Pierluigi Paganini May 23, 2025

A Chinese threat actor, tracked as UAT-6382, exploited a patched Trimble Cityworks flaw to deploy Cobalt Strike and VShell.

Cisco Talos researchers attribute the exploitation of the CVE-2025-0994 in Trimble Cityworks to Chinese-speaking threat actor UAT-6382, based on tools and TTPs used in the intrusions.

The vulnerability CVE-2025-0994 (CVSS v4 score of 8.6) is a deserialization of untrusted data issue. An attacker could trigger the flaw to achieve remote code execution.

In February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Trimble Cityworks vulnerability to its Known Exploited Vulnerabilities catalog.

Since January 2025, UAT-6382 has exploited CVE-2025-0944 to breach U.S. local government networks, deploying Chinese-language web shells and custom malware to target utility systems.

“Post-compromise activity involves the rapid deployment of web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. UAT-6382 also employed the use of Rust-based loaders to deploy Cobalt Strike and VSHell malware to maintain long-term persistent access.” reads the report published by Talos. “We track the Rust-based loaders as “TetraLoader,” built using a recently publicly available malware building framework called “MaLoader.” MaLoader, written in Simplified Chinese, allows its operators to wrap shellcode and other payloads into a Rust-based binary, resulting in the creation of TetraLoader.”

Exploiting the Cityworks vulnerability, attackers ran commands for server reconnaissance, gathering system info, listing directories, and active tasks, before placing web shells in targeted folders.

UAT-6382 quickly deployed web shells like AntSword, chinatso, and Behinder, often with Chinese-language messages, to gain persistent access. They scanned directories, staged sensitive files for exfiltration, and used PowerShell to deploy multiple backdoors across compromised systems.

TetraLoader is a Rust-based malware loader that injects decoded payloads into benign processes like notepad.exe. It delivers Cobalt Strike beacons or VShell stagers to infected systems. The malware is built with MaLoader and written in Simplified Chinese, suggesting that they are linked to Chinese-speaking threat actors.

Cobalt Strike beacons used by UAT-6382 connect to domains like cdn[.]lgaircon[.]xyz and www[.]roomako[.]com via HTTPS, using stealthy configs with injected shellcode. VShell stagers connect to hardcoded IPs, receive XOR-encrypted payloads, and deploy Go-based implants supporting full RAT functions. Tools and C2 panels are Chinese-written, indicating Chinese-speaking operators.

Talos published the indicators of compromise (IOCs). 

The IOCs can also be found in our GitHub repository here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, China)