Chinese Cyber Attackers Target Trimble Cityworks Vulnerability to Breach U.S. Government Networks

Published:

spot_img

gpt]
Rewrite the content fetched from

May 22, 2025Ravie LakshmananVulnerability / Threat Intelligence

Chinese Cyber Attackers Target Trimble Cityworks Vulnerability to Breach U.S. Government Networks

A Chinese-speaking threat actor tracked as UAT-6382 has been linked to the exploitation of a now-patched remote-code-execution vulnerability in Trimble Cityworks to deliver Cobalt Strike and VShell.

“UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance, and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access,” Cisco Talos researchers Asheer Malhotra and Brandon White said in an analysis published today. “Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utility management.”

The network security company said it observed the attacks targeting enterprise networks of local governing bodies in the United States starting January 2025.

CVE-2025-0944 (CVSS score: 8.6) refers to the deserialization of untrusted data vulnerability affecting the GIS-centric asset management software that could enable remote code execution. The vulnerability, since patched, was added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in February 2025.

Cybersecurity

According to indicators of compromise (IoCs) released by Trimble, the vulnerability has been exploited to deliver a Rust-based loader that launches Cobalt Strike and a Go-based remote access tool named VShell in an attempt to maintain long-term access to infected systems.

Cisco Talos, which is tracking the Rust-based loader as TetraLoader, said it’s built using MaLoader, a publicly available malware-building framework written in Simplified Chinese that first appeared on GitHub in December 2024.

Chinese Hackers Exploit Trimble Cityworks Flaw

Successful exploitation of the vulnerable Cityworks application results in the threat actors conducting preliminary reconnaissance to identify and fingerprint the server, and then dropping web shells like AntSword, chinatso/Chopper, and Behinder that are widely put to use by Chinese hacking groups.

“UAT-6382 enumerated multiple directories on servers of interest to identify files of interest to them and then staged them in directories where they had deployed web shells for easy exfiltration,” the researchers said. “UAT-6382 downloaded and deployed multiple backdoors on compromised systems via PowerShell.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

into a completely fresh, human-written article that feels authentic and naturally written. The tone must reflect everyday human communication—professional, clear, and engaging without sounding like it’s generated by AI. Strictly avoid generic AI-style phrases, exaggerations, filler lines, or hallucinated content.

Structure the article with appropriate subheadings (H2, H3, etc.) and ensure it is *at least 500 words*. Each paragraph should be well-structured, focusing on a specific angle or detail from the source.

Incorporate *high-ranking SEO keywords* relevant to the topic where naturally appropriate—never forced. Prioritize keyword-rich phrases commonly searched online while maintaining readability and flow.

Use real-world phrasing, straight facts, and simple but intelligent language as used in human-authored blogs or news articles. Avoid summaries or conclusions; focus purely on rewriting the key points into a compelling narrative without inventing new ideas.

Do not add your own opinions or additional content—strictly rephrase and rewrite the original source material in a fresh, optimized, and human-sounding format.
[/gpt3]

spot_img

Related articles

Recent articles

1Password Advances Secure Credential Access for AI Agents with Claude Integration

1Password Advances Secure Credential Access for AI Agents with Claude Integration In a significant development for cybersecurity and artificial intelligence, 1Password has launched 1Password for...

Two Scattered Spider Hackers Sentenced to 5.5 Years Each for £29 Million Transport for London Cyberattack

Two Scattered Spider Hackers Sentenced to 5.5 Years Each for £29 Million Transport for London Cyberattack In a significant legal development, Owen Flowers, 18, and...

Bclub Accelerates the Evolution of Dark Web Commerce: Insights for Researchers

Bclub Accelerates the Evolution of Dark Web Commerce: Insights for Researchers The dark web has increasingly captured the attention of cybersecurity experts, law enforcement, and...

Barracuda Acquires Evo Security to Strengthen Identity Resilience for Managed Service Providers

Barracuda Acquires Evo Security to Strengthen Identity Resilience for Managed Service Providers Barracuda Networks has officially announced its acquisition of Evo Security, a specialized provider...