
A Chinese cybercriminal group identified as UAT-6382 has been observed exploiting a vulnerability in Trimble Cityworks software that enabled remote arbitrary code execution. The flaw, tracked as CVE-2025-0944 and patched by the time of disclosure, was leveraged by the attackers to deploy Cobalt Strike and VShell malware, granting persistent access to compromised systems.
According to analysts at Cisco Talos, the campaign began in January 2025 and specifically targeted IT infrastructures of municipal governments across the United States. The initial attack vector was a critical deserialization vulnerability (CVSS score: 8.6) in the Cityworks platform, a system used for asset management and geospatial information processing. Once access was secured, UAT-6382 immediately began network reconnaissance and deployed a suite of malicious components.
Experts noted that shortly after exploiting the vulnerability, the threat actors installed web shells—including AntSword, chinatso/Chopper, and Behinder—commonly associated with Chinese threat groups. These tools facilitated persistence and established convenient channels for loading additional payloads and exfiltrating data.
UAT-6382 conducted extensive file system scans across compromised servers, copying selected files into directories already seeded with their web shells so that they could later be exfiltrated through those shells. Concurrently, they deployed backdoors via PowerShell to maintain covert access.
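The behaviour described above, a script file dropped into the webroot and then driven by repeated POST requests while loot is staged beside it, is something a defender can hunt for without any campaign-specific indicators. The following is an added example, not code from Cisco Talos, Trimble or the original article: it compares a snapshot of the webroot against a known-good manifest of script files, then counts POST requests to any unexpected file in IIS W3C-format logs. The manifest, the snapshot, the `/webapp/...` paths and the log lines are all constructed for the example; a real deployment would generate the manifest from a clean install and read the snapshot and logs from disk.

```python
"""Hunt for web-shell-style drops: script files absent from a known-good manifest,
plus POST traffic to them in IIS W3C logs. Constructed example data throughout."""
import hashlib
import re
from collections import Counter

# Constructed baseline manifest (path -> sha256 of known-good content). In practice
# this is generated from a clean deployment and stored off-host.
BASELINE = {
    "/webapp/login.aspx": hashlib.sha256(b"known-good login page").hexdigest(),
    "/webapp/Default.aspx": hashlib.sha256(b"known-good default page").hexdigest(),
}

# Constructed current snapshot of the webroot (path -> file bytes). The third entry
# stands in for a file that was not part of the deployment; its content is a placeholder.
SNAPSHOT = {
    "/webapp/login.aspx": b"known-good login page",
    "/webapp/Default.aspx": b"known-good default page",
    "/webapp/images/up.aspx": b'<%@ Page Language="C#" %><!-- constructed placeholder -->',
}

# Server-side script extensions worth checking against the manifest.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".jsp", ".php")


def find_unexpected_scripts(snapshot, baseline):
    """Return (path, reason) for script files missing from the baseline or with a changed hash."""
    findings = []
    for path, data in snapshot.items():
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        digest = hashlib.sha256(data).hexdigest()
        if path not in baseline:
            findings.append((path, "not in baseline"))
        elif baseline[path] != digest:
            findings.append((path, "hash changed"))
    return findings


# Constructed IIS W3C log excerpt. Detection does not rely on the User-Agent;
# the signal is repeated POSTs to a file that should not exist.
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2025-01-15 02:11:07 203.0.113.10 POST /webapp/images/up.aspx 200 Mozilla/5.0
2025-01-15 02:11:09 203.0.113.10 POST /webapp/images/up.aspx 200 Mozilla/5.0
2025-01-15 02:11:12 203.0.113.10 POST /webapp/images/up.aspx 200 Mozilla/5.0
2025-01-15 08:30:01 198.51.100.7 GET /webapp/login.aspx 200 Mozilla/5.0
2025-01-15 08:30:05 198.51.100.7 POST /webapp/login.aspx 302 Mozilla/5.0
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def post_activity(log_text, suspicious_paths):
    """Count POST requests per (client, path) for the given suspicious paths."""
    hits = Counter()
    for line in log_text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected field layout
        _date, _time, client, method, uri, _status, _ua = m.groups()
        if method == "POST" and uri in suspicious_paths:
            hits[(client, uri)] += 1
    return hits


def hunt(snapshot=SNAPSHOT, baseline=BASELINE, log_text=IIS_LOG):
    """Combine both checks: which files are unexpected, and who is POSTing to them."""
    unexpected = find_unexpected_scripts(snapshot, baseline)
    paths = {p for p, _ in unexpected}
    return {
        "unexpected_files": unexpected,
        "post_hits": dict(post_activity(log_text, paths)),
    }


if __name__ == "__main__":
    result = hunt()
    for path, reason in result["unexpected_files"]:
        print(f"[!] {path}: {reason}")
    for (client, uri), n in result["post_hits"].items():
        print(f"[!] {n} POST request(s) from {client} to {uri}")
```

A file that is new or modified relative to the manifest is a finding on its own; correlating it with POST traffic from a single client, as `hunt` does, separates a dropped shell being used from a stale file left by a deployment. The same two-step check can be extended to other staged artefacts, such as archives appearing in the same directory as the unexpected script.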
A core element of the campaign was the TetraLoader, a loader developed using the MaLoader framework—an open-source tool written in simplified Chinese. TetraLoader is a Rust-based malware loader responsible for delivering both Cobalt Strike and the Go-based remote access tool VShell. This choice of tooling reflects the attackers’ intention to achieve long-term persistence and deep system integration.
In February 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0944 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity of the threat and the urgency of patching affected systems. Trimble has since released indicators of compromise confirming that the vulnerability had been actively exploited.
According to Cisco Talos, UAT-6382’s objective extended beyond isolated servers—their focus was on systems integral to municipal and critical infrastructure operations. This suggests a high degree of strategic planning and a clear understanding of the operational significance of their chosen targets.