Cityworks Zero-Day Vulnerability Used by UAT-6382 Hackers to Infect IIS Servers with Shell Malware

Cisco Talos has uncovered active exploitation of a zero-day remote-code-execution vulnerability, identified as CVE-2025-0994, in Cityworks, a widely used asset management system.

This critical flaw has been leveraged by a group tracked as UAT-6382, assessed with high confidence to be Chinese-speaking threat actors, to target enterprise networks of local governing bodies in the United States since January 2025.

The attackers have demonstrated a clear intent to infiltrate systems related to utilities management, using sophisticated tactics, techniques, and procedures (TTPs) to deploy web shells and custom malware on Internet Information Services (IIS) web servers.

Both the Cybersecurity and Infrastructure Security Agency (CISA) and Trimble, the vendor of Cityworks, have issued advisories, with Trimble providing specific indicators of compromise (IOCs) that align with Talos’s findings, underscoring the severity and overlap of these intrusions.

Chinese-Speaking Threat Actors Exploit CVE-2025-0994

Upon successful exploitation of the Cityworks vulnerability, UAT-6382 conducts initial reconnaissance using commands like ipconfig, dir, and tasklist to fingerprint compromised servers.

Figure: ASP-based file uploader deployed by UAT-6382.

This is swiftly followed by the deployment of web shells such as AntSword, chinatso/Chopper, and Behinder, many of which contain Chinese-language messaging, further supporting the attribution to Chinese-speaking actors.

These web shells serve as backdoors, enabling persistent access and facilitating file enumeration and staging for exfiltration.

The threat actors also employ Rust-based loaders, dubbed “TetraLoader,” built using a Simplified Chinese malware-building framework called “MaLoader,” which emerged on GitHub in December 2024.

TetraLoader injects malicious payloads, including Cobalt Strike beacons and VShell stagers, into benign processes like notepad.exe, ensuring covert long-term access.

Rapid Deployment of Web Shells

VShell, a GoLang-based implant, offers extensive remote access capabilities, such as file management, command execution, and screenshot capture, with its command-and-control (C2) panels also featuring Chinese interfaces.

Figure: A sample VShell C2 server with one client connected.

Post-compromise activities reveal a focus on pivoting to critical infrastructure, with PowerShell commands used to download additional backdoors from malicious IPs like 192.210.239.172, highlighting the advanced and targeted nature of this campaign.

According to the report, Talos has provided detailed IOCs, including file hashes for TetraLoader and Cobalt Strike beacons, as well as network indicators such as malicious domains (e.g., cdn.lgaircon.xyz, www.roomako.com) and IP addresses.

These IOCs, hosted in Talos’s GitHub repository, are critical for organizations to detect and mitigate this threat.

Protective measures include leveraging solutions like Cisco Secure Endpoint, Secure Firewall, and Umbrella to block malicious activity and domains.

As this campaign targets sensitive infrastructure, immediate patching of Cityworks systems and vigilant monitoring for the listed IOCs are strongly advised to prevent further compromise by UAT-6382.

Indicators of compromise (IOCs)

TetraLoader hashes: 14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f, …
Cobalt Strike hashes: C02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738
Network IOCs – domains: cdn.phototagx.com, www.roomako.com, lgaircon.xyz
Network IOCs – URLs: https://www.roomako.com/jquery-3.3.1.min.js, …
Network IOCs – IPs: 192.210.239.172
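Monitoring for the listed IOCs and for the post-exploitation pattern described above (the IIS worker process running reconnaissance commands on behalf of a web shell) can be scripted; the following is an added Python example, not Talos's, Trimble's or Cisco's tooling. It takes the IOCs from the table above, assumes a simplified dict-based event format for network and process-creation telemetry, relies on w3wp.exe being the IIS worker process that hosts the ASP/ASPX pages, and runs over constructed sample events.

```python
from urllib.parse import urlparse

# IOCs copied from the page's table (its elided "..." entries are not included).
IOC_DOMAINS = {"cdn.phototagx.com", "www.roomako.com", "lgaircon.xyz"}
IOC_IPS = {"192.210.239.172"}
IOC_HASHES = {"14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f",
              "c02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738"}
# Recon commands the page reports right after exploitation, plus the interpreters
# a web shell uses to launch them. w3wp.exe is the IIS worker process that hosts
# the ASP/ASPX pages, so it is the parent of anything a web shell spawns.
RECON_CHILDREN = {"ipconfig.exe", "tasklist.exe", "cmd.exe", "powershell.exe"}
IIS_WORKER = "w3wp.exe"

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def domain_matches(host):
    """IOC domain or a subdomain of one (lgaircon.xyz also covers cdn.lgaircon.xyz)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def check_network(ev):
    """ev: dict with 'dst_ip' and optionally 'host' or 'url' (assumed format)."""
    if ev.get("dst_ip") in IOC_IPS:
        return f"connection to IOC IP {ev['dst_ip']}"
    host = ev.get("host") or (urlparse(ev["url"]).hostname if ev.get("url") else None)
    if host and domain_matches(host):
        return f"connection to IOC domain {host}"
    return None

def check_process(ev):
    """ev: dict with 'parent', 'image' and optionally 'sha256' (assumed format)."""
    image = _basename(ev.get("image", ""))
    if ev.get("sha256", "").lower() in IOC_HASHES:
        return f"known TetraLoader/Cobalt Strike hash for {image}"
    if _basename(ev.get("parent", "")) == IIS_WORKER and image in RECON_CHILDREN:
        return f"IIS worker spawned {image} (web-shell command execution pattern)"
    return None

def scan(network_events, process_events):
    """Return the alert reasons for the given telemetry, network hits first."""
    hits = [r for r in map(check_network, network_events) if r]
    return hits + [r for r in map(check_process, process_events) if r]

# Constructed sample telemetry (not from the report); 203.0.113.0/24 is documentation space.
SAMPLE_NET = [{"dst_ip": "192.210.239.172", "url": "http://192.210.239.172/x"},
              {"dst_ip": "203.0.113.5", "host": "cdn.lgaircon.xyz"},
              {"dst_ip": "203.0.113.9", "host": "update.example.org"}]
SAMPLE_PROC = [{"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe"},
               {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"}]
```

Calling scan(SAMPLE_NET, SAMPLE_PROC) yields three alerts: the IOC IP, the cdn.lgaircon.xyz subdomain, and cmd.exe launched by the IIS worker; the benign events produce nothing.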


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.