Cityworks Zero-Day Exploit Hits U.S. Government Hard


A Chinese cyber espionage group has been exploiting a severe vulnerability in Trimble’s Cityworks platform to infiltrate U.S. local government systems. The flaw, tracked as CVE-2025-0994, carries a CVSS severity score of 8.6 (high) and was patched in January.

Cityworks is used by local governments and utilities to manage infrastructure. The bug is a deserialization issue that lets an attacker execute code remotely on the Microsoft IIS servers hosting the platform. Exploitation requires authentication, which is why the flaw lends itself to targeted rather than indiscriminate attacks.

In February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The agency also released an alert focused on industrial control systems.

Now, Cisco Talos has revealed that a Chinese group, tracked as UAT-6382, is behind the attacks. The hackers began targeting U.S. local government networks in January, shortly before the patch was released.

Once inside, the group ran reconnaissance and deployed malware to maintain a hidden foothold. They installed webshells such as AntSword, Chinatso, and Behinder, then enumerated directories for sensitive files to steal. They also used PowerShell to drop multiple backdoors.

Talos found that the hackers used a tool called TetraLoader, built with Rust, to deliver Cobalt Strike. They also deployed VShell, a Go-based implant that allows remote access, command execution, file transfers, screen capture, and proxy control.

Evidence left in the tooling points to Chinese origins. This includes Mandarin text in the webshells, use of a Chinese malware builder (MaLoader), and hands-on-keyboard activity.

While Trimble and CISA previously released indicators of compromise, they didn’t name the attacker. Talos now confirms that UAT-6382 is responsible. The group focused on systems connected to utilities and public infrastructure, likely seeking long-term access.

This campaign shows how critical software used by governments can become a gateway for foreign espionage. Local agencies using Cityworks are urged to apply the patch immediately and scan for signs of intrusion.
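As an added illustration of what "scan for signs of intrusion" can mean on an IIS host running Cityworks (this is not code from Talos, Trimble or CISA), the following PowerShell hunt looks for the two traces the article describes: recently written script files in IIS site roots, where webshells live, and the IIS worker process spawning PowerShell or cmd. It assumes it runs elevated on the IIS server, that the WebAdministration module is available, and that process-creation auditing (Security event 4688, ideally with command-line logging) is enabled.

```powershell
# Added example, not part of the original article or any vendor advisory.
# Assumes: elevated session on the IIS host, WebAdministration module,
# and Security event 4688 (process creation) auditing turned on.
Import-Module WebAdministration

$since = (Get-Date).AddDays(-30)   # look-back window; adjust to the incident timeline

# 1. Script files written to any IIS site root recently.
#    AntSword/Behinder-style webshells are small .aspx/.ashx/.asmx files;
#    web.config changes can also register malicious handlers.
$roots = Get-Website | ForEach-Object {
    [Environment]::ExpandEnvironmentVariables($_.physicalPath)
}
$recentScripts = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx, web.config -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Select-Object FullName, LastWriteTime, Length
}
"--- Script files modified since $since in IIS site roots ---"
$recentScripts | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize

# 2. w3wp.exe (IIS worker) spawning a shell or PowerShell: the process
#    pattern behind a webshell being used to drop further backdoors.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
$suspicious = foreach ($e in $events) {
    # Parse the event XML by field name rather than by positional index,
    # which differs across Windows versions.
    $data   = ([xml]$e.ToXml()).Event.EventData.Data
    $parent = ($data | Where-Object Name -eq 'ParentProcessName').'#text'
    $child  = ($data | Where-Object Name -eq 'NewProcessName').'#text'
    if ($parent -like '*\w3wp.exe' -and $child -match '\\(powershell|pwsh|cmd)\.exe$') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Parent      = $parent
            Child       = $child
            CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'  # empty unless command-line auditing is on
        }
    }
}
"--- Shell/PowerShell processes launched by the IIS worker process ---"
$suspicious | Format-Table -AutoSize
```

Any hit in either list is a lead for forensic review of the file or command line rather than proof of compromise; legitimate deployments also write .aspx files, so compare against the site's change records.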
