Introduction
Cyber threats continue to grow in sophistication and scale, as the recent findings from Cisco Talos researchers show. Talos attributes the exploitation of a severe vulnerability, CVE-2025-0994, to the Chinese-speaking hacking group it tracks as UAT-6382. The group has been using custom malware, web shells, and post-exploitation tools to infiltrate U.S. local government networks, particularly those that run Trimble Cityworks, an asset management platform widely used by utilities and municipalities. This article covers the details of the attack, the methods the hackers employed, and the broader implications for cybersecurity.
The Original
The vulnerability CVE-2025-0994 is a deserialization of untrusted data flaw in Trimble Cityworks that lets an authenticated user achieve remote code execution on the Microsoft IIS web server hosting the application. Its CVSS v4 base score of 8.6 places it in the high-severity range (critical begins at 9.0). In February 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog because it was being exploited in the wild. Cisco Talos identified the Chinese-speaking hacking group UAT-6382 as the primary threat actor using this vulnerability.
Since January 2025, UAT-6382 has been targeting U.S. local government networks, deploying web shells and custom malware on utility systems. Web shells such as AntSword, chinatso, and Chopper were installed on the compromised IIS web servers, giving the attackers persistent access. The attackers then used Rust-based loaders such as TetraLoader, built with the MaLoader malware-building framework, to deploy additional payloads including Cobalt Strike and VShell for longer-term access.
After exploiting the Cityworks vulnerability, UAT-6382 ran reconnaissance commands to gather system information, list directories, and enumerate running tasks. They then staged sensitive files for exfiltration and deployed multiple backdoors. Notably, TetraLoader decoded its embedded payload and injected it into a benign process, such as notepad.exe, to deliver a Cobalt Strike beacon or a VShell stager.
The Cobalt Strike beacons communicated with domains such as cdn[.]lgaircon[.]xyz and www[.]roomako[.]com and were configured to evade detection, while the VShell stagers connected to hardcoded IP addresses and fetched encrypted payloads, giving the attackers full remote access to and control over the infected systems.
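The post-exploitation chain described in the two paragraphs above (IIS web shell running reconnaissance commands, TetraLoader injecting into notepad.exe, beacons resolving the named domains) maps onto host telemetry that most municipal SOCs already collect. The following script is an added example, not code from the Talos report, Security Affairs, or this article: it refangs the two beacon domains the article lists, then runs three detection rules over constructed Sysmon-style events (event IDs 1, 8 and 22 for process creation, CreateRemoteThread and DNS query). The hostnames, file paths, the command lines in the sample events, and the rule names are all assumptions made for illustration; the w3wp.exe-spawns-a-shell heuristic is a general web-shell detection, not a detail from the report.

```python
"""Triage host telemetry for the UAT-6382 tradecraft described in the article.

Added example, not from the Talos report. Sample events are constructed
Sysmon-style records (EventID 1 = process create, 8 = CreateRemoteThread,
22 = DNS query) with hypothetical hostnames and paths.
"""
import json
import re
from typing import Iterable

# Beacon domains named in the article, in the defanged form it uses.
DEFANGED_IOCS = ["cdn[.]lgaircon[.]xyz", "www[.]roomako[.]com"]

IIS_WORKER = "w3wp.exe"           # IIS worker process; a web shell runs commands as its child
SHELLS = {"cmd.exe", "powershell.exe"}
INJECTION_TARGET = "notepad.exe"  # benign process the report says TetraLoader injected into
# Reconnaissance the article says followed exploitation: system info, directory listing, tasks.
RECON = re.compile(r"\b(whoami|systeminfo|hostname|ipconfig|tasklist|dir|net\s+(user|group))\b", re.I)


def refang(ioc: str) -> str:
    """Turn the article's 'cdn[.]lgaircon[.]xyz' back into a matchable domain."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> list:
    """Return one finding dict per event that matches a rule, in input order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process creation: shell spawned by the IIS worker = web shell activity
            parent = basename(ev.get("ParentImage", ""))
            child = basename(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            if parent == IIS_WORKER and child in SHELLS:
                rule = "webshell_recon" if RECON.search(cmd) else "webshell_cmd_exec"
                findings.append({"rule": rule, "host": ev.get("Computer"), "cmd": cmd})
        elif eid == 8:  # remote thread created in notepad.exe = likely payload injection
            if basename(ev.get("TargetImage", "")) == INJECTION_TARGET:
                findings.append({"rule": "injection_into_notepad", "host": ev.get("Computer"),
                                 "source": ev.get("SourceImage")})
        elif eid == 22:  # DNS query for a beacon domain or any subdomain of one
            q = ev.get("QueryName", "").lower().rstrip(".")
            if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
                findings.append({"rule": "beacon_dns_ioc", "host": ev.get("Computer"),
                                 "domain": q, "image": ev.get("Image")})
    return findings


# Constructed sample telemetry (hypothetical host "cityworks-web01"); not real data.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "cityworks-web01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'cmd.exe /c "whoami & dir C:\inetpub\wwwroot & tasklist"'},
    {"EventID": 1, "Computer": "cityworks-web01", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "notepad.exe"},
    {"EventID": 8, "Computer": "cityworks-web01", "SourceImage": r"C:\ProgramData\svc.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 22, "Computer": "cityworks-web01", "Image": r"C:\Windows\System32\notepad.exe",
     "QueryName": "cdn.lgaircon.xyz"},
    # Benign noise that must not fire: a browser lookup and an admin at the console.
    {"EventID": 22, "Computer": "cityworks-web01",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.example.com"},
    {"EventID": 1, "Computer": "cityworks-web01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

On the sample data the script raises three findings: the web shell reconnaissance, the thread injected into notepad.exe, and the DNS query for a listed beacon domain, while the browser lookup and the console `dir` stay quiet. In production, feed it the real Sysmon or EDR export and extend `DEFANGED_IOCS` from the Talos IOC repository rather than hand-typing domains.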
Talos published indicators of compromise (IOCs) in its GitHub repository to help defenders detect and respond to this threat.
What Undercode Says:
The exploitation of CVE-2025-0994 highlights the growing threat posed by advanced persistent threat (APT) groups, particularly those with state-level resources behind them. UAT-6382's use of the Trimble Cityworks vulnerability is a targeted approach: exploit one flaw in a widely deployed software product to gain unauthorized access to critical infrastructure.
One of the more concerning aspects of this attack is the use of Rust-based malware loaders such as TetraLoader. Rust's growing adoption for malware development matters to defenders because Rust binaries tend to defeat signatures and analysis tooling built around C/C++ compiler conventions, so they slip past controls that would catch older loaders. That MaLoader is a Chinese-language framework further supports the link to Chinese-speaking threat actors.
UAT-6382's post-compromise activity also shows a capacity for long-term persistent access. With web shells such as AntSword and chinatso in place, the group can keep control of infected systems and carry out further malicious activity, such as exfiltrating sensitive data and deploying additional backdoors. This kind of intrusion is stealthy and often bypasses traditional security controls that are not tuned to detect these web shells or loaders.
Another critical aspect is the attack's focus on utility systems, which are integral to the functioning of local governments. Disrupting them can have severe consequences, including service interruptions, data breaches, and exposure of sensitive infrastructure. The sophistication of the attack and the use of Chinese-language tooling suggest it could be part of a broader cyber espionage campaign aimed at U.S. critical infrastructure.
This case demonstrates the need for stronger cybersecurity at the municipal level, and underlines the importance of rapid vulnerability patching and of threat intelligence in identifying emerging threats. Collaboration between the public and private sectors will be essential to mitigate such attacks and protect vulnerable systems from further exploitation.
Fact Checker Results
Accuracy: The vulnerability CVE-2025-0994 is accurately described in the article, and Talos' attribution of the attack to UAT-6382 based on tooling and TTPs is consistent with known attack patterns.
Tools and Techniques: The use of TetraLoader and of tools such as Cobalt Strike and VShell is well documented, reinforcing the article's claims about the attack's sophistication.
Impact: The report correctly highlights the risks posed by exploitation of critical infrastructure systems and the urgency of a response.
Prediction
Future Implications: Rust-based malware loaders like TetraLoader may become a more common tactic among APT groups. As defenses evolve, attackers will adapt with new techniques for exploiting vulnerabilities in critical infrastructure systems. Other Chinese-speaking threat actors are likely to adopt similar tactics, targeting additional government and utility sectors to maintain persistent access for espionage and disruption.
References:
Reported By: securityaffairs.com