A sophisticated Chinese hacking campaign has been actively targeting U.S. utilities and local government networks since January 2025, exploiting a critical vulnerability in widely deployed infrastructure management software.
The attacks, attributed to the Chinese-speaking group UAT-6382, exploited a zero-day vulnerability in Trimble Cityworks, a platform extensively used for managing public assets and utilities across American municipalities. The high-severity vulnerability enabled complete system compromise remotely, without physical access.
The vulnerability, designated as CVE-2025-0994 and rated 8.6 under CVSS v4, allows remote code execution through the deserialization of untrusted data on IIS servers. In spite of Trimble’s release of a patch in early February, intrusions continued because numerous systems remained unpatched, leaving organizations exposed to potential compromise of both operational and administrative networks.
The attackers employed a multi-stage attack chain, beginning with reconnaissance to identify vulnerable servers before deploying an arsenal of sophisticated tools. Their toolkit included the custom Rust-based TetraLoader malware, Cobalt Strike beacons for maintaining persistence, and various web shells such as AntSword and Behinder, all containing telltale markers of Chinese origin, including comments and code written in Simplified Chinese.
Post-exploitation activities revealed a systematic approach to data collection and network infiltration. The threat actors conducted extensive directory enumeration to locate sensitive files, particularly targeting systems related to utilities management, permitting, and licensing. The group maintained persistent access with the VShell backdoor while moving through compromised networks.
The integration of Cityworks with Geographic Information Systems made it an especially valuable target for the attackers, who staged identified files in controlled locations for exfiltration.
The campaign’s focus on municipal networks and critical infrastructure providers highlights a concerning pattern of state-sponsored cyber operations targeting U.S. utility sectors.
The attackers demonstrated sophisticated tactical capabilities, moving laterally from compromised Cityworks servers to other utility management assets as they established persistent access for long-term exploitation.
The presence of TetraLoader, built using the MaLoader framework first seen in Chinese repositories in December 2024, further strengthens attribution to Chinese state-sponsored actors.