A Chinese-speaking threat actor, UAT-6382, exploited a now-patched vulnerability in Trimble Cityworks to deploy malware and maintain persistent access to target networks. The attacks primarily targeted local U.S. government systems, leading to reconnaissance, web shell deployment, and long-term control of compromised systems. #CVE-2025-0944 #UAT-6382
Keypoints
- UAT-6382 exploited CVE-2025-0944 to gain remote access to enterprise networks.
- The vulnerability, a deserialization of untrusted data flaw in Trimble's Cityworks asset management software, carries a high CVSS score of 8.6.
- Attackers deployed web shells such as AntSword, chinatso/Chopper, and Behinder during their operations.
- The threat actors used a Rust-based loader, TetraLoader, built with MaLoader, to launch Cobalt Strike and VShell tools.
- The campaigns have targeted utility management systems within local U.S. government organizations since January 2025.
Read More: https://thehackernews.com/2025/05/chinese-hackers-exploit-trimble.html