A Chinese-speaking threat actor tracked as UAT-6382 has been linked to the exploitation of a now-patched remote-code-execution vulnerability in Trimble Cityworks to deliver Cobalt Strike and VShell.
“UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance, and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access,” Cisco Talos researchers Asheer Malhotra and Brandon White said in an analysis published today. “Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utility management.”
The network security company said it observed the attacks targeting enterprise networks of local governing bodies in the United States starting January 2025.
CVE-2025-0944 (CVSS score: 8.6) refers to the deserialization of untrusted data vulnerability affecting the GIS-centric asset management software that could enable remote code execution. The vulnerability, since patched, was added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in February 2025.
According to indicators of compromise (IoCs) released by Trimble, the vulnerability has been exploited to deliver a Rust-based loader that launches Cobalt Strike and a Go-based remote access tool named VShell in an attempt to maintain long-term access to infected systems.
Cisco Talos, which is tracking the Rust-based loader as TetraLoader, said it’s built using MaLoader, a publicly available malware-building framework written in Simplified Chinese.
Successful exploitation of the vulnerable Cityworks application results in the threat actors conducting preliminary reconnaissance to identify and fingerprint the server, and then dropping web shells like AntSword, chinatso/Chopper, and Behinder that are widely put to use by Chinese hacking groups.
“UAT-6382 enumerated multiple directories on servers of interest to identify files of interest to them and then staged them in directories where they had deployed web shells for easy exfiltration,” the researchers said. “UAT-6382 downloaded and deployed multiple backdoors on compromised systems via PowerShell.”
