Chinese hackers exploit Trimble CityWorks flaws to infiltrate US government networks

2 Min Read

A Chinese-speaking threat actor tracked as UAT-6382 has been linked to the exploitation of a now-patched remote code execution vulnerability in Trimble CityWorks to deliver Cobalt Strike and VShell.

“UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance and quickly deployed various web shells and custom-made malware to maintain long-term access,” Cisco Talos researchers said. “UAT-6382 expressed a clear interest in pivoting to systems related to utility management.”

The network security company said it had observed attacks targeting the enterprise networks of US local government entities since January 2025.

CVE-2025-0944 (CVSS score: 8.6) is a deserialization of untrusted data vulnerability in the GIS-centric asset management software that allows remote code execution. The vulnerability was added to the Known Exploited Vulnerabilities (KEV) catalog by the US Cybersecurity and Infrastructure Security Agency (CISA) in February 2025, after it had been patched.

According to the indicators of compromise (IoCs), the vulnerability is being used to deliver a Rust-based loader that launches Cobalt Strike and a Go-based remote access tool, VShell, to maintain long-term access to infected systems.

Cisco Talos, which tracks the Rust-based loader as TetraLoader, said it was built using MaLoader, a publicly available malware-building framework written in Simplified Chinese.

Chinese hackers exploit the defects in Trimble CityWorks

Following successful exploitation of vulnerable CityWorks applications, the threat actor, having first performed reconnaissance to identify and fingerprint the servers, dropped the AntSword, chinatso/Chopper and Behinder web shells, which are widely used by Chinese hacking groups.

“UAT-6382 enumerated multiple directories on servers of interest, identified files of interest, and staged them in directories where we had our web shell expanded for easy removal,” the researchers said. “UAT-6382 downloaded and deployed multiple backdoors to compromised systems via PowerShell.”
