- Several US local government agencies were targeted by Chinese hackers, Cisco Talos warns
- The attackers exploited a bug in Trimble Cityworks
- The vulnerability was patched in February of this year
Local government organizations in the United States were recently targeted by a Chinese threat actor that deployed a variety of web shells and malware loaders, according to cybersecurity researchers at Cisco Talos, who have been tracking the attacks since the beginning of 2025.
Cisco says the threat actor is tracked as UAT-6382 (a Talos designation for a not-yet-attributed threat actor) and targets organizations through a zero-day vulnerability in Trimble Cityworks.
Trimble Cityworks is a geographic information system (GIS) asset management and permitting platform designed to help local governments and utilities manage infrastructure, maintenance and operations efficiently.
In February of this year we reported that the software was vulnerable to CVE-2025-0994, a deserialization bug with a severity score of 8.6 (high). The vulnerability allowed threat actors to achieve remote code execution (RCE).
Cisco said the attackers used the zero-day to drop a Rust-based malware loader that in turn installed Cobalt Strike and VShell malware, giving the Chinese actor long-term persistent access.
Patching
“Talos has observed intrusions into the enterprise networks of local governing bodies in the United States (US), beginning in January 2025 when initial exploitation first took place. Upon gaining access, UAT-6382 showed a clear interest in systems related to utilities,” Cisco said in its security advisory.
Once inside, the attackers began dropping various web shells: AntSword, Chinatso/Chopper and others. All of these are written in Chinese. They also dropped a custom loader called TetraLoader, which was written in Simplified Chinese.
As soon as news of the zero-day broke, Trimble released a patch, bringing Cityworks to versions 15.8.9 and 23.10 and mitigating the risk. It also warned that it had found some on-premises deployments running with over-privileged IIS identity permissions, and added that some deployments had a misconfigured attachments directory.
At the time there were no reports of victims or damage, but the US Cybersecurity and Infrastructure Security Agency (CISA) still released a coordinated advisory urging customers to apply the patches as quickly as possible. In early February the agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving Federal Civilian Executive Branch agencies a deadline to patch.
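The two configuration weaknesses Trimble called out, an over-privileged IIS application pool identity and a writable, script-executable attachments folder, are both things an administrator can audit locally. The following PowerShell script is an added example written for this article; it is not Trimble's or Cisco Talos' code. It uses the standard WebAdministration module, and the attachments path is a placeholder you must replace with your deployment's actual folder.

```powershell
# Added example (not from the article, Trimble or Cisco Talos): audit IIS
# application pool identities and the ACL on a web-served attachments folder.
Import-Module WebAdministration

# Placeholder path; point this at your deployment's real attachments directory.
$AttachmentsDir = 'C:\inetpub\cityworks_attachments'

# 1. List every application pool and flag highly privileged identities.
#    'LocalSystem' is effectively full administrative control of the host;
#    a custom account whose name looks administrative also deserves review.
$builtInPrivileged = @('LocalSystem')
$poolReport = Get-ChildItem IIS:\AppPools | ForEach-Object {
    $identity = [string]$_.processModel.identityType
    $user     = [string]$_.processModel.userName
    $finding  = ''
    if ($builtInPrivileged -contains $identity) {
        $finding = 'OVER-PRIVILEGED (built-in high-privilege identity)'
    } elseif ($identity -eq 'SpecificUser' -and $user -match '(?i)admin') {
        $finding = 'REVIEW (admin-like service account)'
    }
    [pscustomobject]@{ AppPool = $_.Name; Identity = $identity; User = $user; Finding = $finding }
}
$poolReport | Format-Table -AutoSize

# 2. Check the attachments directory for ACEs that allow both writing and
#    executing: write+execute on a folder served by IIS is the combination
#    that lets an uploaded file be run as a web shell.
if (Test-Path -LiteralPath $AttachmentsDir) {
    $acl = Get-Acl -LiteralPath $AttachmentsDir
    foreach ($ace in $acl.Access) {
        $rights   = $ace.FileSystemRights.ToString()
        $canWrite = $rights -match 'Write|Modify|FullControl'
        $canExec  = $rights -match 'ExecuteFile|ReadAndExecute|Modify|FullControl'
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and $canExec) {
            Write-Warning ("{0}: '{1}' has write+execute ({2})" -f $AttachmentsDir, $ace.IdentityReference, $rights)
        }
    }
} else {
    Write-Host "Attachments directory '$AttachmentsDir' not found; set `$AttachmentsDir to your deployment's path."
}
```

Run it in an elevated PowerShell session on the IIS host. Any pool flagged as over-privileged should be moved to ApplicationPoolIdentity or a dedicated low-privilege service account, and a web-served upload folder should not grant the worker process execute rights on files it can also write; in IIS this is typically enforced by denying script execution (or removing script handler mappings) for that folder in addition to tightening the NTFS ACL.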