Hackers Exploit Cityworks Zero-Day Flaw to Target IIS Servers with Shell Malware

Security researchers at Cisco Talos identified active exploitation of a critical remote code execution vulnerability (CVE-2025-0994) in Trimble Cityworks, a widely deployed asset management platform.

The flaw enabled Chinese-speaking threat actors, tracked under the activity cluster “UAT-6382,” to infiltrate vulnerable Cityworks deployments, particularly those maintained by U.S. local government and municipal utility organizations.

Threat Actors Leverage CVE-2025-0994

Post-exploitation, adversaries rapidly initiated reconnaissance by issuing classic system commands (e.g., ipconfig and directory enumeration), targeting the Microsoft Internet Information Services (IIS) web server that underpins Cityworks installations.

Attackers identified sensitive directories such as c:\inetpub\wwwroot\CityworksServer\WebSite\Assets to drop sophisticated ASP-based web shells.

Figure: ASP-based file uploader deployed by UAT-6382.

Multiple variants, including AntSword, chinatso/Chopper, and Behinder, all bearing Chinese-language code artefacts, were deployed to guarantee persistent remote access.
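As an added example (not code from the Talos report or this article), the following Python check scans constructed IIS W3C log lines for requests to server-side script files under the Cityworks Assets directory named above, where only static files are expected; the path prefix, the extension list and the sample log lines are assumptions.

```python
"""Flag likely web-shell activity in IIS W3C logs.
Assumption: Cityworks is served from /CityworksServer/WebSite/ and legitimate
traffic to its Assets folder only fetches static files, so any request to a
server-side script under Assets is worth a look."""
from collections import Counter

# Constructed IIS W3C log lines (sample data, not real telemetry).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-05-20 10:01:02 10.0.0.5 GET /CityworksServer/WebSite/Assets/app.css - 443 - 10.0.1.7 Mozilla/5.0 200
2025-05-20 10:01:05 10.0.0.5 POST /CityworksServer/WebSite/Assets/upload.aspx - 443 - 203.0.113.9 antSword/v2.1 200
2025-05-20 10:01:09 10.0.0.5 POST /CityworksServer/WebSite/Assets/upload.aspx - 443 - 203.0.113.9 antSword/v2.1 200
2025-05-20 10:02:11 10.0.0.5 GET /CityworksServer/WebSite/Home.aspx - 443 jdoe 10.0.1.8 Mozilla/5.0 200
"""

ASSETS_PREFIX = "/cityworksserver/website/assets/"   # webroot path named in the article
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp")    # server-side handlers, not static assets

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))

def find_webshell_hits(text):
    """Return (uri, client_ip) -> request count for script files under Assets."""
    hits = Counter()
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if uri.startswith(ASSETS_PREFIX) and uri.endswith(SCRIPT_EXTS):
            hits[(rec["cs-uri-stem"], rec["c-ip"])] += 1
    return hits

if __name__ == "__main__":
    for (uri, ip), n in find_webshell_hits(SAMPLE_LOG).items():
        print(f"suspect script under Assets: {uri} from {ip} ({n} requests)")
```

Run against the real logs, the same function highlights newly appearing .aspx/.ashx names in the Assets path, which is where the report says the web shells were dropped.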

A distinctive aspect of this campaign was the integration of Rust-based loader malware dubbed “TetraLoader.”

Developed using the MaLoader framework, which is also authored in Simplified Chinese, TetraLoader enables threat actors to encapsulate custom shellcode and payloads within a Rust binary, further complicating detection.

Talos’s high-confidence assessment links the campaign’s tactics, techniques, and procedures (TTPs) to Chinese-speaking operator groups, based on linguistic and technical analysis of the deployed tooling.

Rust-Based TetraLoader

Once access was established, UAT-6382 meticulously enumerated directories to locate files of interest, staging them in attacker-controlled locations for streamlined exfiltration.

PowerShell-based downloaders were used to fetch Rust-based backdoor binaries (such as LVLWPH.exe, MCUCAT.exe, TJPLYT.exe, and z44.exe) from hard-coded attacker infrastructure (notably 192.210.239.172:3219).

According to the Cisco Talos report, these payloads, analyzed as TetraLoader variants, decrypted and injected Cobalt Strike Beacon or VShell stager shellcode into benign system processes (e.g., notepad.exe, dllhost.exe, gpupdate.exe), ensuring stealthy command-and-control (C2) operations.
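An added detection example (not Talos code): given Sysmon network-connection events exported as JSON lines (a constructed sample is embedded), it flags outbound connections to globally routable addresses from the benign processes the report names as injection hosts; the event layout and the sample events are assumptions.

```python
"""Flag outbound connections from processes that normally have no reason to
reach the internet: the injection targets named in the report.
Assumption: events are Sysmon Event ID 3 records exported as JSON lines."""
import ipaddress
import json

# Process images the report lists as injection hosts. gpupdate.exe and
# dllhost.exe may legitimately talk to internal servers, so only connections
# to global addresses are flagged.
INJECTION_TARGETS = {"notepad.exe", "dllhost.exe", "gpupdate.exe"}

# Constructed Sysmon-style events (sample data, not real telemetry); the
# destination 192.210.239.172:2219 is the VShell C2 named in the article.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "192.210.239.172", "DestinationPort": 2219, "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Windows\System32\gpupdate.exe",
     "DestinationIp": "10.0.0.10", "DestinationPort": 445, "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 443, "Protocol": "tcp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe"},
])

def is_global_dest(ip):
    """True for addresses outside private, loopback, link-local and reserved ranges."""
    return ipaddress.ip_address(ip).is_global

def suspicious_connections(jsonl):
    """Return (image basename, dest ip, dest port) for external connections
    made by one of the injection-target processes."""
    out = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 3:          # only network-connection events
            continue
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image in INJECTION_TARGETS and is_global_dest(ev["DestinationIp"]):
            out.append((image, ev["DestinationIp"], ev["DestinationPort"]))
    return out

if __name__ == "__main__":
    for image, ip, port in suspicious_connections(SAMPLE_EVENTS):
        print(f"{image} -> {ip}:{port}: unexpected external connection")
```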

The Cobalt Strike beacons exhibited minimal obfuscation, connecting over HTTPS to attacker domains including cdn.lgaircon.xyz and www.roomako.com, masquerading C2 traffic as legitimate JavaScript resource requests.

C2 instructions referenced both standard and customized network protocols, supporting persistent and flexible attacker control.

By contrast, the VShell stager implant used direct socket connections to a hard-coded C2 (such as 192.210.239.172:2219), receiving single-byte-XOR-encoded payloads and supporting a broad array of remote access trojan (RAT) functions, including file management, screenshot capture, and proxy services.

Notably, the VShell control panels were predominantly rendered in Chinese, underscoring the operators’ linguistic and regional affiliations.

Figure: A sample VShell C2 server with one client connected.

The systematic exploitation campaign demonstrates the significant operational maturity and adaptability of the adversary, notably in leveraging zero-day vulnerabilities and immediately pivoting to deploy custom, language-specific tools.

Security agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), have issued advisories, while affected organizations are urged to patch Cityworks instances and monitor networks for the presence of listed indicators of compromise (IOCs).

Key Indicators of Compromise (IOCs)

| Type | Indicator | Details |
|---|---|---|
| Vulnerability | CVE-2025-0994 | Cityworks remote code execution flaw |
| Malware hashes | 14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f | TetraLoader samples |
| | 4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9 | |
| | 1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b | |
| | 1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901 | |
| C2 domains | cdn.lgaircon.xyz | Cobalt Strike, VShell C2s |
| | www.roomako.com | |
| | lgaircon.xyz | |
| | cdn.phototagx.com | |
| C2 URLs | https://www.roomako.com/jquery-3.3.1.min.js | Cobalt Strike beacon URIs |
| | https://lgaircon.xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2 | |
| | https://cdn.lgaircon.xyz/jquery-3.3.1.min.js | |
| | hxxps://cdn.phototagx.com/ | |
| C2 IP address | 192.210.239.172 | VShell C2 server |
| Malware URLs | hxxp://192.210.239.172:3219/LVLWPH.exe | Downloaded backdoor binaries |
| | hxxp://192.210.239.172:3219/MCUCAT.exe | |
| | hxxp://192.210.239.172:3219/TJPLYT.exe | |
| | hxxp://192.210.239.172:3219/z44.exe | |
| Web shells | AntSword, chinatso/Chopper, Behinder | Deployed on IIS webroot |

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
