Full Report
Since January, cybersecurity experts have seen Chinese-speaking hackers exploiting a bug impacting a tool used by local governments to manage critical infrastructure assets and other services.
Analysis Summary
# Threat Actor: Unnamed Chinese-speaking Threat Actors (Leveraging CVE-2025-0994)
## Attribution & Identity
* **Identification:** Chinese-speaking threat actors.
* **Confidence:** Assessed with "high confidence" based on tools used, tactics, and victims.
* **Language Indicators:** Malware and tools contained messages written in the Chinese language, and one tool was built using 'MaLoader,' a malware-builder also written in Simplified Chinese.
## Activity Summary
* **Timeline:** Observed exploiting CVE-2025-0994 since January.
* **Campaign Focus:** Exploiting a critical vulnerability (CVE-2025-0994) in the Trimble Cityworks asset management platform used by local governments.
* **Objectives:** Conducted extensive reconnaissance, deployed web shells and custom malware for persistence, and showed a clear interest in pivoting to utilities-management systems immediately after gaining initial access. The actors identified directories and files of interest and staged them for exfiltration.
## Tactics, Techniques & Procedures
* Exploitation of Public-Facing Applications (CVE-2025-0994).
* Initial Access via vulnerability exploitation.
* Execution/Persistence via rapid deployment of web shells and custom-made malware.
* Discovery: Looking for directories and files of interest post-access.
* Exfiltration preparation activities observed.
## Targeting
* **Sectors:** Local governments, critical infrastructure management (specifically noted interest in utility management systems).
* **Geography:** United States (US local and federal government agencies).
* **Victims:** Local governments managing infrastructure assets for airports, utilities, municipalities, and counties using Trimble Cityworks.
## Tools & Infrastructure
* **Malware Families used:** Custom-made malware, unspecified web shells.
* **Malware Builder:** 'MaLoader' (written in Simplified Chinese).
* **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the provided context.
## Implications
This activity indicates a targeted focus by Chinese-speaking actors on exploiting known software vulnerabilities within US local government infrastructures, specifically those managing critical assets like utilities. The actors prioritized establishing long-term access and pivoting toward sensitive utility management systems, suggesting potential espionage or preparation for disruption of essential services.
## Mitigations
* Immediate patching of CVE-2025-0994, especially for systems managing critical infrastructure.
* Enhanced monitoring for web shell deployment and unauthorized persistence mechanisms on asset management platforms (Trimble Cityworks).
* Reviewing network segmentation, specifically limiting lateral movement between asset management systems and core utility operational technology (OT) environments.