- Several US local government agencies have been targeted by Chinese hackers, Cisco Talos warns
- The attackers exploited a flaw in Trimble Cityworks
- The vulnerability was patched in February of this year
Local government organizations across the United States have recently been targeted by a Chinese threat actor seeking to deploy web shells and malware, according to Cisco Talos researchers, who have been tracking the attacks since the beginning of 2025.
Cisco says the threat actor is tracked as UAT-6382 (Talos's prefix for an as-yet-unattributed threat cluster) and that it broke into the organizations through a vulnerability in Trimble Cityworks.
Trimble Cityworks is asset-management and geographic information system (GIS) software designed to help local governments and utilities manage infrastructure, maintenance and operations.
In February of this year, we reported that the software was vulnerable to CVE-2025-0994, a deserialization bug with a CVSS severity score of 8.6 (high). The vulnerability allowed threat actors to achieve remote code execution (RCE).
Cisco said the attackers used the zero-day to drop a Rust-based malware loader which, in turn, installed Cobalt Strike beacons and VShell malware, giving the Chinese attackers long-term access to the compromised systems.
Patching the flaw
“Talos has observed intrusions in enterprise networks of local governing bodies in the United States (US), beginning January 2025, when initial exploitation first took place. Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management,” Cisco said in its security advisory.
With access established, the attackers began dropping various web shells, including AntSword, chinatso/Chopper and others, all of which are written in Chinese. They also dropped a custom loader called TetraLoader, which was likewise written in Simplified Chinese.
As soon as news of the zero-day broke, Trimble released a patch, bringing Cityworks to versions 15.8.9 and 23.10 and mitigating the risk. It also warned that it had found some on-premises deployments running with overprivileged IIS identity permissions, and that some deployments had attachment directory configurations that should be locked down.
At the time, there were no reports of victims or damage, but the US Cybersecurity and Infrastructure Security Agency (CISA) nevertheless published a coordinated advisory urging customers to apply the fix as soon as possible. In early February, the agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving Federal Civilian Executive Branch agencies a deadline to patch.
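The overprivileged IIS identity that Trimble warned about is straightforward to audit. The following PowerShell is an added example written for this article, not code from Trimble, Cisco Talos or the Cityworks product: it lists every IIS application pool on the local server and flags those whose worker process runs as LocalSystem or as a custom account that is a member of the local Administrators group. It assumes the Cityworks web application is hosted in IIS on the machine where it runs and that the WebAdministration module is available.

```powershell
# Added example (not from the article, Trimble or Cisco Talos): audit IIS application pool
# identities for the kind of overprivileged configuration Trimble described.
# Assumption: run on the on-premises IIS host serving Cityworks, in an elevated session.
Import-Module WebAdministration

# Members of the local Administrators group, lowercased for comparison (e.g. "host\svc_cw").
$admins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLowerInvariant() }

Get-ChildItem 'IIS:\AppPools' | ForEach-Object {
    $pool = $_
    $type = [string]$pool.processModel.identityType   # LocalSystem, NetworkService, ApplicationPoolIdentity, SpecificUser, ...
    $user = [string]$pool.processModel.userName        # only populated for SpecificUser

    $status = switch ($type) {
        'LocalSystem'  { 'OVERPRIVILEGED: worker process runs as SYSTEM' }
        'SpecificUser' {
            if ($admins -contains $user.ToLowerInvariant()) {
                "OVERPRIVILEGED: $user is a member of local Administrators"
            } else {
                "review: custom account $user (confirm it has only the rights Cityworks needs)"
            }
        }
        default        { "ok: built-in low-privilege identity ($type)" }
    }

    [pscustomobject]@{
        AppPool      = $pool.Name
        IdentityType = $type
        UserName     = $user
        Status       = $status
    }
} | Format-Table -AutoSize
```

A pool reported as OVERPRIVILEGED means that a web shell dropped through the Cityworks application would inherit SYSTEM or administrator rights on the host, which is exactly what turns a single deserialization bug into full server compromise; moving the pool to ApplicationPoolIdentity or a dedicated low-privilege service account removes that escalation path.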
Via Bleeping Compompute