Stratos Ally

Hackers Exploit Trimble Cityworks with Rust-Based Loader and Web Shells


StratosAlly


A Chinese-speaking hacking group tracked as UAT-6382 has been observed exploiting a serious security flaw in Trimble Cityworks software to install hacking tools such as Cobalt Strike and VShell.

According to a report by Cisco Talos researchers Asheer Malhotra and Brandon White, the attackers took advantage of a now-fixed vulnerability (CVE-2025-0944) that allowed them to run code remotely. After breaking in, they explored the affected systems and installed web shells and custom malware to maintain persistent access. Their main interest was in utility management systems.

The attacks began in January 2025 and mostly targeted local government networks in the U.S. 

The vulnerability, rated 8.6 out of 10 in severity, involved insecure handling of data in the Cityworks software. It was confirmed as actively exploited in February 2025 and has since been patched.

Trimble shared that hackers are using a known flaw in its Cityworks software to install a Rust-based program that launches hacking tools like Cobalt Strike and a remote access tool called VShell, developed in Go. These tools help the attackers keep control over the infected systems for a long time. 

Cisco Talos calls the Rust-based program “TetraLoader”. The loader is derived from MaLoader, an open-source malware framework that was made publicly available on GitHub in late 2024.

Once the attackers gain access to Cityworks, they first gather information about the system to understand its setup. They then install web shells such as AntSword, Chinatso/Chopper, and Behinder, tools commonly used by Chinese APT groups.

According to the researchers, UAT-6382 searched through folders on targeted servers to find valuable files. They then moved those files to the directories where they had installed web shells, making the files easier to exfiltrate. The hackers also installed several hidden backdoors using PowerShell to maintain access.
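The behaviour described above (a script file dropped where the application never had one, then driven by repeated POSTs from a web-shell manager) leaves traces in the IIS request logs of a Cityworks server. The following Python script is an added example, not code from the article or from Cisco Talos: it parses W3C-format IIS log lines and flags the combination of signals a defender would look for. The sample log lines, the inventory of known application scripts, the static-content directory list and the user-agent hints are all constructed for illustration and are assumptions, not indicators from the incident.

```python
"""Flag web-shell-style request patterns in IIS W3C logs (added example, constructed data)."""
from collections import defaultdict

# Constructed sample IIS log lines; not telemetry from the incident. IIS writes '+' for
# spaces inside the user agent, so each field is a single whitespace-free token.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-01-15 08:01:12 10.0.0.5 GET /cityworks/Login.aspx - 443 198.51.100.20 Mozilla/5.0+(Windows) 200
2025-01-15 08:02:40 10.0.0.5 POST /cityworks/Login.aspx - 443 198.51.100.20 Mozilla/5.0+(Windows) 302
2025-01-15 08:05:03 10.0.0.5 POST /cityworks/images/up.aspx - 443 203.0.113.9 antSword/v2.1 200
2025-01-15 08:05:10 10.0.0.5 POST /cityworks/images/up.aspx - 443 203.0.113.9 antSword/v2.1 200
2025-01-15 08:06:55 10.0.0.5 POST /cityworks/images/up.aspx - 443 203.0.113.9 antSword/v2.1 200
2025-01-15 08:09:00 10.0.0.5 GET /cityworks/images/logo.png - 443 198.51.100.21 Mozilla/5.0+(Windows) 200
"""

# Assumed inventory of script endpoints the deployed application legitimately serves
# (in practice: generated from the vendor install, lower-cased).
KNOWN_SCRIPTS = {"/cityworks/login.aspx"}

# Extensions that execute server-side under IIS.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".svc")
# Directories that should only ever hold static content (assumed layout).
STATIC_DIRS = ("/images/", "/css/", "/js/", "/fonts/", "/uploads/", "/temp/")
# Substrings seen in user agents of web-shell management clients; a heuristic, not a vetted signature list.
SHELL_CLIENT_HINTS = ("antsword", "behinder")


def parse_iis_log(text):
    """Turn W3C log text into dicts keyed by the names in the '#Fields:' directive."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any field list
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def find_webshell_indicators(records, known_scripts, post_threshold=3):
    """Return one finding per (uri, client) pair that trips at least one heuristic."""
    reasons = defaultdict(set)
    post_counts = defaultdict(int)
    for r in records:
        uri = r["cs-uri-stem"].lower()
        ua = r["cs(User-Agent)"].lower()
        key = (uri, r["c-ip"])
        is_script = uri.endswith(SCRIPT_EXT)
        # A server-side script living in a static-content folder is where dropped shells end up.
        if is_script and any(d in uri for d in STATIC_DIRS):
            reasons[key].add("script under static-content directory")
        # Web shells are driven by POSTs to a file the application never shipped.
        if is_script and uri not in known_scripts and r["cs-method"] == "POST":
            post_counts[key] += 1
        if any(h in ua for h in SHELL_CLIENT_HINTS):
            reasons[key].add("web-shell client user agent")
    for key, n in post_counts.items():
        if n >= post_threshold:
            reasons[key].add(f"{n} POSTs to script not in the application inventory")
    return [
        {"uri": uri, "client": client, "reasons": sorted(rs)}
        for (uri, client), rs in sorted(reasons.items())
    ]


def scan_sample():
    """Run the heuristics over the constructed sample log."""
    return find_webshell_indicators(parse_iis_log(SAMPLE_LOG), KNOWN_SCRIPTS)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding["client"], finding["uri"], "->", "; ".join(finding["reasons"]))
```

The three heuristics are deliberately independent: a shell renamed to look like an application page still trips the unknown-script POST count, and a shell operated through a browser-like user agent still trips the static-directory check. Tune `post_threshold` and the directory list to the real deployment, and feed the script `parse_iis_log(open(path).read())` instead of the constructed sample.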
