As U.S. local governments increasingly rely on digital infrastructure to manage critical utilities and public assets, a sophisticated Chinese-speaking hacking group has exploited a zero-day vulnerability in municipal networks across multiple cities, according to cybersecurity researchers at Cisco Talos.
Chinese-speaking hackers exploited zero-day vulnerabilities targeting critical municipal infrastructure across multiple U.S. cities, researchers confirm.
The threat actor, designated UAT-6382, targeted Trimble Cityworks, a GIS-based asset and work order management tool widely deployed by American public agencies.
The breach campaign commenced in January 2025, with investigators first detecting suspicious network reconnaissance targeting public sector organizations. Attackers exploited the Cityworks vulnerability to establish initial footholds, then deployed a Rust-based malware loader designed to install Cobalt Strike beacons and VSHell backdoors throughout compromised systems.
Evidence directly linking the operation to Chinese-speaking operators emerged through forensic analysis of custom malware components. Researchers identified “TetraLoader,” built using “MaLoader,” with both tools containing code written exclusively in Simplified Chinese. Multi-factor authentication could have prevented unauthorized access to critical systems, experts noted.
Web shells including AntSword and Chopper featured Chinese-language messaging, and post-breach investigations consistently revealed Chinese text embedded within the attack infrastructure.
The targeting strategy concentrated on local governing bodies, utilities, and public works departments across multiple American cities. Compromised Cityworks installations enabled lateral movement within municipal networks, potentially exposing sensitive infrastructure data and utility management information.
Attackers established persistent access through strategically placed web shells and remote access tools, indicating long-term intelligence collection objectives.
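A web shell dropped into a web application's directory behaves differently from the application's own pages: it is never loaded through a normal GET before its operator starts POSTing commands to it. The following detection sketch, added here as an illustration and not code from Cisco Talos or the article, scans IIS W3C log lines for script files whose first-ever request is a POST. The log lines and the /cityworks/ path are constructed placeholders, not real Cityworks paths.

```python
# Constructed IIS W3C log lines for illustration (not from the article or Cisco Talos).
# The /cityworks/ path and file names are placeholders, not real Cityworks paths.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2025-01-14 03:12:07 GET /cityworks/Default.aspx 10.0.0.15 Mozilla/5.0+(Windows) 200
2025-01-14 03:12:09 GET /cityworks/Login.aspx 10.0.0.15 Mozilla/5.0+(Windows) 200
2025-01-14 03:12:31 POST /cityworks/Login.aspx 10.0.0.15 Mozilla/5.0+(Windows) 302
2025-01-14 03:41:22 POST /cityworks/Upload/tmp_9f3a.aspx 203.0.113.77 Mozilla/5.0+(Windows) 200
2025-01-14 03:41:30 POST /cityworks/Upload/tmp_9f3a.aspx 203.0.113.77 Mozilla/5.0+(Windows) 200
2025-01-14 03:42:05 POST /cityworks/Upload/tmp_9f3a.aspx 203.0.113.77 Mozilla/5.0+(Windows) 200
"""

# Server-side script extensions a web shell would typically be written as.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")

def parse_iis(text):
    """Yield (method, uri, client_ip) per data line; IIS encodes UA spaces as '+',
    so a plain space split is safe for this field layout."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, _time, method, uri, ip, _ua, _status = line.split(" ")
        yield method.upper(), uri.lower(), ip

def find_webshell_candidates(text, min_posts=2):
    """Return script URIs that were never GET-rendered before receiving POSTs.
    A legitimate page is normally loaded (GET) before a form posts to it; a
    dropped web shell is usually only ever POSTed to by its operator."""
    history = {}  # uri -> {"methods": [...], "ips": set()}
    for method, uri, ip in parse_iis(text):
        if not uri.endswith(SCRIPT_EXT):
            continue
        rec = history.setdefault(uri, {"methods": [], "ips": set()})
        rec["methods"].append(method)
        rec["ips"].add(ip)
    findings = []
    for uri, rec in history.items():
        posts = rec["methods"].count("POST")
        if rec["methods"][0] == "POST" and posts >= min_posts:
            findings.append({"uri": uri, "posts": posts, "ips": sorted(rec["ips"])})
    return findings

if __name__ == "__main__":
    for f in find_webshell_candidates(SAMPLE_LOG):
        print(f"web shell candidate: {f['uri']} ({f['posts']} POSTs from {', '.join(f['ips'])})")
```

On the constructed log this flags only the upload-directory script, since Login.aspx was fetched by GET before its POST. In production the same first-seen logic should be baselined against a known-good inventory of the application's script files.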
This operation follows established patterns of Chinese state-aligned intrusions into American government and critical infrastructure networks dating to 2023. Previous campaigns have penetrated telecommunications systems, federal departments including Treasury, and national infrastructure components.
Security analysts note these activities align with pre-positioning strategies, whereby nation-state actors embed malware within critical systems for potential activation during geopolitical tensions. The operations mirror the APT27 hacking group’s activities targeting U.S. defense contractors and government agencies from 2016 to 2023. The municipal breaches demonstrate the growing pattern of attacks targeting third-party vendor systems to gain access to government networks.
The deployment of advanced persistent threat tactics, combined with linguistic evidence and specialized tooling, supports attribution to Chinese hacker-for-hire ecosystems operating with state support.
U.S. Justice Department prosecutions have previously targeted Chinese nationals conducting similar operations under intelligence agency direction. Municipal cybersecurity vulnerabilities continue presenting attractive targets for foreign adversaries seeking access to American infrastructure networks.