Hackers Exploit Trimble Cityworks Vulnerability to Breach U.S. Local Governments

Chinese-speaking hackers exploited a Trimble Cityworks zero-day vulnerability, since patched, to compromise local government entities across the United States. Cisco Talos attributes the intrusions to a threat actor it tracks as UAT-6382, which used a Rust-based loader, TetraLoader, to deploy Cobalt Strike beacons and the VShell backdoor. Compromised servers were backdoored for persistent access, and the attackers also dropped web shells and custom tooling whose messages and builder interface are written in Chinese.

According to Cisco Talos researchers, the intrusions began in January 2025 and pose a serious threat to local governing bodies. The initial activity consisted of reconnaissance, with the attackers showing particular interest in systems related to utilities management. Cisco Talos further noted that “the web shells contained messaging written in Chinese, and custom tooling like TetraLoader was developed using a malware-builder also written in Simplified Chinese.”

The vulnerability exploited in this incident, tracked as CVE-2025-0994, is a high-severity (CVSS 8.6) deserialization-of-untrusted-data flaw. It allows an authenticated user to execute code remotely on the Microsoft Internet Information Services (IIS) server hosting Cityworks, so any valid account, not just an administrative one, is enough to reach the vulnerable code path. Trimble acknowledged the threat and issued fixed releases (Cityworks 15.8.9 and Cityworks with office companion 23.10) in early February 2025, alerting customers that attackers were already attempting to exploit the flaw. Trimble's advisory also warned that some on-premises deployments run the IIS application identity with excessive privileges, which turns code execution under the web server into full host compromise.
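The page does not say which serializer Cityworks used, so the following is an added illustration of the vulnerability class, not Cityworks' own code: a .NET handler that deserializes an authenticated request body with a type-name-carrying formatter, next to the same handler hardened to a data-only format bound to one fixed type. The `WorkOrder` type, the handler names and the length bounds are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Constructed illustration of an unsafe-deserialization bug; not Cityworks code.
public class WorkOrder
{
    public int Id { get; set; }
    public string Description { get; set; } = "";
}

public static class OrderHandlers
{
    // VULNERABLE pattern: BinaryFormatter reconstructs whatever type the
    // attacker's byte stream names (type names travel inside the payload),
    // so an authenticated user who can reach this endpoint can submit a
    // gadget-chain payload that runs code during deserialization, before
    // the cast below or any application-level check ever sees the object.
    public static WorkOrder LoadOrder_Vulnerable(byte[] requestBody)
    {
        var formatter = new BinaryFormatter();        // obsolete; newer .NET disables it by default
        using var ms = new MemoryStream(requestBody);
        return (WorkOrder)formatter.Deserialize(ms);  // too late: code already ran
    }

    // HARDENED: a data-only format deserialized into one fixed type.
    // System.Text.Json does not honor type names embedded in the input, so
    // the client cannot choose which class gets instantiated; malformed
    // input throws JsonException instead of executing anything.
    public static WorkOrder LoadOrder_Hardened(string json)
    {
        var options = new JsonSerializerOptions
        {
            PropertyNameCaseInsensitive = true,
            MaxDepth = 8,                             // bound nesting to limit parser abuse
        };
        var order = JsonSerializer.Deserialize<WorkOrder>(json, options)
                    ?? throw new InvalidDataException("empty request body");

        // Validate the fields after parsing; the parser only guarantees shape.
        if (order.Id <= 0 || order.Description.Length > 2000)
            throw new InvalidDataException("field out of range");
        return order;
    }
}
```

The point of the pairing is that "authenticated" in the advisory is a low bar: the vulnerable handler trusts the payload to name its own types, so the fix is not stricter authentication but removing the attacker's control over which types are instantiated, and then running the web server under a least-privilege identity so that a residual bug cannot become a host-level compromise.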

In response to the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0994 to its Known Exploited Vulnerabilities catalog on February 7, 2025. Under Binding Operational Directive 22-01, federal civilian agencies then had three weeks, until February 28, 2025, to apply the patches or stop using affected systems. CISA noted that vulnerabilities of this kind are frequent attack vectors for malicious actors and pose significant risks to the federal enterprise; organizations outside the federal government that run Cityworks on-premises face the same exposure and should treat the deadline as a baseline.