Chinese hackers exploit Trimble Cityworks flaw to infiltrate U.S. government networks

A Chinese-speaking threat actor tracked as UAT-6382 has been linked to the exploitation of a now-patched remote-code-execution vulnerability in Trimble Cityworks to deliver Cobalt Strike and VShell.

“UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance, and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access,” Cisco Talos researchers Asheer Malhotra and Brandon White said in an analysis published today. “Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utility management.”

The network security company said it observed the attacks targeting enterprise networks of local governing bodies in the United States starting January 2025.

Read more at The Hacker News