The PolySwarm Blog

Chinese Threat Actors Leverage CVE-2025-0994 to Attack US Government Networks

May 30, 2025 2:12:44 PM / by The Hivemind

Verticals Targeted: Government, Utilities
Regions Targeted: US
Related Families: TetraLoader, Cobalt Strike, VShell, AntSword, chinatso/Chopper, Behinder

Executive Summary

UAT-6382, a Chinese-speaking threat actor, was observed exploiting a zero-day vulnerability (CVE-2025-0994) in Cityworks to deploy sophisticated malware, targeting U.S. local government networks since January 2025. The campaign focuses on utilities management systems, using Rust-based loaders and web shells for persistent access and data exfiltration.

Key Takeaways

  • UAT-6382 exploits CVE-2025-0994, a remote code execution flaw in Cityworks, to gain initial access to Microsoft IIS servers.
  • The threat actor deploys TetraLoader, a Rust-based loader built with the MaLoader framework, to deliver Cobalt Strike and VShell malware.
  • Web shells like AntSword and chinatso/Chopper, containing Chinese-language messaging, facilitate persistence and file staging.
  • Attacks target U.S. local government networks, with a focus on utilities management systems, observed since January 2025.

The Activity

Cisco Talos has uncovered a sophisticated campaign by UAT-6382, a Chinese-speaking threat actor, exploiting a zero-day vulnerability in Cityworks, a widely used asset management platform. Tracked as CVE-2025-0994, this remote code execution (RCE) flaw, with a CVSS score of 8.6, targets Microsoft Internet Information Services (IIS) servers running Cityworks versions prior to 15.8.9. Since January 2025, UAT-6382 has focused on U.S. local government networks, particularly those managing utilities, deploying advanced malware to maintain long-term access and stage data for exfiltration.

The attack chain begins with exploitation of CVE-2025-0994, allowing unauthenticated RCE. UAT-6382 conducts rapid reconnaissance using commands like `ipconfig`, `dir`, and `tasklist` to fingerprint compromised servers. Within minutes, the actors deploy web shells, including AntSword, chinatso/Chopper, and Behinder, many featuring Chinese-language messaging, reinforcing attribution to Chinese-speaking operators. These web shells enable persistent access, file enumeration, and staging in directories like `c:\inetpub\wwwroot\CityworksServer\Uploads\` for exfiltration.

A key component of the campaign is TetraLoader, a Rust-based loader built using the MaLoader framework, which emerged on GitHub in December 2024. Written in Simplified Chinese, MaLoader allows operators to wrap shellcode into Rust binaries. TetraLoader injects payloads, such as Cobalt Strike beacons and VShell stagers, into benign processes like `notepad.exe`. VShell, a GoLang-based implant, communicates with hardcoded command-and-control (C2) servers, using rudimentary socket APIs. It supports file management, command execution, screenshot capture, and proxy capabilities, ensuring robust remote access.

UAT-6382 also leverages PowerShell to deploy backdoors, enhancing persistence. The actors’ focus on utilities management systems suggests a strategic intent to compromise critical infrastructure. Talos observed intrusions in U.S. municipal networks, with Trimble and CISA issuing advisories aligning with these findings. Trimble’s patch in Cityworks 15.8.9 addresses the vulnerability, and organizations are urged to update immediately.

The campaign’s sophistication lies in its rapid execution and layered malware deployment. TetraLoader’s use of Rust, combined with MaLoader’s accessibility, highlights the evolving threat landscape, where open-source tools empower advanced attacks. VShell’s memory-resident execution and Cobalt Strike’s versatility further complicate detection.
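The chain above leaves a recognisable process-creation footprint on the IIS host: the worker process spawning a shell that runs `ipconfig`, `dir` or `tasklist`, references to the Cityworks `Uploads\` staging directory, and `notepad.exe` appearing under an unexpected parent. The following detection logic is an added example (not Talos's or PolySwarm's code) that runs those heuristics over constructed Sysmon Event ID 1 records; the field names follow Sysmon's schema, and the choice of shells and the parent check on `notepad.exe` are my assumptions, not findings from the bulletin.

```python
"""Heuristic web-shell detection for an IIS/Cityworks host (example code).
Input: Sysmon Event ID 1 (process creation) records as dicts. The
sample events below are constructed, not real telemetry."""
import ntpath

# Recon commands named in the bulletin; a shell child of w3wp.exe running
# any of them is treated as web-shell driven reconnaissance.
RECON_TOKENS = {"ipconfig", "dir", "tasklist"}
SHELLS = {"cmd.exe", "powershell.exe"}           # assumed shell images
STAGING_DIR = r"c:\inetpub\wwwroot\cityworksserver\uploads"


def classify(event):
    """Return a list of alert strings for one process-creation event."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    cmdline = event["CommandLine"].lower()
    alerts = []
    if parent == "w3wp.exe" and image in SHELLS:
        # "&" chains several commands in one line; split them apart.
        tokens = set(cmdline.replace("&", " ").split())
        hit = tokens & RECON_TOKENS
        if hit:
            alerts.append("IIS worker spawned recon: " + ", ".join(sorted(hit)))
        else:
            alerts.append("IIS worker spawned a shell")
    if STAGING_DIR in cmdline:
        alerts.append("reference to Cityworks Uploads staging directory")
    if image == "notepad.exe" and parent != "explorer.exe":
        # TetraLoader injects into benign processes such as notepad.exe;
        # a notepad.exe not launched from the desktop shell is worth a look.
        alerts.append(f"notepad.exe launched by {parent} (possible injection host)")
    return alerts


def scan(events):
    """Return (event index, alert) pairs for every suspicious event."""
    return [(i, a) for i, e in enumerate(events) for a in classify(e)]


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry
    {"ParentImage": W3WP, "Image": CMD, "CommandLine": "cmd.exe /c ipconfig /all & tasklist"},
    {"ParentImage": W3WP, "Image": CMD,
     "CommandLine": r"cmd.exe /c dir c:\inetpub\wwwroot\CityworksServer\Uploads"},
    {"ParentImage": W3WP, "Image": NOTEPAD, "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": NOTEPAD, "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": CMD, "CommandLine": "cmd.exe /c ipconfig"},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

The last two sample events are benign controls: a user-launched notepad and a service-spawned `ipconfig` produce no alert, which keeps the rule focused on the IIS worker as the parent.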

IOCs

PolySwarm has a sample associated with this activity:

4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9

You can use the following CLI command to search for all related samples in our portal:

```
$ polyswarm link list -f TetraLoader
```


Topics: Threat Bulletin, Espionage, China, CVE-2025-0994, UAT-6382, TetraLoader