Chinese-speaking threat actors exploit Cityworks zero-day to hack into US govt agencies

A Chinese-speaking threat actor has been observed exploiting a critical remote code execution (RCE) vulnerability (CVE-2025-0994) in the widely used asset management platform Trimble Cityworks.

The activity, detected by Cisco’s Talos threat intelligence team, has been attributed to a threat cluster tracked as “UAT-6382,” believed to involve Chinese-speaking actors. The attacks have been ongoing since at least January 2025 and have specifically targeted enterprise networks associated with local government agencies in the United States, particularly those linked to utilities management systems.

CVE-2025-0994 allows unauthenticated remote code execution on vulnerable Cityworks instances. Trimble, the developer of Cityworks, has published an advisory detailing the technical nature of the flaw and released corresponding indicators of compromise (IOCs). Cisco Talos confirmed that the IOCs it observed during incident response efforts match those highlighted in Trimble’s report.

According to Talos, the attackers rapidly moved from initial exploitation to establishing persistence by deploying multiple web shells, including known variants such as AntSword, chinatso/Chopper, and Behinder, often containing messages in Simplified Chinese. The tools were installed on compromised IIS web servers, enabling long-term unauthorized access.

Following the initial web shell deployment, the actors used Rust-based custom loaders, tracked by Talos as ‘TetraLoader’, to deliver and execute malware payloads. TetraLoader, built using a malware development kit called MaLoader (first observed in December 2024 and also written in Simplified Chinese), wraps shellcode into a Rust binary. Once deployed, the loader decrypts the payload and injects it into legitimate system processes such as notepad.exe.

Talos identified two primary payloads being delivered by TetraLoader:

  • Cobalt Strike Beacons: In-memory shellcode designed for command and control, lateral movement, and data exfiltration.

  • VShell Stager: A lightweight loader that communicates with a hardcoded command-and-control (C2) server to retrieve and execute further malicious code.

“Like other Chinese-authored tooling observed in the intrusions, VShell C2 panels are also written in Chinese. Although limited language support for English is available in the panel, it still mostly uses the Chinese language, indicating that operators need to be familiar with the language to use the panel proficiently,” Cisco Talos said.
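As an added illustration, not code from the Talos or Trimble reports, the Python sketch below flags the two host-level behaviours the article describes: an IIS worker process (w3wp.exe) spawning a command interpreter, which is how a web shell executes commands, and a process creating a remote thread in notepad.exe, which is how the loader is described injecting its payload. The event layout, process names and allowlist are constructed assumptions for the example, not indicators from the page.

```python
"""Constructed Sysmon-style events; field names follow Sysmon's ProcessCreate (ID 1)
and CreateRemoteThread (ID 8) schemas, but the values are made up for this example."""
from typing import Dict, List

# Command interpreters a web shell running under IIS would typically spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Assumed allowlist of processes permitted to create threads in notepad.exe.
INJECT_ALLOWLIST = {"csrss.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per event matching either rule."""
    alerts: List[str] = []
    for ev in events:
        if ev["EventID"] == "1":  # ProcessCreate: IIS worker -> shell
            parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
            if parent == "w3wp.exe" and child in SHELLS:
                alerts.append(f"webshell-exec: w3wp.exe -> {child} :: {ev['CommandLine']}")
        elif ev["EventID"] == "8":  # CreateRemoteThread into notepad.exe
            src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            if tgt == "notepad.exe" and src not in INJECT_ALLOWLIST:
                alerts.append(f"injection: {src} -> notepad.exe")
    return alerts


# Constructed sample telemetry: two malicious events, three benign ones.
SAMPLE_EVENTS = [
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe"},
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"EventID": "8", "SourceImage": r"C:\ProgramData\placeholder_loader.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": "8", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

In a real deployment the same two rules map directly onto Sysmon event IDs 1 and 8 and can be expressed as SIEM queries; the allowlist needs tuning per host role.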
