May 24, 2025
Severity
High
Analysis Summary
Chinese-speaking threat group UAT-6382 has exploited a now-patched zero-day vulnerability in Trimble Cityworks (CVE-2025-0994) to compromise multiple local government networks across the United States. Trimble Cityworks is a widely used GIS-based asset and work order management platform adopted by municipalities and utilities for infrastructure oversight, permitting, and public works coordination.
Cisco Talos first detected the campaign in January 2025, noting reconnaissance activity within targeted networks. The attackers deployed a Rust-based malware loader to install Cobalt Strike beacons, VSHell backdoors, web shells (like AntSword and Chopper), and other malicious tools, many of which contained Chinese-language artifacts. The custom malware loader, dubbed TetraLoader, was built using a tool called MaLoader, also written in Simplified Chinese.
The exploited vulnerability, CVE-2025-0994, is a critical deserialization flaw in Microsoft IIS servers used by Cityworks, allowing authenticated attackers to execute remote code. Although Trimble patched the flaw in February 2025, attackers had already used it for initial access and lateral movement, particularly targeting systems linked to utilities management.
Following the discovery, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on February 7, 2025, requiring federal agencies to apply patches within three weeks under Binding Operational Directive 22-01. CISA also issued a sector-wide advisory on February 11, urging critical infrastructure operators, including those in water, energy, transportation, and communications, to update immediately.
The campaign underscores the continued exploitation of software vulnerabilities by state-linked or state-sponsored threat actors and highlights the importance of timely patching, particularly in critical infrastructure environments.
Impact
- Remote Code Execution
- Lateral Movement
- Unauthorized Access
Indicators of Compromise
Domain Name
- cdn.phototagx.com
- roomako.com
- lgaircon.xyz
IP
- 192.210.239.172
URL
- https://www.roomako.com/jquery-3.3.1.min.js
- https://lgaircon.xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2
- https://cdn.lgaircon.xyz/jquery-3.3.1.min.js
- https://cdn.phototagx.com/
- http://192.210.239.172:3219/LVLWPH.exe
- http://192.210.239.172:3219/MCUCAT.exe
- http://192.210.239.172:3219/TJPLYT.exe
- http://192.210.239.172:3219/z44.exe
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Apply the latest security patches for Trimble Cityworks immediately.
- Upgrade Microsoft IIS servers to the most recent, secure versions.
- Monitor networks for indicators of compromise, including Cobalt Strike and VSHell activity.
- Conduct thorough threat hunting for unauthorized web shells and backdoors.
- Implement strict access controls and least privilege principles.
- Isolate vulnerable or affected systems from critical infrastructure.
- Enable multi-factor authentication (MFA) across all access points.
- Regularly audit and update firewall and intrusion detection rules.
- Remove or quarantine compromised assets and rebuild from clean backups.
- Conduct employee awareness training on phishing and social engineering threats.
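As an added example (not part of the advisory or any vendor tooling), the following Python sweep applies the domain and IP indicators listed above to web-proxy log lines, matching domains on label boundaries so that subdomains such as cdn.lgaircon.xyz are caught while look-alike hosts are not. The log format and sample lines are constructed for illustration; a real hunt would feed in the organisation's own proxy or DNS export.

```python
import ipaddress
from urllib.parse import urlsplit

# Domain and IP indicators taken from the advisory above.
IOC_DOMAINS = {"cdn.phototagx.com", "roomako.com", "lgaircon.xyz"}
IOC_IPS = {"192.210.239.172"}


def domain_matches(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one.
    Suffix matching on a label boundary catches 'cdn.lgaircon.xyz'
    but not a look-alike such as 'notroomako.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def extract_host(field: str) -> str:
    """Return the hostname from a full URL, a host:port pair, or a bare host."""
    if "://" in field:
        return urlsplit(field).hostname or ""
    host, sep, port = field.rpartition(":")
    return host if sep and port.isdigit() else field


def scan_proxy_log(lines):
    """Return (line_no, indicator) for each line that contacted an IOC.
    Constructed line format: <timestamp> <src_ip> <method> <url|host:port> <status>"""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip
        host = extract_host(parts[3])
        if domain_matches(host):
            hits.append((n, host))
            continue
        try:  # only literal IPs reach here; hostnames raise ValueError
            if str(ipaddress.ip_address(host)) in IOC_IPS:
                hits.append((n, host))
        except ValueError:
            pass
    return hits


# Constructed sample log lines (not from the advisory); the third line
# is a near-miss look-alike domain that must not produce a hit.
SAMPLE_LOG = [
    "2025-02-03T10:12:01Z 10.0.5.23 GET https://www.roomako.com/jquery-3.3.1.min.js 200",
    "2025-02-03T10:12:05Z 10.0.5.23 GET https://notroomako.com/index.html 200",
    "2025-02-03T10:13:40Z 10.0.5.23 GET http://192.210.239.172:3219/z44.exe 200",
    "2025-02-03T10:14:02Z 10.0.5.23 GET https://cdn.lgaircon.xyz/jquery-3.3.1.min.js 200",
    "2025-02-03T10:15:00Z 10.0.5.24 CONNECT update.example.com:443 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags lines 1, 3 and 4 and leaves the look-alike and the legitimate CONNECT untouched.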