Chinese Hackers Target US Local Governments by Exploiting Cityworks Zero-Day Vulnerability

Cisco Talos has issued a warning regarding active exploitation of a zero-day vulnerability (CVE-2025-0994) in Cityworks, allegedly by the Chinese-speaking threat group UAT-6382. This article provides an overview of the malware involved, the organizations at risk, and essential security measures.

Cisco Talos has raised an alarm about targeted cyberattacks focusing on Trimble Cityworks, a prominent platform for managing public assets. According to recent findings disclosed to Hackread.com, the UAT-6382 hacking group is actively exploiting a high-severity vulnerability, identified as CVE-2025-0994.

This vulnerability carries a CVSS score of 8.6 and permits remote code execution, allowing attackers to run malicious software on compromised systems. Exploitation dates back to January 2025, with local government organizations in the United States as the primary targets; reports indicate that some entities have already been compromised.

In response, the Cybersecurity and Infrastructure Security Agency (CISA) and Trimble have released advisories on the severity of this vulnerability. Attackers can gain remote access and execute malicious code on Microsoft Internet Information Services (IIS) web servers without authentication. Affected versions are Cityworks prior to 15.8.9 and Cityworks with Office Companion prior to 23.10.
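The affected-version boundaries above are the kind of thing an asset owner wants to check across an inventory rather than by eye. The script below is an added example, not Trimble's or Cisco Talos' code; it encodes only the two thresholds the article states (Cityworks before 15.8.9, Office Companion before 23.10). How you collect the installed version string from each server is an assumption the page does not cover, and the inventory rows are constructed for the demonstration.

```python
"""Affected-version check for the Trimble Cityworks advisory on CVE-2025-0994.

Added example, not Trimble's or Cisco Talos' code. Thresholds come from the
article: Cityworks builds before 15.8.9, and Office Companion before 23.10,
are affected. Obtaining the installed version string is left to the caller
(an assumption: the page does not say where it is recorded).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Fixed-version thresholds stated in the advisory coverage.
CITYWORKS_FIXED = (15, 8, 9)
OFFICE_COMPANION_FIXED = (23, 10)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '15.8.10' into (15, 8, 10).

    Numeric comparison matters: a naive string compare ranks '15.8.10'
    below '15.8.9' and would report a patched host as vulnerable.
    Trailing non-numeric suffixes (e.g. '15.8.9-hotfix') are dropped.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_before(installed: Tuple[int, ...], fixed: Tuple[int, ...]) -> bool:
    """True if `installed` is strictly older than `fixed`; short tuples are zero-padded."""
    width = max(len(installed), len(fixed))
    a = installed + (0,) * (width - len(installed))
    b = fixed + (0,) * (width - len(fixed))
    return a < b


@dataclass
class Host:
    name: str
    cityworks_version: str
    office_companion_version: Optional[str] = None  # None if the companion is absent


def assess(host: Host) -> dict:
    """Report which of the two affected conditions a host meets."""
    cw_vuln = is_before(parse_version(host.cityworks_version), CITYWORKS_FIXED)
    oc_vuln = (
        host.office_companion_version is not None
        and is_before(parse_version(host.office_companion_version), OFFICE_COMPANION_FIXED)
    )
    return {
        "host": host.name,
        "cityworks_vulnerable": cw_vuln,
        "office_companion_vulnerable": oc_vuln,
        "action": "patch" if (cw_vuln or oc_vuln) else "none",
    }


# Constructed inventory rows for demonstration; not real hosts.
SAMPLE_INVENTORY = [
    Host("gis-web-01", "15.8.8"),
    Host("gis-web-02", "15.8.10"),
    Host("gis-web-03", "15.8.9", "23.9"),
    Host("gis-web-04", "15.8.9", "23.10"),
]


def report(hosts=SAMPLE_INVENTORY):
    return [assess(h) for h in hosts]


if __name__ == "__main__":
    for row in report():
        print(row)
```

The version parser compares components numerically so that 15.8.10 is correctly treated as newer than 15.8.9; a lexical comparison would get that wrong and mark an already patched server as vulnerable.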

The UAT-6382 group employs various tactics to maintain access once a system is compromised. They frequently deploy web shells, such as AntSword and chinatso/Chopper, on the attacked servers. Additionally, they use specialized tools like TetraLoader, a Rust-based loader that facilitates the installation of more persistent malware, including Cobalt Strike and VShell.

“Talos has detected intrusions in local government enterprise networks in the U.S., starting in January 2025 with the initial exploitation of the vulnerability. UAT-6382 successfully utilized CVE-2025-0994, performed reconnaissance, and rapidly deployed various web shells and custom malware for long-term access.”

Cisco Talos

Identification of Chinese-Speaking Threat Actors

[Image: MaLoader Builder Interface (Source: Cisco Talos)]

Once access is achieved, the attackers show a particular focus on systems used for utility management. Their first steps involve enumerating the compromised server to learn its layout, searching for specific directories related to Cityworks. This is followed by rapid deployment of web shells and staging of sensitive data for potential exfiltration. PowerShell commands are also used to set up backdoors, ensuring sustained access.
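Web shells dropped onto an IIS server leave a simple trace in the server's own logs: a server-side script file that the application never shipped starts receiving POST requests. The script below is an added example of that triage heuristic; it is not Cisco Talos' detection logic and uses none of their indicators. The allowlist of legitimate script endpoints and the W3C log excerpt are constructed for the demonstration; in a real deployment the allowlist should be generated from the installed application's files.

```python
"""Heuristic triage of IIS W3C logs for web-shell style traffic.

Added example, not Cisco Talos' detection logic. It flags server-side script
files (.aspx/.ashx/.asmx) that receive POST requests but are not part of the
known application surface. The allowlist and log lines are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")

# Assumed baseline of legitimate script endpoints for a deployment (constructed).
KNOWN_SCRIPT_PATHS = {
    "/cityworks/login.aspx",
    "/cityworks/workorder.aspx",
}

# Constructed IIS W3C extended log excerpt; not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-15 03:10:02 10.0.0.5 GET /cityworks/login.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 15
2025-01-15 03:10:09 10.0.0.5 POST /cityworks/login.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 302 0 0 40
2025-01-15 03:12:44 10.0.0.5 POST /cityworks/uploads/tmp.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2025-01-15 03:12:51 10.0.0.5 POST /cityworks/uploads/tmp.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 98
2025-01-15 03:13:03 10.0.0.5 POST /cityworks/uploads/tmp.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 77
2025-01-15 03:15:00 10.0.0.5 GET /cityworks/images/logo.png - 443 - 198.51.100.21 Mozilla/5.0 - 200 0 0 3
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(" ")[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date, ...)
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # skip malformed rows rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def suspicious_script_posts(records, known_paths=KNOWN_SCRIPT_PATHS):
    """Count POSTs to unknown script files, grouped by (path, client IP)."""
    hits = defaultdict(int)
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") != "POST":
            continue
        if not stem.endswith(SCRIPT_EXTENSIONS):
            continue
        if stem in known_paths:
            continue
        hits[(stem, rec.get("c-ip", "?"))] += 1
    return dict(hits)


def triage(log_text: str = SAMPLE_LOG):
    return suspicious_script_posts(parse_w3c(log_text.splitlines()))


if __name__ == "__main__":
    for (path, ip), n in sorted(triage().items()):
        print(f"{n:4d} POST(s) to {path} from {ip}")
```

The parser keys each row by the `#Fields` directive rather than by fixed column positions, because IIS sites are often configured with different field sets and a hard-coded index would silently read the wrong column. Hits on a path that is absent from the allowlist are a starting point for file-system review of that path, not a verdict on their own.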

Insights into the Malware

TetraLoader's primary function is to inject payloads into legitimate processes such as notepad.exe. These payloads may be Cobalt Strike beacons, which are widely used by attackers for command and control, or VShell stagers.

VShell is a Go-based remote access Trojan that lets attackers manage files, execute commands, capture screenshots, and establish proxy services on compromised systems. Its control panels display Chinese text, one of the indicators behind the assessment that the operators are Chinese-speaking.

Trimble Cityworks has issued security patches that remediate CVE-2025-0994 and strongly encourages users to apply them. Organizations are advised to monitor for suspicious activity using Cisco Talos' published indicators of compromise (IOCs). Talos additionally recommends security products such as Cisco Secure Endpoint, Secure Firewall, and Umbrella for protection against this kind of threat.
