Chinese APT Group UAT-6382 Exploits Trimble Cityworks Flaw to Deploy Cobalt Strike and VShell
A Chinese-speaking advanced persistent threat (APT) group, tracked as UAT-6382, has been identified exploiting a critical remote code execution (RCE) vulnerability—CVE-2025-0944—in Trimble Cityworks to gain footholds in U.S. local government networks, Cisco Talos reported.

According to Talos researchers Asheer Malhotra and Brandon White, the threat actor leveraged the flaw to deploy web shells, custom malware, and advanced post-exploitation tools like Cobalt Strike and VShell, showcasing a strong intent to target utility management systems.
Key Details:
- CVE-2025-0944: A deserialization of untrusted data vulnerability in Trimble’s GIS-centric Cityworks platform, allowing unauthenticated remote code execution. It holds a CVSS score of 8.6 and was patched, but had been added to CISA’s KEV catalog in February 2025 due to active exploitation.
- Timeline of Activity: Cisco Talos observed UAT-6382 begin targeting U.S. municipal and enterprise networks in January 2025.
- Initial Access & Malware Deployment:
  - The attackers dropped Rust-based malware loaders (tracked as TetraLoader), derived from MaLoader, an open-source malware-building framework that surfaced on GitHub in December 2024.
  - Payloads deployed include:
    - Cobalt Strike: A post-exploitation tool used to simulate APT behavior.
    - VShell: A Go-based remote access tool used to maintain persistent access.
- Tools and Techniques:
  - Web Shells Deployed:
    - AntSword, Chopper, and Behinder – all commonly used by Chinese-speaking threat groups for web-based access and control.
  - Reconnaissance and Persistence:
    - UAT-6382 performed extensive directory enumeration and reconnaissance.
    - Stolen data was staged in the directories hosting their web shells for easier exfiltration.
    - PowerShell was used to deploy multiple backdoors across compromised systems.
Implications:
The campaign demonstrates UAT-6382’s ability to rapidly weaponize zero-day vulnerabilities and deploy custom malware for long-term persistence, with a strategic focus on municipal systems and critical infrastructure, such as utility and asset management platforms.
The incident also underscores how open-source tools like MaLoader, especially those originating in Simplified Chinese-language forums, are increasingly being used in nation-state-level operations, enhancing the accessibility and agility of threat actors.