizations using Trimble Cityworks to apply security patches immediately. Indicators of compromise (IoCs) released by Trimble highlight key signatures organizations can use to detect signs of infiltration.
This campaign is another reminder of how quickly advanced threat actors move to exploit zero-day and freshly patched vulnerabilities in critical software systems, particularly those used by public sector and utility organizations.