Source: www.infosecurity-magazine.com
Chinese hackers are targeting local government organizations in the US by exploiting a vulnerability in Cityworks, a popular asset management system.
Cisco Talos said it has observed a threat actor tracked as UAT-6382 successfully conduct intrusions in the enterprise networks of municipal entities, beginning in January 2025.
Following initial access, the group conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access, potentially paving the way for further attacks. These include tools such as Cobalt Strike and VShell.
It has also demonstrated a clear interest in pivoting to systems related to utilities management post-exploitation.
Cisco assesses with high confidence that UAT-6382 is a financially motivated Chinese-speaking threat actor.
This is because the tooling used in the campaign contained code and messaging written in Chinese. Other indications include the tactics, techniques and procedures (TTPs) utilized and victimology.
How Chinese Actors Target Government Systems
In cases tracked by the researchers, UAT-6382 exploited a high-rated (CVSS 8.6) Cityworks vulnerability, CVE-2025-0994, to achieve initial access. This flaw can allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.
The vulnerability affects all Cityworks versions prior to 15.8.9, which was released by the product manufacturer Trimble in January 2025 to patch CVE-2025-0994.
Following exploitation, the threat actor conducted preliminary reconnaissance to identify and fingerprint the server.
This “almost immediately” led to the deployment of web shells to establish backdoor entry into the compromised network. These web shells consisted of multiple variations of AntSword, chinatso and Behinder, alongside additional generic file uploaders containing messages written in Chinese.
UAT-6382 then set about identifying files of interest and staged them in directories where they had deployed web shells for easy exfiltration.
The group also downloaded and deployed multiple backdoors in the compromised systems via PowerShell.
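The web shell deployment and file staging described above leave a recognisable footprint: script files under the IIS web root that were never part of the deployment, with bulk files parked beside them. The following is an added example of a baseline-diff hunt for that footprint, not Talos tooling or anything from the article; the web root paths and file names (x.aspx, assets.zip, cmd.ashx) are constructed for the demonstration.

```python
"""Baseline-diff hunt for web shells and staged exfiltration data under an
IIS web root. Added example for this article, not Talos tooling; inventories
are constructed inline (in practice: walk a known-good image and the live host)."""
from collections import defaultdict
from pathlib import PurePosixPath

# Server-side script extensions IIS executes; an unexpected new one is a shell candidate.
SCRIPT_EXT = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}
# Bulk/archive formats an intruder might stage next to a shell for download.
STAGED_EXT = {".zip", ".rar", ".7z", ".bak", ".csv", ".mdb", ".sql"}

# Constructed baseline: files present in the known-good deployment.
BASELINE = {
    "/inetpub/wwwroot/app/Default.aspx",
    "/inetpub/wwwroot/app/api/Service.asmx",
    "/inetpub/wwwroot/app/uploads/logo.png",
}
# Constructed live inventory: baseline plus the residue described in the
# article (new script and a staged archive in the same folder), plus noise.
LIVE = BASELINE | {
    "/inetpub/wwwroot/app/uploads/x.aspx",
    "/inetpub/wwwroot/app/uploads/assets.zip",
    "/inetpub/wwwroot/app/api/cmd.ashx",
    "/inetpub/wwwroot/app/css/site.css",
}

def hunt(baseline: set, live: set) -> dict:
    """Group files absent from the baseline by directory and rate each directory."""
    by_dir = defaultdict(lambda: {"scripts": [], "staged": []})
    for f in sorted(live - baseline):
        p = PurePosixPath(f)
        ext = p.suffix.lower()
        if ext in SCRIPT_EXT:
            by_dir[str(p.parent)]["scripts"].append(p.name)
        elif ext in STAGED_EXT:
            by_dir[str(p.parent)]["staged"].append(p.name)
    findings = {}
    for d, hit in by_dir.items():
        if hit["scripts"] and hit["staged"]:
            sev = "high"    # new script plus staged data: shell with exfil staging
        elif hit["scripts"]:
            sev = "medium"  # unexpected executable content under the web root
        else:
            sev = "low"     # new bulk file only; reconcile with change records
        findings[d] = {**hit, "severity": sev}
    return findings

if __name__ == "__main__":
    for d, f in hunt(BASELINE, LIVE).items():
        print(f"{f['severity']:6} {d}: scripts={f['scripts']} staged={f['staged']}")
```

A baseline diff like this complements, rather than replaces, the file hashes and network signatures Cisco published for this campaign, since it catches renamed or novel shells that hash-based indicators miss.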
Cisco recovered Rust-based loaders that decode the payloads and inject them into a benign process such as notepad[.]exe for execution. It tracks these loaders as ‘TetraLoader’, which was built using a malware builder called ‘MaLoader’ that is also written in Simplified Chinese.
Two types of payloads deployed by TetraLoader have been found on infected systems – Cobalt Strike beacons and a VShell stager, each of which connects to the attackers’ command and control (C2) domain.
Cobalt Strike is a legitimate pen-testing tool, often used by threat actors to provide a persistent backdoor to victims, paving the way for further activity such as ransomware deployment and cyber-espionage campaigns.
The VShell stager provides a wide range of remote access trojan functionality, including file management, arbitrary command execution, screenshot capture and running NPS-based proxies on the infected endpoint.
Cisco has published technical indicators, including network traffic signatures and file hashes, to help organizations detect exploitation attempts.
All Trimble Cityworks customers are urged to upgrade to the latest product version.
Original Post URL: https://www.infosecurity-magazine.com/news/chinese-hackers-cityworks-local/