Chinese-speaking threat actors, tracked as UAT-6382, have been exploiting a remote-code-execution vulnerability (CVE-2025-0994) in Trimble Cityworks, a widely deployed asset management system. The attacks, which began in January 2025, target local governing bodies in the United States, with a focus on utilities management systems. The threat actors deploy several web shells, including AntSword and China Chopper, and use a custom Rust-based loader, TetraLoader, to deliver Cobalt Strike beacons and VSHell malware. Once inside, they conduct reconnaissance, enumerate directories, and stage files for exfiltration. Their tooling and tactics reflect a high level of Chinese-language proficiency, pointing to a Chinese origin for the group.
Author: AlienVault
Related Tags:
cve-2025-0994
chinese threat actors
VSHell
TetraLoader
China Chopper – S0020
AntSword
web shells
china chopper
Cobalt Strike – S0154
Associated Indicators:
SHA-256:
1DE72C03927BCD2810CE98205FF871EF1EBF4344FBA187E126E50CAA1E43250B
1C38E3CDA8AC6D79D9DA40834367697A209C6B07E6B3AB93B3A4F375B161A901
4FFC33BDC8527A2E8CB87E49CDC16C3B1480DFC135E507D552F581A67D1850A9
C02D50D0EB3974818091B8DD91A8BBB8CDEFD94D4568A4AEA8E1DCDD8869F738
SHA-1:
EDE9704D231F2950A65E272362C6F3CC82521E5C
E760717E7EEE446480DC7947B2A0751A0BC1F651
MD5:
7002B9E747B3D92D6D52F291E911A7FC
E80EB9D5ACCD75020F311400FAEFDC58
00C96A736D29C55E29C5E3291AEDB0FD
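As an added example (not part of the AlienVault pulse and not any vendor's tooling), the following Python script turns the hash list above into a file-system sweep of the kind a responder would run on a Cityworks or IIS host: it infers each indicator's type from its hex length, hashes every file under a directory once with only the algorithms the list actually needs, and reports matches. The indicator text is a copy of the pulse, while the temporary directory layout and the planted stand-in file in demo() are constructed for this example and contain no malware.

```python
import hashlib
import os
import tempfile

# Indicators copied from the pulse above. Hash type is inferred from hex
# length: 64 chars = SHA-256, 40 = SHA-1, 32 = MD5.
PULSE_INDICATORS = """
1DE72C03927BCD2810CE98205FF871EF1EBF4344FBA187E126E50CAA1E43250B
1C38E3CDA8AC6D79D9DA40834367697A209C6B07E6B3AB93B3A4F375B161A901
4FFC33BDC8527A2E8CB87E49CDC16C3B1480DFC135E507D552F581A67D1850A9
C02D50D0EB3974818091B8DD91A8BBB8CDEFD94D4568A4AEA8E1DCDD8869F738
EDE9704D231F2950A65E272362C6F3CC82521E5C
E760717E7EEE446480DC7947B2A0751A0BC1F651
7002B9E747B3D92D6D52F291E911A7FC
E80EB9D5ACCD75020F311400FAEFDC58
00C96A736D29C55E29C5E3291AEDB0FD
"""

HASH_ALGO_BY_LEN = {64: "sha256", 40: "sha1", 32: "md5"}
HEX_DIGITS = set("0123456789abcdef")


def parse_indicators(text):
    """Return {algo: set(lowercase hex)} from a newline-separated hash list.

    Anything that is not a well-formed MD5/SHA-1/SHA-256 hex string raises,
    so a typo in the IOC file fails loudly instead of silently never matching.
    """
    parsed = {algo: set() for algo in HASH_ALGO_BY_LEN.values()}
    for line in text.splitlines():
        token = line.strip().lower()
        if not token:
            continue
        algo = HASH_ALGO_BY_LEN.get(len(token))
        if algo is None or not set(token) <= HEX_DIGITS:
            raise ValueError(f"unrecognised indicator: {line.strip()}")
        parsed[algo].add(token)
    return parsed


def hash_file(path, algos):
    """Read the file once and feed every requested digest from the same chunks."""
    hashers = {algo: hashlib.new(algo) for algo in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan_tree(root, indicators):
    """Walk root; return [(path, algo, digest)] for files whose hash is an IOC."""
    wanted = [algo for algo, hashes in indicators.items() if hashes]
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path, wanted)
            except OSError:
                continue  # unreadable or vanished mid-sweep: skip, do not abort
            for algo, digest in digests.items():
                if digest in indicators[algo]:
                    hits.append((path, algo, digest))
    return hits


def demo():
    """Stand-alone run on a constructed tree: one benign file, one planted file
    whose MD5 is appended to the pulse IOCs so the sweep has something to find.
    Returns (hits, planted_path)."""
    indicators = parse_indicators(PULSE_INDICATORS)
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    benign = os.path.join(root, "web.config")
    planted = os.path.join(root, "wwwroot", "upload.aspx")  # constructed path
    os.makedirs(os.path.dirname(planted))
    with open(benign, "wb") as fh:
        fh.write(b"<configuration></configuration>\n")
    with open(planted, "wb") as fh:
        fh.write(b"constructed stand-in for a dropped web shell, not real malware\n")
    indicators["md5"].add(hash_file(planted, ["md5"])["md5"])
    return scan_tree(root, indicators), planted


if __name__ == "__main__":
    for path, algo, digest in demo()[0]:
        print(f"HIT {algo} {digest} {path}")
```

Hash matching only finds the exact samples listed; a recompiled TetraLoader or a re-obfuscated AntSword shell will not match, so treat a clean sweep as "these specific files are absent", not as "the host is clean", and pair it with behavioural checks such as new files under the web root and child processes spawned by the Cityworks/IIS worker.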