A Chinese threat actor known as UAT-6382 exploited a now-patched vulnerability in Trimble Cityworks to deploy Cobalt Strike and VShell malware.
Cisco Talos researchers link the exploitation of CVE-2025-0994 in Trimble Cityworks to UAT-6382 based on the tools and tactics, techniques, and procedures (TTPs) observed in the attacks.
The vulnerability CVE-2025-0994, which has a CVSS v4 score of 8.6, involves the deserialization of untrusted data. This flaw allows an attacker to execute remote code on affected systems.
In February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included the Trimble Cityworks vulnerability in its Known Exploited Vulnerabilities catalog.
Since January 2025, UAT-6382 has been exploiting CVE-2025-0994 to breach local government networks in the United States. The group deploys Chinese-language web shells and custom malware to target utility systems.
According to a report published by Talos, post-compromise activities include the rapid deployment of web shells such as AntSword and chinatso/Chopper on IIS web servers. The threat actor also uses Rust-based loaders to deploy Cobalt Strike and VShell malware to maintain persistent access.
The Rust-based loaders are tracked as “TetraLoader” and are created using a recently released malware framework called “MaLoader.” MaLoader is written in Simplified Chinese and enables operators to package shellcode and other payloads into Rust binaries, resulting in TetraLoader.
Once the Cityworks vulnerability is exploited, the attackers run commands to perform server reconnaissance. They gather system information and list directories and active tasks before placing web shells in targeted folders.
UAT-6382 quickly deploys web shells like AntSword, chinatso, and Behinder, often containing Chinese-language messages, to establish long-term access. The attackers scan directories, prepare sensitive files for exfiltration, and use PowerShell to deploy multiple backdoors across compromised systems.
TetraLoader is a Rust-based malware loader that injects decoded payloads into legitimate processes such as notepad.exe. It delivers Cobalt Strike beacons or VShell stagers to infected machines. The malware’s origin and coding language suggest a link to Chinese-speaking threat actors.
The Cobalt Strike beacons used by UAT-6382 connect via HTTPS to domains such as cdn[.]lgaircon[.]xyz and www[.]roomako[.]com. These connections use stealth configurations with injected shellcode. The VShell stagers connect to hardcoded IP addresses, receive XOR-encrypted payloads, and deploy Go-based implants that provide full remote access tool (RAT) capabilities. The tools and command-and-control panels are written in Chinese, further indicating Chinese-speaking operators.
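The behaviours described above translate directly into host-based hunt rules. The following is an added example, not code from the Talos report: it runs three checks over constructed Windows telemetry, namely an IIS worker process (w3wp.exe) spawning a command interpreter as a web shell would, notepad.exe making outbound network connections as an injected TetraLoader payload would, and any connection to the two Cobalt Strike C2 domains named in the article (stored defanged exactly as published). The event schema and sample events are assumptions for illustration.

```python
"""Hunt constructed Windows telemetry for the UAT-6382 behaviours described above."""
from dataclasses import dataclass

# C2 domains named in the Talos reporting, kept defanged as published.
C2_DOMAINS_DEFANGED = ["cdn[.]lgaircon[.]xyz", "www[.]roomako[.]com"]
# Interpreters a web shell on IIS typically spawns from the w3wp.exe worker process.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (cdn[.]example) back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


@dataclass
class Event:
    """Minimal assumed telemetry record (process-creation or network-connection)."""
    kind: str          # "process" or "network"
    image: str         # image name of the acting process, e.g. w3wp.exe
    parent: str = ""   # parent image for process events
    dest: str = ""     # destination hostname for network events
    port: int = 0


def triage(events):
    """Return (rule_name, event) pairs; one event may match several rules."""
    hits = []
    for e in events:
        if e.kind == "process" and e.parent.lower() == "w3wp.exe" \
                and e.image.lower() in SHELL_CHILDREN:
            hits.append(("iis_webshell_child", e))
        if e.kind == "network" and e.image.lower() == "notepad.exe":
            hits.append(("notepad_network", e))
        if e.kind == "network" and e.dest.lower() in C2_DOMAINS:
            hits.append(("known_c2_domain", e))
    return hits


# Constructed sample telemetry for demonstration; these are not real logs.
SAMPLE = [
    Event("process", "cmd.exe", parent="w3wp.exe"),
    Event("process", "conhost.exe", parent="cmd.exe"),
    Event("network", "notepad.exe", dest="cdn.lgaircon.xyz", port=443),
    Event("network", "chrome.exe", dest="example.com", port=443),
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE):
        print(f"{rule}: {ev}")
```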
Talos has published indicators of compromise (IOCs) related to this campaign.