
Exploits Cityworks zero-day vulnerability to deliver malware

Medium
Published: Thu May 22 2025 (05/22/2025, 14:44:12 UTC)
Source: AlienVault OTX General

Description

Chinese-speaking threat actors, dubbed UAT-6382, have been exploiting a remote-code-execution vulnerability (CVE-2025-0994) in Cityworks, a popular asset management system. The attacks, which began in January 2025, target local governing bodies in the United States, focusing on utilities management systems. The threat actors deploy various web shells, including AntSword and Chopper, and use custom Rust-based loaders called TetraLoader to deliver Cobalt Strike beacons and VSHell malware. The attackers conduct reconnaissance, enumerate directories, and stage files for exfiltration. Their tooling and tactics indicate a high level of proficiency in the Chinese language, suggesting a Chinese origin for the threat group.

AI-Powered Analysis

Last updated: 06/22/2025, 03:51:14 UTC

Technical Analysis

The threat involves a remote code execution (RCE) zero-day vulnerability identified as CVE-2025-0994 in Cityworks, a widely used asset management system primarily deployed by local government entities for utilities and infrastructure management. Since January 2025, a Chinese-speaking threat actor group known as UAT-6382 has been actively exploiting this vulnerability. The exploitation chain begins with the attackers leveraging the RCE flaw to gain unauthorized access to Cityworks servers. Once inside, they deploy multiple web shells, including AntSword and China Chopper variants, to maintain persistent access and facilitate further operations. The attackers utilize a custom Rust-based loader named TetraLoader to deliver advanced payloads such as Cobalt Strike beacons and VSHell malware, which are commonly used for command and control, lateral movement, and data exfiltration. Their activities include reconnaissance of the compromised environment, directory enumeration, and staging of files for exfiltration, indicating a focus on intelligence gathering and potential disruption or espionage. The tooling and operational tactics demonstrate a high level of sophistication and fluency in Chinese, strongly suggesting the threat actor’s origin. Despite the absence of publicly available patches or CVSS scoring, the exploitation of a zero-day in critical infrastructure management software combined with advanced malware deployment underscores a significant threat to targeted organizations.

Potential Impact

For European organizations, particularly those involved in local government, utilities, and critical infrastructure management, this threat poses a substantial risk. Cityworks is used internationally, including in Europe, for asset and work management in sectors such as water, electricity, and public works. Successful exploitation could lead to unauthorized control over asset management systems, enabling attackers to disrupt utility services, manipulate operational data, or exfiltrate sensitive information. This could result in service outages, financial losses, reputational damage, and potential safety hazards for the public. Additionally, the deployment of sophisticated malware like Cobalt Strike and VSHell facilitates further lateral movement within networks, increasing the risk of widespread compromise. The threat actor’s focus on reconnaissance and staging files for exfiltration suggests espionage motives, which could impact the confidentiality of sensitive governmental and infrastructure data. Given the critical nature of utilities and local government services, the impact extends beyond IT systems to societal and economic stability.

Mitigation Recommendations

1. Immediate network segmentation of Cityworks servers to limit lateral movement in case of compromise.
2. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting web shell activity and unusual process execution, specifically monitoring for AntSword, China Chopper, TetraLoader, and Cobalt Strike indicators.
3. Implement strict access controls and multi-factor authentication (MFA) for all administrative interfaces of Cityworks and related infrastructure.
4. Conduct thorough network traffic analysis to identify command and control communications associated with Cobalt Strike and VSHell malware, using threat intelligence feeds to update detection signatures.
5. Perform regular integrity checks on Cityworks application files and directories to detect unauthorized modifications or staging of files.
6. Establish a rapid incident response plan tailored to Cityworks environments, including offline backups and recovery procedures.
7. Engage with Cityworks vendors and monitor official channels for patches or advisories related to CVE-2025-0994, applying updates promptly once available.
8. Conduct targeted user training for IT and operational staff on recognizing phishing and social engineering tactics that could facilitate initial access or privilege escalation.
9. Utilize threat hunting exercises focusing on TTPs (tactics, techniques, and procedures) associated with UAT-6382, including reconnaissance and lateral movement patterns.
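One way to implement the integrity check in item 5, as an added example that is not part of the original report or of Cityworks: hash every file under the application's web root into a baseline, then diff a later snapshot against it, calling out new server-side script files separately, since a freshly dropped web shell shows up exactly that way. The extension list and the sample directory layout are assumptions, and the files in the demo are constructed.

```python
import hashlib
import os
import tempfile

# Extensions a typical web server executes server-side. A NEW file with one of
# these under the web root is the classic footprint of a dropped web shell.
# This list is an assumption, not taken from the report.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".jsp", ".php", ".cshtml"}

def snapshot(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            result[rel] = h.hexdigest()
    return result

def diff(baseline, current):
    """Classify every difference between a trusted baseline and a fresh snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    suspicious = [p for p in added if os.path.splitext(p)[1].lower() in SCRIPT_EXTS]
    return {"added": added, "removed": removed, "modified": modified,
            "suspicious": suspicious}

def demo():
    """Constructed scenario: baseline a fake web root, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Content"))
        with open(os.path.join(root, "web.config"), "w") as f:
            f.write("<configuration/>")
        with open(os.path.join(root, "Content", "site.css"), "w") as f:
            f.write("body {}")
        baseline = snapshot(root)
        # Post-compromise state: a new server-side script appears and an
        # existing config file is altered (both files are constructed, inert).
        with open(os.path.join(root, "Content", "help.aspx"), "w") as f:
            f.write("<!-- constructed placeholder -->")
        with open(os.path.join(root, "web.config"), "a") as f:
            f.write("<!-- altered -->")
        return diff(baseline, snapshot(root))
```

In production the baseline would be stored off-host (or signed) so an intruder with write access to the web root cannot also rewrite the reference hashes.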


Technical Details

Author: AlienVault
TLP: white
References: https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/
Adversary: UAT-6382
Pulse Id: 682f383c63fd8a92ece6dfce

Indicators of Compromise

IP

192.210.239.172

CVE

CVE-2025-0944



Domain

lgaircon.xyz
cdn.lgaircon.xyz
cdn.phototagx.com
www.roomako.com

Threat ID: 682f3a100acd01a2492611c9

Added to database: 5/22/2025, 2:52:00 PM

Last enriched: 6/22/2025, 3:51:14 AM

Last updated: 8/18/2025, 11:30:47 PM

Views: 70
