Full Report
A Chinese-speaking threat actor tracked as UAT-6382 has been linked to the exploitation of a now-patched remote-code-execution vulnerability in Trimble Cityworks to deliver Cobalt Strike and VShell. "UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance, and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access," Cisco Talos researchers
Analysis Summary
# Threat Actor: UAT-6382
## Attribution & Identity
* **Attribution:** Linked to Chinese-speaking threat actors.
* **Aliases:** UAT-6382 (Tracking designation by Cisco Talos).
## Activity Summary
* **Historical Activities/Campaigns:** Observed exploiting the critical vulnerability CVE-2025-0944 in Trimble Cityworks instances starting in January 2025.
* **Objective:** Gaining initial access to pivot to systems related to utility management within targeted organizations. The actor focused on reconnaissance and establishing long-term access.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploited the deserialization vulnerability in **Trimble Cityworks (CVE-2025-0944, CVSS 8.6)** to achieve remote code execution (RCE).
* **Execution/Persistence:**
  * Deployed a **Rust-based loader** tracked as **TetraLoader** (built using the publicly available MaLoader framework).
  * Deployed post-exploitation tools, including **Cobalt Strike** and the Go-based remote access tool **VShell**.
  * Dropped various **web shells** for persistence, specifically AntSword, chinatso/Chopper, and Behinder.
  * Deployed multiple backdoors using **PowerShell**.
* **Discovery/Collection:** Conducted reconnaissance to identify and fingerprint servers, and enumerated directories to locate files of interest for exfiltration.
* **Exfiltration:** Staged files in directories where web shells were deployed for easier subsequent exfiltration.
* **MITRE ATT&CK Associations (Implied):** Initial Access (T1190 - Exploit Public-Facing Application), Execution (T1059.001 - PowerShell), Command and Control (T1071 - Application Layer Protocol via Cobalt Strike).
## Targeting
* **Sectors:** Local governing bodies (implied government/municipal utility management).
* **Geography:** United States.
* **Victims:** Enterprise networks of local governing bodies in the U.S.
## Tools & Infrastructure
* **Malware Families Used:**
  * TetraLoader (Rust-based loader utilizing the MaLoader framework)
  * Cobalt Strike
  * VShell (Go-based remote access tool)
  * Web shells: AntSword, chinatso/Chopper, Behinder
* **Infrastructure (Implied):** Utilized C2 frameworks associated with post-exploitation tools (Cobalt Strike) and C2 traffic via web shells/backdoors.
## Implications
UAT-6382 demonstrates a capability to rapidly discover and weaponize critical vulnerabilities affecting operational technology (OT)-adjacent systems such as utility management software (Cityworks). Its clear targeting interest in utility management systems within U.S. government networks suggests potential preparatory steps for disruptive or espionage activity against critical infrastructure management. The use of well-known Chinese-linked tools (the MaLoader framework, specific web shells) strengthens confidence in the attribution.
## Mitigations
* Immediately patch or mitigate **CVE-2025-0944** affecting Trimble Cityworks (if not already completed).
* Review environments for indicators of compromise related to **TetraLoader, Cobalt Strike beacons, and VShell**, particularly on systems associated with utility or asset management.
* Monitor for the deployment of common Chinese-linked web shells like **AntSword, Chopper, or Behinder**.
* Implement heightened monitoring of PowerShell usage and directory enumeration on servers hosting high-value applications, as both were used during post-exploitation activity.
* Review the security configuration of assets used for utility-management GIS and asset control.
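As an added example (not part of the report or of Cisco Talos' tooling), a heuristic triage script a defender could run against an ASP.NET web root such as a Cityworks IIS site to surface newly written server-side script files and pages carrying strings typical of the web-shell families named above; the indicator patterns, file extensions and the constructed sample files are assumptions for illustration, not indicators from the report:

```python
"""Heuristic web-shell triage for an ASP.NET web root (added example).
Indicator strings are assumptions drawn from commonly documented
Chopper/AntSword/Behinder ASPX variants; tune them to your environment."""
import os
import re
import tempfile
import time
from pathlib import Path

# Server-side script extensions an IIS/ASP.NET site would execute (assumed set).
SCRIPT_EXT = {".aspx", ".ashx", ".asmx", ".asp"}

# Content heuristics (assumed). The crypto one has real false-positive potential.
INDICATORS = {
    # Chopper/AntSword-style one-liners evaluate a request parameter in-page.
    "eval_request_item": re.compile(r"eval\s*\(\s*Request\.Item\[", re.I),
    # Behinder-style shells decrypt their commands with in-page symmetric crypto.
    "symmetric_crypto_in_page": re.compile(
        r"RijndaelManaged|AesCryptoServiceProvider", re.I),
}

def scan_webroot(root, recent_seconds=7 * 86400):
    """Return (relative_path, reasons) for script files that were written within
    recent_seconds or that match any content indicator."""
    findings, now = [], time.time()
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXT:
            continue
        reasons = []
        if now - path.stat().st_mtime < recent_seconds:
            reasons.append("recently_modified")
        text = path.read_text(errors="ignore")
        reasons += [name for name, rx in INDICATORS.items() if rx.search(text)]
        if reasons:
            findings.append((path.relative_to(root).as_posix(), sorted(reasons)))
    return sorted(findings)

def demo():
    """Constructed web root: one old benign page, one fresh page with a
    non-functional fragment that trips the eval_request_item heuristic."""
    root = tempfile.mkdtemp()
    benign = Path(root, "Default.aspx")
    benign.write_text('<%@ Page Language="C#" %><html>Cityworks login</html>')
    old = time.time() - 400 * 86400
    os.utime(benign, (old, old))  # pretend it shipped with the original install
    dropped = Path(root, "uploads", "x.aspx")
    dropped.parent.mkdir()
    dropped.write_text("<% /* constructed fragment */ eval(Request.Item[ %>")
    return scan_webroot(root)  # [('uploads/x.aspx', ['eval_request_item', 'recently_modified'])]
```

Run it on a real web root by calling `scan_webroot(r"C:\inetpub\wwwroot")` (path is a placeholder) and baseline the results, since legitimate application pages can match the crypto heuristic.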