- Multiple United States government agencies were attacked by Chinese hackers, Cisco Talos warns
- The hackers exploited a flaw in Trimble Cityworks
- The vulnerability was patched in February this year
Local government organizations across the United States were recently attacked by a Chinese threat actor who sought to deploy several web shells and malware loaders. This is according to cybersecurity researchers at Cisco Talos, who have been tracking the attacks since the beginning of 2025.
Cisco says the threat actor is tracked as UAT-6382 (UAT being Talos's prefix for an unknown adversary threat) and has been targeting organizations through a zero-day vulnerability in Trimble Cityworks.
Trimble Cityworks is a Geographic Information System (GIS)-centric asset and permit management platform designed to help local governments and utilities manage infrastructure, maintenance and operations efficiently.
In February of this year, we reported that the software was vulnerable to CVE-2025-0994, a high-severity deserialization flaw with a CVSS score of 8.6 (high). The vulnerability allowed threat actors to achieve remote code execution (RCE).
Cisco said the attackers used the zero-day to deploy a Rust-based malware loader which, in turn, installed Cobalt Strike beacons and the VShell malware, giving the Chinese actors long-term persistent access.
Patching the flaw
“Talos has found intrusions in the enterprise networks of local governing bodies in the United States (USA), as of January 2025, when the initial exploitation first took place. Upon access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management,” Cisco said in its security advisory.
With access established, the attackers began dropping various web shells, including AntSword, chinatso/Chopper and others, all of them written in Chinese. They also dropped a custom loader called TetraLoader, which was likewise written in Simplified Chinese.
As soon as news of the zero-day broke, Trimble released a patch, taking Cityworks to versions 15.8.9 and 23.10 and mitigating the risk. It also warned that it had found some on-premises deployments running IIS under overprivileged identity permissions, and added that some deployments had incorrect attachment directory configurations.
At the time, there were no reports of victims or damage, but the US Cybersecurity and Infrastructure Security Agency (CISA) still published a coordinated advisory urging customers to apply the patches as soon as possible. In early February, the agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving Federal Civilian Executive Branch agencies a deadline to patch.
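Trimble's warning about overprivileged IIS identities is the kind of misconfiguration that turns a deserialization RCE into full host compromise, since any code the attacker runs inherits the application pool's identity. The following PowerShell is an added example written for this page, not code from the article, from Cisco Talos or from Trimble: it lists every IIS application pool on an on-premises host and flags pools running as LocalSystem or as an explicit account, then checks whether such accounts sit in the local Administrators group. It assumes a Windows Server host with the IIS WebAdministration module available and an elevated shell; the application pool name Cityworks uses is not assumed, so every pool is listed.

```powershell
# Added example (not from the article, Talos, or Trimble): audit IIS application pool
# identities on an on-premises Cityworks host. Assumes Windows Server with IIS and the
# WebAdministration module, run from an elevated PowerShell session.
Import-Module WebAdministration

# Build one record per application pool: which identity it runs as and why that matters.
$findings = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $pm = $pool.processModel
    # For SpecificUser the account name lives in userName; otherwise the type is the identity.
    $identity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { $pm.identityType }
    $risk = switch ($pm.identityType) {
        'LocalSystem'  { 'HIGH  - pool runs with full system privileges' }
        'SpecificUser' { 'CHECK - verify this account is not an administrator' }
        default        { 'ok    - built-in low-privilege identity' }
    }
    [pscustomobject]@{
        AppPool  = $pool.name
        State    = $pool.state
        Identity = $identity
        Risk     = $risk
    }
}

$findings | Format-Table -AutoSize

# For explicit accounts, confirm membership in the local Administrators group.
# Get-LocalGroupMember reports names as COMPUTER\user or DOMAIN\user, so compare
# case-insensitively against the userName configured on the pool.
foreach ($f in $findings | Where-Object { $_.Risk -like 'CHECK*' }) {
    $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                      Where-Object { $_.Name -ieq $f.Identity })
    if ($isAdmin) {
        "{0}: account {1} IS a local administrator - reduce its privileges" -f $f.AppPool, $f.Identity
    } else {
        "{0}: account {1} is not a local administrator" -f $f.AppPool, $f.Identity
    }
}
```

Pools reported as ApplicationPoolIdentity, NetworkService or LocalService are the expected low-privilege configurations; a LocalSystem pool, or an explicit account that turns out to be a local administrator, is the overprivileged case Trimble described and should be changed before the host is exposed to the internet.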
Via BleepingComputer