A Chinese-speaking threat group, tracked as UAT-6382, is exploiting a zero-day vulnerability in Trimble Cityworks (CVE-2025-0994) to gain initial access to, and maintain control of, systems in U.S. local government and utility networks. The group deploys custom malware loaders and web shells, and its targeting is consistent with state-aligned motives. #UAT-6382 #CityworksCVE2025-0994
Key points
- The threat actor UAT-6382 is actively exploiting a zero-day vulnerability (CVE-2025-0994) in Cityworks, an asset-management platform used by local governments and utilities in the U.S.
- Post-exploitation activities include deploying Chinese-language web shells such as AntSword and Chopper for persistent access.
- The actors use custom loaders such as TetraLoader, which injects Cobalt Strike beacons and VShell backdoors into Windows processes for remote control and data exfiltration.
- Command-and-control traffic is obfuscated, which makes network-based detection difficult; defenders should also hunt for host-side artifacts such as newly written web shells under the web root and unexpected loader binaries.
- Since at least January 2025, the group has targeted local government and utility systems, which points toward state-aligned espionage rather than financially motivated crime.
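Because the web shells named above are reached over ordinary HTTP(S) POSTs, IIS logs are often the quickest place to spot them even when the C2 traffic itself is obfuscated. The following hunt script is an added example written for this page; it is not code from the original report or from any of the tools mentioned. It assumes the default IIS W3C field layout, treats the `antSword/` User-Agent prefix as the AntSword client's default (an assumption to verify in your environment), and runs over a constructed log excerpt, not captured traffic.

```python
"""Hunt for web-shell activity in IIS W3C logs.

Two heuristics:
  1. A client whose User-Agent starts with "antSword" (assumed AntSword default).
  2. A script endpoint (.aspx/.ashx/.asmx/.asp) that only ever receives
     successful POSTs and is never fetched with GET. Legitimate pages are
     normally loaded with GET first; Chopper-style shells are POST-only.

Added example for this page; field names follow the IIS W3C default layout.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic, hostnames and IPs are documentation ranges).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-15 10:00:01 10.0.0.5 GET /cityworks/default.aspx - 443 - 192.0.2.10 Mozilla/5.0 200
2025-01-15 10:00:02 10.0.0.5 GET /cityworks/login.aspx - 443 - 192.0.2.10 Mozilla/5.0 200
2025-01-15 10:00:03 10.0.0.5 POST /cityworks/login.aspx - 443 - 192.0.2.10 Mozilla/5.0 302
2025-01-15 10:05:40 10.0.0.5 POST /cityworks/uploads/err.aspx - 443 - 198.51.100.7 antSword/v2.1 200
2025-01-15 10:05:41 10.0.0.5 POST /cityworks/uploads/err.aspx - 443 - 198.51.100.7 antSword/v2.1 200
2025-01-15 10:07:12 10.0.0.5 POST /cityworks/img/x.ashx - 443 - 198.51.100.8 Mozilla/4.0 200
"""

SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|asp)$", re.IGNORECASE)


def parse_iis(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) or blank lines
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-header line; skip rather than guess
        yield dict(zip(fields, parts))


def hunt_webshells(text):
    """Return a sorted list of (rule, client_ip, path) findings."""
    gets = set()                  # script paths that were ever GET-requested
    posts = defaultdict(set)      # script path -> client IPs with 200 POSTs
    findings = set()

    for rec in parse_iis(text):
        path = rec["cs-uri-stem"].lower()
        client = rec["c-ip"]
        method = rec["cs-method"].upper()

        # Rule 1: AntSword client fingerprint (assumed default User-Agent prefix).
        if rec["cs(User-Agent)"].lower().startswith("antsword"):
            findings.add(("antsword-ua", client, path))

        # Collect method usage per script endpoint for rule 2.
        if method == "GET":
            gets.add(path)
        elif method == "POST" and rec["sc-status"] == "200" and SCRIPT_EXT.search(path):
            posts[path].add(client)

    # Rule 2: script endpoints that are POST-only with successful responses.
    for path, clients in posts.items():
        if path not in gets:
            for client in clients:
                findings.add(("post-only-script", client, path))

    return sorted(findings)


if __name__ == "__main__":
    for rule, client, path in hunt_webshells(SAMPLE_LOG):
        print(f"{rule:18} {client:15} {path}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the POST-only rule will also surface legitimate API handlers, so triage hits by checking file creation time under the web root and whether the file contents contain an `eval`/`Request` one-liner.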