A complex cyber espionage campaign by a Chinese-speaking APT group called UAT-6382 has been spotted exploiting a 0-day vulnerability in the Trimble’s Cityworks software, to compromise networks of various U.S. local government organizations.
The attacks, which have been into play since at least January 2025, exploited a vulnerability tracked as CVE-2025-0994, which is a high-severity deserialization vulnerability that could be exploited with a web request to alter the original and get code execution on targeted Microsoft Internet Information Services (IIS) web servers.
Cityworks is the top GIS-centric platform for public asset management being used by local governments, utility, and public works organizations.
The use of this vulnerability for exploitation poses several significant concerns for disruption of essential services and potential compromise of sensitive government information.
Security researchers at Cisco Talos disclosed new details of these attacks, noting that the attackers were using web shells like AntSword, Chopper, and Behinder, tools that are familiar from the Chinese hacking toolkits, to gain an initial foothold and retain persistence. These web shells, which include messaging in Chinese language, provided enable backdoor access to the effected machines.
Once inside the environment, UAT-6382 performed reconnaissance to fingerprint servers and discover sensitive data. They used custom built loader malware based on Rust that they named TetraLoader, created on the publicly available Chinese malware-building framework MaLoader.
The attackers also used TetraLoader to drop both Cobalt Strike beacons and a Go-based RAT called VShell to give themselves substantial control over the infected systems. Their move also suggested they had a particular interest in transitioning to utility management systems.
In the face of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included CVE-2025-0994 in its Known Exploited Vulnerabilities (KEV) list in February 2025, alerting Federal agencies to install patches as soon as possible.
Trimble had provided patches for the bug toward the end of January 2025 in versions 15.8.9 and 23.10.
According to security experts, all entities that employ Trimble Cityworks should urgently install the latest fixes and check their systems for any signs of intrusion.
The incident serves as a reminder of the continuing danger faced by critical infrastructure operators in the crosshairs of state-sponsored attackers and the need for timely patching and hardening of security posture, especially among government organizations that control vital public services.
