Chinese Hackers Exploit US Local Governments with a Zero-Day Vulnerability: A Comedy of Cyber Errors
A Chinese-speaking threat actor that Cisco Talos tracks as UAT-6382 exploited a Trimble Cityworks zero-day vulnerability (CVE-2025-0994) in attacks on US local government entities. The deserialization flaw, patched by Trimble in January 2025, lets an authenticated user execute code on the Microsoft IIS web server that hosts Cityworks. Despite the seriousness of the intrusions, the attackers also left behind a trail of digital fortune cookies, written in Chinese.

Hot Take:
When it comes to hacking, this China-linked threat actor has turned US local government networks into a personal playground. Armed with a zero-day and a bag of malware tricks, they have been playing a high-stakes game of cyber limbo. How low can they go? Apparently, straight to the systems that manage critical infrastructure.
Key Points:
- Trimble Cityworks zero-day vulnerability exploited by the China-linked group Cisco Talos tracks as UAT-6382.
- CVE-2025-0994, a deserialization flaw rated CVSS 8.6, lets an authenticated user execute code on the Microsoft IIS web server hosting Cityworks.
- Attacks target US local government entities, which use Cityworks to manage public infrastructure assets.
- UAT-6382's toolkit includes Cobalt Strike, AntSword and other webshells, and the custom Rust-based TetraLoader.
- Chinese-language messages in the webshells and the use of the MaLoader builder point to a Chinese-speaking group.
Zero-Day? More Like Zero-Tolerance for Security!
In the wild world of cybersecurity, zero-day vulnerabilities are the sneaky backdoors that hackers cannot resist. This time the spotlight is on Trimble Cityworks, an asset-management platform used by utilities and local governments, where a deserialization-of-untrusted-data flaw tracked as CVE-2025-0994 is causing quite the ruckus. With a CVSS score of 8.6, this little bugger lets an authenticated user execute code on the Microsoft IIS web server that hosts Cityworks. It needs a valid login, but once the attacker has one it is like handing over the keys to the city, literally. Trimble shipped fixes in January 2025 (Cityworks 15.8.9 and Cityworks with office companion 23.10), and CISA added the flaw to its Known Exploited Vulnerabilities catalog in February after exploitation in the wild was confirmed. For the practitioner, the check is simple: confirm the Cityworks server is on a fixed version, and review which accounts can reach the application, since the bug is only as exposed as its user base. Talk about a security slip-up that could have used a little more TLC, or perhaps a little less RCE (remote code execution).
China’s Cyber Gymnastics: Flipping Zero-Day Exploits
Enter UAT-6382, a threat actor with a flair for the dramatic and a penchant for digital espionage. According to Cisco Talos, this group has been twirling around the Cityworks vulnerability since at least January 2025, targeting US local governing bodies with the grace of a cyber acrobat. The routine starts with exploitation of CVE-2025-0994, followed by reconnaissance of the compromised server, deployment of webshells for hands-on-keyboard access, and a dash of malware for persistence. Talos also reports that this Chinese-speaking troupe used TetraLoader, a Rust-based loader, to fetch and execute Cobalt Strike beacons. Talk about a performance worthy of a standing ovation, or perhaps a standing firewall.
The Malware Menagerie: A Peek Behind the Digital Curtain
The intrusions orchestrated by UAT-6382 are nothing short of a digital circus, featuring a menagerie of malware and techniques that would make any defender sweat. From AntSword webshells to the chinatso/Chopper and Behinder variants, the group has been dropping backdoors on IIS servers with the precision of a lion tamer. Their antics also include PowerShell commands to set up camp within systems, as well as various file uploaders used to stage data for exfiltration. A webshell on an IIS host is a script file the server will happily execute for anyone who can reach it, so the telltale signs are a script written to a directory the application should not be writing to, traffic to it that is all POST and never a normal page load, and a client that does not look like a browser. It is a veritable malware zoo out there, folks, and UAT-6382 is the zookeeper with a master plan.
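The webshell tells described above, as an added example rather than anything from the Talos report: a small Python triage script that parses IIS W3C-format access logs and scores each script endpoint on those signals. The log lines, IP addresses (documentation ranges), application paths and the list of "writable" directories are all constructed for illustration; the only real indicator used is AntSword's default `antSword/v2.1` User-Agent string. Scoring weights are an assumption to tune against your own baseline.

```python
"""Heuristic webshell triage over IIS W3C logs (added example, not from the Talos report)."""
import re
from collections import defaultdict

# Constructed sample log: hypothetical app paths, documentation-range IPs.
# IIS writes spaces inside the User-Agent as '+', which keeps the line whitespace-splittable.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-20 09:12:01 10.0.0.5 GET /app/Login.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200
2025-01-20 09:12:05 10.0.0.5 POST /app/Login.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 302
2025-01-20 09:12:06 10.0.0.5 GET /app/Home.aspx - 443 jdoe 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200
2025-01-20 09:15:40 10.0.0.5 POST /app/api/save.ashx - 443 jdoe 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200
2025-01-20 09:16:02 10.0.0.5 POST /app/api/save.ashx - 443 asmith 198.51.100.21 Mozilla/5.0+(Windows+NT+10.0) 200
2025-01-21 02:03:11 10.0.0.5 POST /app/uploads/report.aspx - 443 - 203.0.113.7 antSword/v2.1 200
2025-01-21 02:03:15 10.0.0.5 POST /app/uploads/report.aspx - 443 - 203.0.113.7 antSword/v2.1 200
2025-01-21 02:04:30 10.0.0.5 POST /app/uploads/report.aspx - 443 - 203.0.113.7 antSword/v2.1 200
"""

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")
WRITABLE_DIRS = ("/uploads/", "/temp/", "/tmp/")       # assumption: dirs the app itself writes into
KNOWN_SHELL_CLIENT_UA = re.compile(r"antSword", re.I)   # AntSword's default client User-Agent
THRESHOLD = 3                                           # assumption: minimum score to report


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def score_paths(records):
    """Aggregate per script path and score the webshell-like signals."""
    stats = defaultdict(lambda: {"methods": set(), "clients": set(), "uas": set(), "hits": 0})
    for r in records:
        path = r["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXT):
            continue  # static content cannot be a server-side shell
        s = stats[path]
        s["methods"].add(r["cs-method"].upper())
        s["clients"].add(r["c-ip"])
        s["uas"].add(r["cs(User-Agent)"])
        s["hits"] += 1

    findings = []
    for path, s in stats.items():
        score, reasons = 0, []
        if s["methods"] == {"POST"}:
            score += 2; reasons.append("POST-only endpoint, never rendered with GET")
        if any(KNOWN_SHELL_CLIENT_UA.search(ua) for ua in s["uas"]):
            score += 2; reasons.append("User-Agent matches a known webshell client")
        if any(d in path for d in WRITABLE_DIRS):
            score += 1; reasons.append("script executing from a writable directory")
        if len(s["clients"]) == 1 and s["hits"] > 1:
            score += 1; reasons.append("all traffic from a single client IP")
        findings.append({"path": path, "score": score, "reasons": reasons,
                         "clients": sorted(s["clients"])})
    return sorted(findings, key=lambda f: -f["score"])


def suspicious_paths(text, threshold=THRESHOLD):
    """Return only the findings at or above the reporting threshold."""
    return [f for f in score_paths(parse_w3c(text)) if f["score"] >= threshold]


if __name__ == "__main__":
    for f in suspicious_paths(SAMPLE_LOG):
        print(f"{f['path']}  score={f['score']}  clients={','.join(f['clients'])}")
        for why in f["reasons"]:
            print("   -", why)
```

On the sample, the legitimate POST-only API endpoint `/app/api/save.ashx` scores 2 because several users hit it from different addresses, while `/app/uploads/report.aspx` scores 6 and is the one reported. In a real investigation the next step is to pull that file from the web root and compare its creation time against the first request to it, since a script that appears in the filesystem right before its first POST is the classic dropped-shell pattern.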
Unmasking the Culprits: A Clue-Laden Trail
While neither Trimble nor CISA initially pointed fingers, Cisco Talos was not shy about naming UAT-6382 as the group behind the chaos. Chinese-language messages in the webshells, the use of MaLoader (a malware builder written in Simplified Chinese) to produce TetraLoader, and hands-on-keyboard activity throughout the intrusions all pointed to a Chinese-speaking group. It is like leaving breadcrumbs at a crime scene, except these breadcrumbs are digital artifacts that announce, "We're here, and we write in Chinese!" UAT-6382 has left an indelible mark on the cybersecurity landscape, reminding us all that the battle against cyber threats is far from over.
