Chinese APT UAT-6382 Targets Local Governments via Cityworks Zero-Day – Active IOCs

Severity

High

Analysis Summary

Chinese-speaking threat group UAT-6382 has exploited a now-patched zero-day vulnerability in Trimble Cityworks (CVE-2025-0994) to compromise multiple local government networks across the United States. Trimble Cityworks is a widely used GIS-based asset and work order management platform adopted by municipalities and utilities for infrastructure oversight, permitting, and public works coordination.

Cisco Talos first detected the campaign in January 2025, noting reconnaissance activity within targeted networks. The attackers deployed a Rust-based malware loader to install Cobalt Strike beacons, VShell backdoors, web shells (including AntSword and Chopper variants), and other malicious tools, many of which contained Chinese-language artifacts. The custom loader, dubbed TetraLoader, was built with MaLoader, a publicly available loader builder whose code and documentation are written in Simplified Chinese.

The exploited vulnerability, CVE-2025-0994 (CVSS 8.6, High), is a deserialization of untrusted data flaw in Trimble Cityworks itself, not in IIS: an authenticated Cityworks user can supply crafted serialized data that is deserialized by the application and gain code execution on the Microsoft IIS web server hosting it. Trimble released fixed builds (Cityworks 15.8.9 and Cityworks with Office Companion 23.10) at the end of January 2025, ahead of the February public disclosure, but by then attackers had already used the flaw for initial access and follow-on lateral movement, particularly against systems linked to utilities management.

Following the discovery, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on February 7, 2025, requiring federal civilian agencies to patch within three weeks (by February 28, 2025) under Binding Operational Directive 22-01. CISA also issued a sector-wide advisory on February 11, urging critical infrastructure operators, including those in water, energy, transportation, and communications, to update immediately.

The campaign underscores the continued exploitation of software vulnerabilities by state-linked or state-sponsored threat actors and highlights the importance of timely patching, particularly in critical infrastructure environments.

Impact

  • Remote Code Execution
  • Lateral Movement
  • Unauthorized Access

Indicators of Compromise

Domain Name

  • cdn.phototagx.com

  • roomako.com

  • lgaircon.xyz

IP

  • 192.210.239.172

MD5

  • 092864a16fff333b8a98b29eb0a06d6c

  • e80eb9d5accd75020f311400faefdc58

  • 7002b9e747b3d92d6d52f291e911a7fc

  • cce97d53af7c61cc8b9953c9d616b101

SHA-256

  • 14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f

  • 4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9

  • 1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901

  • c02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738

SHA1

  • c7fc692b4650356566b33414924475176328bd93

  • e760717e7eee446480dc7947b2a0751a0bc1f651

  • ede9704d231f2950a65e272362c6f3cc82521e5c

  • e8896bbd75ffca23b7f9e7c0c04c088d60e3ddae

URL

  • https://www.roomako.com/jquery-3.3.1.min.js

  • https://lgaircon.xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2

  • https://cdn.lgaircon.xyz/jquery-3.3.1.min.js

  • https://cdn.phototagx.com/

  • http://192.210.239.172:3219/LVLWPH.exe

  • http://192.210.239.172:3219/MCUCAT.exe

  • http://192.210.239.172:3219/TJPLYT.exe

  • http://192.210.239.172:3219/z44.exe

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Apply the latest security patches for Trimble Cityworks immediately.
  • Run the Cityworks IIS application pool under a dedicated low-privilege identity rather than a local or domain administrator account, and restrict the attachment directory root as Trimble recommends, so that exploitation of the web application does not yield an administrative foothold.
  • Monitor networks for indicators of compromise, including Cobalt Strike and VShell activity.
  • Conduct thorough threat hunting for unauthorized web shells and backdoors.
  • Implement strict access controls and least privilege principles.
  • Isolate vulnerable or affected systems from critical infrastructure.
  • Enable multi-factor authentication (MFA) across all access points.
  • Regularly audit and update firewall and intrusion detection rules.
  • Remove or quarantine compromised assets and rebuild from clean backups.
  • Conduct employee awareness training on phishing and social engineering threats.
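The first two remediation steps, sweeping logs and file inventories for the indicators listed above, look like this in practice. The script below is an added example and is not Rewterz's, Talos's or Trimble's tooling; the proxy log format, the source addresses, the file paths and the non-IOC digests are constructed for illustration, while the indicator values are copied from the lists above. Domain indicators are matched on a label boundary so that subdomains of a listed domain flag (the listed cdn.lgaircon.xyz sits under the listed lgaircon.xyz) but look-alike hosts such as notroomako.com do not, and any request to the listed IP flags even when the port differs from the 3219 seen in the URLs.

```python
#!/usr/bin/env python3
"""Added example (not the advisory's or any vendor's tooling): sweep a proxy log
and a file-hash inventory for the UAT-6382 / Cityworks indicators above.
All sample inputs are constructed."""
import re
from urllib.parse import urlparse

# Indicators copied from the advisory.
IOC_DOMAINS = {"cdn.phototagx.com", "roomako.com", "lgaircon.xyz"}
IOC_IPS = {"192.210.239.172"}
IOC_URLS = {
    "https://www.roomako.com/jquery-3.3.1.min.js",
    "https://lgaircon.xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2",
    "https://cdn.lgaircon.xyz/jquery-3.3.1.min.js",
    "https://cdn.phototagx.com/",
    "http://192.210.239.172:3219/LVLWPH.exe",
    "http://192.210.239.172:3219/MCUCAT.exe",
    "http://192.210.239.172:3219/TJPLYT.exe",
    "http://192.210.239.172:3219/z44.exe",
}
IOC_HASHES = {h.lower() for h in (
    # MD5
    "092864a16fff333b8a98b29eb0a06d6c", "e80eb9d5accd75020f311400faefdc58",
    "7002b9e747b3d92d6d52f291e911a7fc", "cce97d53af7c61cc8b9953c9d616b101",
    # SHA-1
    "c7fc692b4650356566b33414924475176328bd93", "e760717e7eee446480dc7947b2a0751a0bc1f651",
    "ede9704d231f2950a65e272362c6f3cc82521e5c", "e8896bbd75ffca23b7f9e7c0c04c088d60e3ddae",
    # SHA-256
    "14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f",
    "4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9",
    "1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901",
    "c02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738",
)}


def classify_host(host):
    """Return 'ip', 'domain' or None for a hostname.
    A domain IOC covers its subdomains, but only on a label boundary,
    so notroomako.com does not match roomako.com."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return "ip"
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return "domain"
    return None


def classify_url(url):
    """Exact URL hits rank above host hits; a request to the listed IP on
    any other port still flags as 'ip'."""
    if url in IOC_URLS:
        return "url"
    return classify_host(urlparse(url).hostname or "")


# Constructed log layout: timestamp source_ip method url status
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def hunt_proxy_log(text):
    """Return [(source_ip, url, reason)] for every log line touching an IOC."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real sweep should count and review these
        reason = classify_url(m["url"])
        if reason:
            hits.append((m["src"], m["url"], reason))
    return hits


def hunt_hashes(inventory):
    """inventory maps file path -> hex digest (MD5, SHA-1 or SHA-256, any case)."""
    return sorted(p for p, h in inventory.items() if h.strip().lower() in IOC_HASHES)


# Constructed sample data: internal addresses, paths and the all-zero digest are placeholders.
SAMPLE_PROXY_LOG = """\
2025-05-20T10:14:02Z 10.10.5.23 GET https://www.roomako.com/jquery-3.3.1.min.js 200
2025-05-20T10:15:11Z 10.10.5.23 GET http://192.210.239.172:3219/z44.exe 200
2025-05-20T10:16:40Z 10.10.5.40 POST https://api.lgaircon.xyz/beacon 200
2025-05-20T10:17:05Z 10.10.5.40 GET http://192.210.239.172:8080/ 404
2025-05-20T10:18:00Z 10.10.5.41 GET https://code.jquery.com/jquery-3.3.1.min.js 200
2025-05-20T10:19:00Z 10.10.5.42 GET https://notroomako.com/login 200
"""
SAMPLE_INVENTORY = {
    r"C:\Users\Public\update.exe": "14ED3878B6623C287283A8A80020F68E1CB6BFC37B236F33A95F3A64C4F4611F",
    r"C:\Windows\Temp\svc.dll": "092864a16fff333b8a98b29eb0a06d6c",
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}

if __name__ == "__main__":
    for src, url, reason in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{src} -> {url} [{reason}]")
    for path in hunt_hashes(SAMPLE_INVENTORY):
        print(f"hash match: {path}")
```

Note that the legitimate code.jquery.com request does not flag even though the file name matches the malicious jquery-3.3.1.min.js lures: matching on the full URL or host, never on a path fragment alone, keeps the sweep from drowning in false positives on a common library name. Hashes are compared after lowercasing because hashing jobs emit mixed case, and MD5, SHA-1 and SHA-256 are pooled into one set since their lengths cannot collide.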