Chinese APT UAT-6382 Exploits Trimble Cityworks Zero-Day in Attacks on US Local Governments
A Chinese-aligned threat actor known as UAT-6382 has been identified as the group behind the exploitation of a zero-day vulnerability in Trimble Cityworks, targeting local government entities in the United States, according to a new report from Cisco Talos.
The vulnerability, tracked as CVE-2025-0994 with a CVSS score of 8.6, is a deserialization flaw in Cityworks that enables remote code execution (RCE) on Microsoft IIS servers when successfully exploited. Cityworks, widely used by critical infrastructure and utility organizations, was patched in late January 2025. Despite requiring authentication, the flaw was serious enough for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog in February and issue an ICS advisory.
UAT-6382’s Campaign: Tools, Techniques, and Targets
Cisco Talos has now confirmed that UAT-6382 has been actively exploiting this vulnerability since January 2025, targeting the enterprise networks of U.S. local governments. The group’s activity closely mirrors indicators of compromise (IoCs) previously published by Trimble.
Once access was gained, UAT-6382 initiated reconnaissance operations, followed by the deployment of webshells and malware to maintain persistent access. The attackers made multiple attempts to pivot to systems tied to utilities management, signaling an interest in critical infrastructure.
Notably, the campaign made use of:
- Webshells: Multiple variants of AntSword, as well as Chinatso/Chopper, Behinder, and generic file uploaders
- Backdoors: Deployed via PowerShell for persistence
- Custom Malware:
  - TetraLoader – a Rust-based loader developed using MaLoader, a publicly available malware builder written in Simplified Chinese
  - Cobalt Strike beacons – for command and control
  - VShell – a Go-based implant capable of remote command execution, file management, screen capture, and proxy configuration
Attribution and Indicators of Chinese Origin
Talos points to several key factors that support attribution to a Chinese-speaking threat actor:
- Chinese-language content in webshells
- Use of MaLoader, a tool originating from Chinese-speaking cybercrime forums
- Hands-on-keyboard activity, suggesting experienced operators
- The strategic targeting of U.S. local government and infrastructure networks
Threat Outlook
The exploitation of CVE-2025-0994 underscores the ongoing threat posed by nation-state actors targeting industrial and municipal infrastructure via software vulnerabilities, especially those with high-impact RCE potential.
While the vulnerability has since been patched, organizations are urged to:
- Apply all relevant updates and patches to Cityworks systems
- Monitor for signs of compromise using published IoCs
- Audit systems for unusual PowerShell activity or webshell deployments
- Limit external access to critical services and implement strict access controls
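One concrete way to act on the "audit for webshell deployments" recommendation is to triage the IIS access logs of the Cityworks host for the traffic pattern a file-upload webshell produces: repeated unauthenticated POST requests from one client to a single server-side script. The script below is an added example written for this article, not code from Cisco Talos or Trimble; the log lines, IP addresses and the `/cityworks/...` paths are constructed for illustration, and the threshold and field layout are assumptions to adjust to your own IIS logging configuration.

```python
"""Triage of IIS W3C logs for webshell-driven activity.

Added example, not code from Cisco Talos or Trimble. It parses IIS W3C log lines and
flags the access pattern an upload-and-drive webshell (AntSword/Chopper style) produces:
repeated anonymous POST requests from one client to a single server-side script
(.aspx/.ashx/.asmx). All log lines, hosts, IPs and paths below are constructed.
"""
from collections import Counter

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")
POST_THRESHOLD = 3  # flag once this many anonymous POSTs hit one script from one client

# Constructed sample log in the W3C format IIS writes. The 198.51.100.7 client drives a
# hypothetical dropped file "error.aspx" placed under a directory that should hold only images.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-20 02:11:04 10.0.0.5 GET /cityworks/default.aspx - 443 jdoe 192.0.2.10 Mozilla/5.0 200
2025-01-20 02:14:17 10.0.0.5 POST /cityworks/api/save.ashx id=7 443 jdoe 192.0.2.10 Mozilla/5.0 200
2025-01-20 02:15:02 10.0.0.5 POST /cityworks/images/error.aspx - 443 - 198.51.100.7 Mozilla/4.0 200
2025-01-20 02:15:09 10.0.0.5 POST /cityworks/images/error.aspx - 443 - 198.51.100.7 Mozilla/4.0 200
2025-01-20 02:15:31 10.0.0.5 POST /cityworks/images/error.aspx - 443 - 198.51.100.7 Mozilla/4.0 200
2025-01-20 02:16:00 10.0.0.5 GET /cityworks/reports/list.aspx - 443 asmith 192.0.2.22 Mozilla/5.0 200
2025-01-20 02:16:40 10.0.0.5 POST /cityworks/login.aspx - 443 - 203.0.113.9 Mozilla/5.0 302
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive keyword
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no request data
        if fields is None:
            raise ValueError("request line seen before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_script_path(uri_stem):
    """True when the requested resource is server-side code rather than static content."""
    return uri_stem.lower().endswith(SCRIPT_EXTENSIONS)


def find_webshell_candidates(text, threshold=POST_THRESHOLD):
    """Return [(client_ip, uri_stem, post_count), ...] for anonymous POST bursts to scripts.

    Hits are sorted by count, descending. A single anonymous POST to login.aspx is normal
    traffic; a run of anonymous POSTs to one script that nobody authenticated to is what a
    shell client produces, and the file at that path should be pulled for review.
    """
    counts = Counter()
    for req in parse_iis_log(text):
        if req["cs-method"] != "POST":
            continue
        if not is_script_path(req["cs-uri-stem"]):
            continue
        if req["cs-username"] != "-":
            continue  # authenticated application traffic; outside this rule's scope
        counts[(req["c-ip"], req["cs-uri-stem"])] += 1
    hits = [(ip, stem, n) for (ip, stem), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for ip, stem, n in find_webshell_candidates(SAMPLE_LOG):
        print(f"review {stem}: {n} anonymous POSTs from {ip}")
```

Run it against real logs by replacing `SAMPLE_LOG` with the contents of the files under the IIS `LogFiles` directory; every path it reports should be checked against the application's known file inventory and its file creation time compared with the January 2025 exploitation window. The rule deliberately keys on request structure rather than on client User-Agent strings, which an operator can change freely, and it lowers false positives by ignoring POSTs that carry an authenticated `cs-username`.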
Cisco Talos continues to monitor the activity of UAT-6382 and is collaborating with partners to enhance defensive measures against similar campaigns.