Cityworks Zero-Day Exploited by Chinese Hackers in US Local Government Attacks

A Chinese-linked threat actor is exploiting a zero-day vulnerability in Trimble Cityworks to target U.S. local government networks, using sophisticated malware and webshell tools. This ongoing threat highlights the importance of timely patching and monitoring for advanced persistent threats in critical infrastructure systems. #CVE-2025-0994 #UAT-6382

Key points

  • A zero-day vulnerability in Trimble Cityworks (CVE-2025-0994) is being exploited by a Chinese threat group.
  • The exploited flaw leads to remote code execution on Microsoft IIS web servers used by critical infrastructure services.
  • The threat actor deployed webshells, Cobalt Strike, and other malware to establish persistence and conduct reconnaissance.
  • Indicators show the use of a Rust-based loader called TetraLoader and a GoLang implant named VShell for remote access.
  • Chinese messages and malware artifacts suggest that the group responsible is Chinese-speaking and targeting U.S. local government networks.

Read More: https://www.securityweek.com/cityworks-zero-day-exploited-by-chinese-hackers-in-us-local-government-attacks/