A sophisticated threat group identified as UAT-6382 is exploiting a zero-day vulnerability in Cityworks, an asset management platform widely used by local governments across the United States.
The vulnerability, tracked as CVE-2025-0994, allows attackers to execute code remotely. Exploitation began as early as January 2025 and has mainly targeted infrastructure-related systems, raising serious concerns about the security of public utilities.
Critical Flaw in Cityworks
The exploit focuses on Cityworks applications running on Microsoft IIS servers. Once attackers gain access, they deploy web shells and custom malware to maintain long-term control of the system.
Victims include multiple local government bodies, with attackers quickly shifting to systems storing critical infrastructure data.
According to Cisco Talos, this campaign is highly likely to be linked to Chinese-speaking actors, based on their tools and methods. Web shells used in the attacks include messages in Chinese, and a malware builder called MaLoader—written entirely in Simplified Chinese—was used to create the payloads.
Attack Methodology
The attack starts with exploitation of the Cityworks vulnerability. After gaining access, hackers run basic commands to map out the server. They then deploy web shells like AntSword and Chopper, which give them continued access and enable data exfiltration.
TetraLoader: Rust-Based Payload Delivery
A key feature of this campaign is the use of a Rust-based loader named TetraLoader. This tool is responsible for delivering advanced malware, including Cobalt Strike and a backdoor known as VSHell.
TetraLoader is built using the MaLoader framework, first released on GitHub in December 2024. It works by decoding an embedded payload and injecting it into trusted processes like notepad.exe.
The following disassembly snippet shows the byte-by-byte XOR loop the VSHell stager runs when processing commands:
loc_7FF6072D6411:
    xor     r8d, r8d                    ; i = 0
    test    eax, eax                    ; eax = number of bytes to process
    jz      short loc_7FF6072D6428      ; nothing to do when the length is zero
loc_7FF6072D6418:
    lea     ecx, [r8+rsi]               ; ecx = offset (rsi) + i
    add     r8d, r14d                   ; i += step (r14d)
    xor     byte ptr [rcx+rdi], 99h     ; buffer[rdi + rsi + i] ^= 0x99 (i before the increment)
    cmp     r8d, eax                    ; compare i with the length
    jb      short loc_7FF6072D6418      ; loop while i < length
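As an added example (not code from the article, Cisco Talos, or the malware itself), the Python below reproduces the single-byte XOR loop above in a form an analyst can run over a captured buffer, and uses it to triage a blob for a PE header hidden behind the 0x99 key. The register-to-parameter mapping, the sample blob and the "This program" check are assumptions made for this illustration.

```python
# Added example (not from the article or Cisco Talos): reproduce the XOR loop
# from the VSHell stager disassembly and use it to triage a captured buffer.
from typing import Optional

XOR_KEY = 0x99  # the immediate in "xor byte ptr [rcx+rdi], 99h"


def xor_decode_block(buf: bytes, offset: int, length: int, step: int = 1,
                     key: int = XOR_KEY) -> bytes:
    """Mirror the loop: for i = 0, step, 2*step, ... while i < length,
    XOR buf[offset + i] with key. Assumed mapping: rdi=buf, rsi=offset,
    eax=length, r14d=step."""
    if step <= 0:
        raise ValueError("step (r14d) must be positive or the loop never ends")
    out = bytearray(buf)
    i = 0  # r8d starts at zero (xor r8d, r8d)
    while i < length:  # cmp r8d, eax / jb
        idx = offset + i
        if idx >= len(out):
            raise IndexError("loop would write past the end of the buffer")
        out[idx] ^= key
        i += step  # add r8d, r14d
    return bytes(out)


def find_xor_encoded_pe(buf: bytes, key: int = XOR_KEY) -> Optional[int]:
    """Return the offset of an 'MZ' header that appears once the buffer is
    XOR-decoded with key, or None. Cheap triage for blobs found next to a
    web shell; a hit is a reason to look closer, not proof on its own."""
    encoded_mz = bytes(b ^ key for b in b"MZ")
    pos = buf.find(encoded_mz)
    while pos != -1:
        window = min(80, len(buf) - pos)
        decoded = xor_decode_block(buf, pos, window)
        # The DOS stub text is a stronger signal than the two magic bytes alone.
        if b"This program" in decoded[pos:pos + window]:
            return pos
        pos = buf.find(encoded_mz, pos + 1)
    return None


# Constructed sample: a fake DOS header plus stub text, XOR-encoded with 0x99
# and wrapped in junk bytes, standing in for a captured blob.
_PLAIN = b"MZ\x90\x00" + b"\x00" * 56 + b"This program cannot be run in DOS mode."
SAMPLE_BLOB = b"junk" + bytes(b ^ XOR_KEY for b in _PLAIN) + b"tail"

if __name__ == "__main__":
    print("encoded PE header at offset:", find_xor_encoded_pe(SAMPLE_BLOB))
```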
Capabilities of VSHell
Written in Go, VSHell offers a wide range of remote access functions. These include:
- File upload and download
- Command execution
- Screenshot capture
- Network proxying
The malware’s command-and-control interface mainly uses Chinese, with minimal English support—further suggesting the attackers are Chinese-speaking operators.
Impact and Concerns
This campaign highlights the growing risks to critical infrastructure from state-linked cyber threat groups. With tools like TetraLoader and VSHell, attackers can silently maintain access to sensitive government systems, making detection and response more difficult.