
Trimble Cityworks zero-day attacks on US local governments detailed


Chinese-speaking threat actors are suspected to have exploited a Trimble Cityworks zero-day vulnerability to deploy backdoors against local government entities in the United States, Cisco Talos reported Thursday.

The Cityworks flaw, tracked as CVE-2025-0994, was the subject of a Cybersecurity and Infrastructure Security Agency (CISA) advisory in February due to active exploitation. Cityworks is an asset and work management system designed for public infrastructure organizations.

Because the affected Cityworks software deserializes untrusted data, the vulnerability could enable remote code execution (RCE) on the Microsoft Internet Information Services (IIS) web server that hosts the Cityworks instance.

CVE-2025-0994 was patched in Trimble Cityworks version 15.8.9 on Jan. 28 and Cityworks with office companion version 23.10 on Jan. 29.

Web shells deployed by suspected Chinese-speaking attackers

Cisco Talos revealed previously unreported details about zero-day attacks on Cityworks instances affected by CVE-2025-0994, first observed at the beginning of January 2025. Cisco Talos tracks this cluster of intrusions as “UAT-6382.”

The attacks on U.S. local government networks were assessed with high confidence to be conducted by Chinese-speaking threat actors due to the use of tools with Chinese-language user interfaces (UIs) and containing Chinese messages, in addition to other factors like victimology and tactics, techniques and procedures (TTPs).

After gaining initial access via CVE-2025-0994, analysis revealed the UAT-6382 threat actors performed reconnaissance to fingerprint the server and then deployed web shells including AntSword, chinatso/Chopper and Behinder to facilitate backdoor entry. The attackers also used generic file uploaders containing Chinese-language messages.

AntSword is an open-source website administration tool designed for penetration testers and security researchers, which includes support for web shell management. AntSword has been used in other attacks by suspected Chinese threat actors, including attacks on Microsoft Exchange servers.

Behinder is another web shell tool commonly used in cyberattacks; it was also recently used in attacks by the China state-sponsored threat group APT41, also known as Winnti, against Japanese critical infrastructure organizations.

Once these web shells were in place, the UAT-6382 attackers enumerated directories on the victim server to identify files of interest and stage these files within the directories containing the web shells, to prepare them for exfiltration. The multiple backdoors were downloaded and deployed using PowerShell commands.

Custom Rust-based loader injects VShell RAT stager, Cobalt Strike beacons

Cisco Talos researchers also discovered the use of a novel loader, dubbed TetraLoader, which was built using a publicly available malware building framework known as MaLoader. MaLoader allows shellcode and other payloads to be wrapped in a Rust-based binary.

This simple loader decoded its embedded payloads and ultimately injected them into benign system processes for stealthy activation. The two payloads observed by Cisco Talos were a stager for the Golang-based VShell remote access trojan (RAT) and Cobalt Strike beacons used to communicate with command-and-control (C2) servers.

Once the stager retrieves the VShell RAT from a hardcoded C2 server address, the RAT enables the attacker to perform tasks such as managing files, taking screenshots, executing arbitrary commands and running Network Policy Server (NPS) based proxies, according to Cisco Talos.

The VShell RAT has been used in several other campaigns by China state-sponsored threat actors, including recent exploitations of a critical SAP NetWeaver vulnerability targeting U.S., UK and Saudi Arabian organizations.

In its advisory on CVE-2025-0994, Trimble not only urged customers to update to the latest software versions but also noted that “ISS should not be run with local or domain level administrative privileges on any site,” and said attachment directory root configurations should be limited to folders and subfolders that only contain attachments.
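Trimble's first recommendation is a configuration check an administrator can run without the vendor's help: look at which identity each IIS application pool runs under. The script below is an added example, not code from SC Media, Trimble or Cisco Talos; it parses a constructed `applicationHost.config` fragment (on a real server the file is `%windir%\System32\inetsrv\config\applicationHost.config`) and flags pools running as `LocalSystem` outright, while marking `SpecificUser` pools for a manual check that the account is not a local or domain administrator.

```python
"""
Added example (not from the SC Media article, Trimble or Cisco Talos): audit
the identities IIS application pools run under by parsing the
<applicationPools> section of applicationHost.config. The XML below is a
constructed sample; pool names and the service account are made up.
"""
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of applicationHost.config.
SAMPLE_APPHOST = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="Cityworks">
        <processModel identityType="LocalSystem" />
      </add>
      <add name="CityworksSvc">
        <processModel identityType="SpecificUser" userName="CORP\\svc_cityworks" />
      </add>
      <add name="Reports">
        <processModel identityType="NetworkService" />
      </add>
    </applicationPools>
  </system.applicationHost>
</configuration>
"""

# An identity that gives a compromised worker process full control of the host.
HIGH_RISK = {"LocalSystem"}


def audit_app_pools(apphost_xml: str):
    """Return a list of (pool_name, identity_type, user_name, risk) tuples.

    In the IIS schema a missing <processModel> or identityType attribute means
    ApplicationPoolIdentity, the per-pool virtual account that is the default.
    """
    root = ET.fromstring(apphost_xml)
    # Tag names containing a dot cannot be used in ElementTree path expressions,
    # so locate the section by iterating over the top-level children.
    apphost = next(c for c in root if c.tag == "system.applicationHost")
    pools = apphost.find("applicationPools")
    findings = []
    for pool in pools.findall("add"):
        name = pool.get("name")
        model = pool.find("processModel")
        identity = "ApplicationPoolIdentity"
        user = ""
        if model is not None:
            identity = model.get("identityType", "ApplicationPoolIdentity")
            user = model.get("userName", "")
        if identity in HIGH_RISK:
            risk = "high"      # worker process already runs with full machine privileges
        elif identity == "SpecificUser":
            risk = "review"    # confirm the account holds no local/domain admin rights
        else:
            risk = "ok"        # built-in low-privilege or per-pool virtual account
        findings.append((name, identity, user, risk))
    return findings


if __name__ == "__main__":
    for name, identity, user, risk in audit_app_pools(SAMPLE_APPHOST):
        print(f"{risk:6} {name:16} {identity} {user}")
```

The second half of Trimble's advice, restricting the attachment directory root, is a file-system ACL question rather than an `applicationHost.config` one; the same approach applies, with the pool's identity from this audit being the principal whose write permissions should be confined to the attachment folders.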

“While the intrusions mentioned in the blog have been contained, exploitation may be continuing in the wild. Use the indicators of compromise (IOCs) listed in the blog to scan your environment,” Cisco Talos stated in its most recent newsletter.
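Talos points defenders at the IOCs in its blog; the script below is an added example (not code from SC Media or Cisco Talos) of how a scan of an IIS web root would use them. It hashes every file and compares against an IOC set, and separately lists server-side script files (`.aspx`, `.ashx`, `.asmx`, `.asp`) modified after a known-good baseline, since a web shell staged under an attachment directory, as described above, shows up as exactly such a file. The web root, the file contents and the IOC hash are all constructed for the demo; the real hashes come from the Talos blog.

```python
"""
Added example (not from the SC Media article or the Cisco Talos blog): scan
an IIS web root for IOC hash matches and for script files newer than a
baseline snapshot. Every file and hash here is constructed for the demo.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Extensions IIS executes server-side; a dropped web shell needs one of these.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Constructed content standing in for a known-bad file, used only to derive a
# demo IOC hash. Replace DEMO_IOC_SHA256 with the published indicators.
SAMPLE_SUSPICIOUS_BYTES = (
    b'<%@ Page Language="C#" %>\n'
    b"<!-- constructed sample for the demo, not a real web shell -->\n"
)
DEMO_IOC_SHA256 = {hashlib.sha256(SAMPLE_SUSPICIOUS_BYTES).hexdigest()}


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large attachments are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_webroot(root, ioc_hashes, baseline_epoch):
    """Walk `root` and return (hash_hits, new_scripts).

    hash_hits:   [(path, sha256)] for files whose hash is in `ioc_hashes`.
    new_scripts: [path] for script files modified after `baseline_epoch`.
    """
    hash_hits, new_scripts = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            digest = sha256_of(path)
            if digest in ioc_hashes:
                hash_hits.append((str(path), digest))
            if (path.suffix.lower() in SCRIPT_EXTENSIONS
                    and path.stat().st_mtime > baseline_epoch):
                new_scripts.append(str(path))
    return hash_hits, new_scripts


def build_sample_webroot():
    """Create a constructed web root in a temp dir: a legitimate page older than
    the baseline, a PDF attachment, and a script file dropped after the baseline.
    Returns (root_path, baseline_epoch)."""
    root = Path(tempfile.mkdtemp(prefix="iis-scan-demo-"))
    baseline = time.time()
    legit = root / "Default.aspx"
    legit.write_bytes(b'<%@ Page Language="C#" %>\n<h1>Work orders</h1>\n')
    os.utime(legit, (baseline - 30 * 86400,) * 2)   # a month before the baseline
    attach = root / "attachments"
    attach.mkdir()
    (attach / "invoice.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
    dropped = attach / "upload.aspx"
    dropped.write_bytes(SAMPLE_SUSPICIOUS_BYTES)
    os.utime(dropped, (baseline + 3600,) * 2)       # an hour after the baseline
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_webroot()
    hits, new = scan_webroot(root, DEMO_IOC_SHA256, baseline)
    print("IOC hash matches:", hits)
    print("script files newer than baseline:", new)
```

Hash matching only catches the exact samples Talos saw; the newer-than-baseline check is the part that still fires when an attacker recompiles or re-encodes a web shell, so both lists deserve review.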

A Cisco representative declined to comment further when contacted by SC Media.
