UAT-6382 Exploits Cityworks Zero-day Vulnerability to Deliver Malware

Summary:
Cisco Talos has uncovered an ongoing and sophisticated campaign carried out by a threat actor tracked as UAT-6382, exploiting CVE-2025-0994, a critical remote code execution vulnerability in Trimble’s Cityworks asset management system. This campaign, which began in January 2025, has primarily targeted the enterprise networks of local U.S. government entities, with a particular focus on infrastructure related to utilities management. After gaining initial access through the vulnerable Cityworks application, UAT-6382 performed immediate reconnaissance, using basic shell commands to map the environment and identify key directories within IIS web servers. The group then deployed multiple Chinese-language web shells such as AntSword, chinatso/Chopper, and Behinder to establish persistent, backdoor access. These shells were used not only for remote access but also for staging data in preparation for exfiltration, indicating a clear objective to harvest sensitive information. Post-exploitation activity was marked by the deployment of custom malware via PowerShell, including a Rust-based loader known as “TetraLoader,” which was built with “MaLoader,” a malware-building framework whose interface is written in Simplified Chinese. TetraLoader was then used to deliver and execute powerful in-memory payloads such as Cobalt Strike beacons and a custom VShell stager, enabling remote command execution, file management, and covert communication with command-and-control servers.

Security Officer Comments:
The latest campaign reflects a highly targeted and strategic operation aimed at compromising local U.S. government networks, particularly those involved in utilities and infrastructure management. By exploiting CVE-2025-0994 in Trimble’s Cityworks software, the group gained remote access and quickly deployed Chinese-language web shells and custom malware, such as the Rust-based TetraLoader and advanced payloads like Cobalt Strike and VShell, to maintain long-term control and facilitate data exfiltration. The use of infrastructure-specific tooling and persistent access methods indicates a likely motive of cyber espionage, with the actors seeking to gather intelligence on critical systems and potentially position themselves for future disruption or surveillance activities.

Suggested Corrections:
Organizations using Trimble’s Cityworks should prioritize applying the latest security patches addressing CVE-2025-0994 as soon as possible. Beyond patching, it is essential to monitor for known IOCs published by Cisco Talos, audit IIS web servers for unauthorized web shells or suspicious uploads, and examine systems for signs of Rust-based loaders such as TetraLoader. To strengthen defenses, organizations should enforce application allowlisting, restrict the use of PowerShell, deploy endpoint detection and response solutions, and segment critical infrastructure networks to limit lateral movement. Trimble has also issued specific configuration guidance: administrators should ensure that IIS does not run with local or domain-level administrative privileges, as some deployments have been found to be overprivileged. Additionally, attachment directory roots should be carefully restricted to designated folders that exclusively store attachments, avoiding broader access to sensitive file paths.
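The three host-level checks above (IIS not running with administrative privileges, web roots audited for recently dropped server-side scripts, and the attachment root confined to a dedicated folder) can be scripted as a single audit. The script below is an added example, not code from Cisco Talos or Trimble, and it assumes the WebAdministration module that ships with the IIS role, Windows PowerShell 5.1 or later run elevated on the Cityworks web server, and that the operator supplies the attachment directory root through the hypothetical -AttachmentRoot parameter (the page does not name the Cityworks configuration key that stores it).

```powershell
# Added IIS/Cityworks audit example; not from the Talos post or Trimble's guidance.
# Assumptions: WebAdministration module present, run elevated on the IIS host,
# -AttachmentRoot (hypothetical parameter) set to the Cityworks attachment root.
param(
    [string]$AttachmentRoot = $null,   # e.g. D:\CityworksAttachments (operator-supplied)
    [int]$LookbackDays = 30            # window for "recently written" script files
)

Import-Module WebAdministration -ErrorAction Stop

# Server-side extensions a web shell would need in order to execute under IIS.
$scriptExt = @('.aspx', '.ashx', '.asmx', '.asp')

# 1. Application pool identities: IIS must not run as SYSTEM or as an
#    account that is a local Administrator.
$localAdmins = @()
try {
    $localAdmins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name
} catch { Write-Warning "Could not enumerate local Administrators: $_" }

Write-Host '== Application pool identities =='
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $type = [string]$pool.processModel.identityType
    $user = [string]$pool.processModel.userName
    $flag = ''
    if ($type -eq 'LocalSystem') {
        $flag = 'FLAG: pool runs as SYSTEM'
    } elseif ($type -eq 'SpecificUser') {
        if ($localAdmins -contains $user) { $flag = 'FLAG: account is a local Administrator' }
        elseif ($user -match '(?i)admin')  { $flag = 'REVIEW: account name suggests admin rights' }
    }
    '{0,-30} {1,-24} {2,-30} {3}' -f $pool.Name, $type, $user, $flag
}

# 2. Server-side script files written recently under every IIS site root.
#    A legitimate deployment writes these in a change window; anything else
#    deserves a look.
Write-Host "`n== Script files written in the last $LookbackDays days =="
$since = (Get-Date).AddDays(-$LookbackDays)
foreach ($site in Get-Website) {
    $root = [Environment]::ExpandEnvironmentVariables([string]$site.physicalPath)
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $scriptExt -contains $_.Extension.ToLower() -and $_.LastWriteTime -gt $since } |
        ForEach-Object {
            '{0,-20} {1:yyyy-MM-dd HH:mm} {2,9} {3}' -f $site.Name, $_.LastWriteTime, $_.Length, $_.FullName
        }
}

# 3. Attachment root: a dedicated folder, not a drive root, not a parent of a
#    web root (and ideally not inside one), and free of server-side scripts.
if ($AttachmentRoot) {
    Write-Host "`n== Attachment root: $AttachmentRoot =="
    $attach = [IO.Path]::GetFullPath($AttachmentRoot).TrimEnd('\')
    if ($attach -match '^[A-Za-z]:$') { Write-Warning 'FLAG: attachment root is a drive root' }
    foreach ($site in Get-Website) {
        $siteRoot = [IO.Path]::GetFullPath(
            [Environment]::ExpandEnvironmentVariables([string]$site.physicalPath)).TrimEnd('\')
        if ($siteRoot.StartsWith($attach, [StringComparison]::OrdinalIgnoreCase)) {
            Write-Warning "FLAG: attachment root contains the web root of site '$($site.Name)'"
        } elseif ($attach.StartsWith($siteRoot, [StringComparison]::OrdinalIgnoreCase)) {
            Write-Warning "REVIEW: attachment root sits inside the web root of site '$($site.Name)'"
        }
    }
    Get-ChildItem -Path $attach -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
        ForEach-Object { Write-Warning "FLAG: script file in attachment store: $($_.FullName)" }
}
```

Run it from an elevated prompt on each Cityworks web server, e.g. `.\Audit-CityworksIis.ps1 -AttachmentRoot 'D:\CityworksAttachments' -LookbackDays 120` with the lookback set to cover the January 2025 start of the campaign. Every FLAG line maps to one of the corrections above; the recently written script list is a triage aid, not a verdict, so compare it against deployment records before treating a file as a web shell.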

Link(s):
https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/