A Chinese-speaking hacker group, tracked as UAT-6382, has exploited a now-patched zero-day vulnerability in Trimble Cityworks software to breach multiple local government networks across the United States, according to Cisco Talos researchers.
Trimble Cityworks is widely used by municipalities and utility organizations to manage public infrastructure, permitting, and work orders. The attackers exploited a critical deserialization flaw (CVE-2025-0994) in Cityworks deployments running on Microsoft IIS web servers, which allowed remote code execution on vulnerable systems.
First detected in January 2025, the attack campaign deployed Rust-based malware loaders, Cobalt Strike beacons, VSHell backdoors, and web shells like AntSword and Chopper, all containing Chinese-language indicators. The group also used a custom tool named TetraLoader, created with a malware builder known as MaLoader, which is also written in Simplified Chinese.
Cisco Talos notes that the attackers showed a particular interest in utilities management systems, suggesting a strategic focus on critical infrastructure.
In February 2025, Trimble released patches to address the vulnerability, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) swiftly added the bug to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch their systems within 21 days.
CISA also issued a sector-wide alert urging organizations involved in water, energy, transportation, communications, and public services to update Cityworks immediately to prevent further exploitation.
This incident underscores the growing sophistication and persistence of state-aligned threat actors targeting essential infrastructure software in the United States.
Bijay Pokharel