Chinese crew caught trying to break into US city utilities • The Register

05/22/2025


A suspected Chinese crew has been exploiting a now-patched remote code execution (RCE) flaw in Trimble Cityworks to break into US local government networks and target utility management systems, according to Cisco’s Talos threat intelligence group.

Cityworks is an asset and work management platform that integrates closely with Geographic Information Systems (GIS), and is primarily used by local governments, utilities, airports, and public works departments.

Trimble disclosed and patched a deserialization vulnerability in Cityworks, tracked as CVE-2025-0994 and rated 8.6 under CVSS v4, in early February. At the time, the biz warned that an authenticated user could exploit it to achieve RCE on a customer’s Microsoft Internet Information Services (IIS) server. 

Less than a week later, the US Cybersecurity and Infrastructure Security Agency (CISA) said the flaw was under active exploitation – apparently there are still enough IIS instances in the wild to make it worth exploiting, even though Microsoft hasn’t released a major new version since 2018.

But according to Talos, attackers found and abused the bug even before the vendor issued a patch. 

These intrusions began in January, with a group Talos tracks as UAT-6382 breaking into US local governing bodies’ networks to conduct reconnaissance, snoop around for files of interest, and deploy webshells and custom malware for long-term access.

“Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management,” Talos researchers Asheer Malhotra and Brandon White said on Thursday.

The webshells include AntSword, chinatso/Chopper, both widely used by Chinese-speaking threat actors, plus generic file uploaders with messages written in Chinese. The group also deployed a custom Rust-based loader called TetraLoader, generated using MaLoader – a malware-building framework written in Chinese. 

MaLoader, which surfaced on GitHub in December 2024, allows attackers to wrap shellcode into Rust binaries.

In these attacks, UAT-6382 used TetraLoader to deploy Cobalt Strike and VShell, a Go-based remote access tool, on the infected endpoints to maintain access to the compromised systems.

“Based on the nature of this tooling, TTPs, hands-on-keyboard activity and victimology, Talos assesses with high confidence that UAT-6382 is a Chinese-speaking threat actor,” Malhotra and White note.

The Register asked Talos for additional information about the scope of the exploitation, specific targets, and if the attacks remained ongoing, but the threat hunting team told us they weren’t sharing any additional information at this time.

Trimble did not immediately respond to The Register’s inquiries. We will update this story if and when we receive answers to our questions. ®
