Exploits Cityworks zero-day vulnerability to deliver malware
May 22, 2025, 3:07 p.m.
Description
Chinese-speaking threat actors, dubbed UAT-6382, have been exploiting a remote-code-execution vulnerability (CVE-2025-0994) in Cityworks, a popular asset management system. The attacks, which began in January 2025, target local governing bodies in the United States, focusing on utilities management systems. The threat actors deploy various web shells, including AntSword and Chopper, and use custom Rust-based loaders called TetraLoader to deliver Cobalt Strike beacons and VSHell malware. The attackers conduct reconnaissance, enumerate directories, and stage files for exfiltration. Their tooling and tactics indicate a high level of proficiency in the Chinese language, suggesting a Chinese origin for the threat group.
Tags
Date
- Created: May 22, 2025, 2:44 p.m.
- Published: May 22, 2025, 2:44 p.m.
- Modified: May 22, 2025, 3:07 p.m.
Indicators
- c02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738
- 1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901
- 14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f
- 4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9
- 1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b
- 192.210.239.172
- www.roomako.com
- https://www.roomako.com/jquery-3.3.1.min.js
- https://lgaircon.xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2
- https://cdn.lgaircon.xyz/jquery-3.3.1.min.js
- http://cdn.phototagx.com/
- http://192.210.239.172:3219/z44.exe
- http://192.210.239.172:3219/TJPLYT.exe
- http://192.210.239.172:3219/MCUCAT.exe
- http://192.210.239.172:3219/LVLWPH.exe
- lgaircon.xyz
- cdn.lgaircon.xyz
- cdn.phototagx.com
Additional Informations
- Government
- United States of America