- Several US public agencies were targeted by Chinese hackers, Cisco Talos warns
- The attackers exploited a flaw in Trimble Cityworks
- The vulnerability was disclosed in February this year
Local government organizations across the United States were recently targeted by a Chinese threat actor seeking to deploy various web shells and malware loaders. This is according to cybersecurity researchers at Cisco Talos, who have tracked the attacks since the beginning of 2025.
Cisco says the threat actor is tracked as UAT-6382 (UAT denotes an unknown adversary threat) and has targeted organizations through a zero-day vulnerability in Trimble Cityworks.
Trimble Cityworks is a geographic information system (GIS) product.
In February of this year, we reported that the software was vulnerable to CVE-2025-0994, a deserialization vulnerability with a CVSS severity score of 8.6 (high). The flaw allowed threat actors to achieve remote code execution (RCE).
Cisco said the attackers used the zero-day to drop a Rust-based malware loader, which in turn installed Cobalt Strike beacons and VShell malware, giving the Chinese actors long-term, persistent access.
Patching the flaw
“Talos has observed intrusions into the enterprise networks of local governing bodies in the United States (USA) since early January 2025, when the first exploitation took place. Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to supply management,” Cisco said in its security advisory.
With access established, the attacker began dropping various web shells: AntSword, Chinatso/Chopper and more. All of these are written in Chinese. The attacker also dropped a custom loader called TetraLoader, which was written in Simplified Chinese.
As soon as news of the zero-day broke, Trimble released a patch, bringing Cityworks to versions 15.8.9 and 23.10 and reducing the risk. It also warned that it had discovered some on-premises deployments with overprivileged IIS identity permissions, adding that some deployments had incorrect directory configurations.
At the time, there were no reports of victims or damage, but the US Cybersecurity and Infrastructure Security Agency (CISA) still released a coordinated advisory urging customers to apply the patches as soon as possible. In early February, the agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving Federal Civilian Executive Branch agencies a deadline to patch.
Via BleepingComputer