Exploits Cityworks zero-day vulnerability to deliver malware
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
Chinese-speaking threat actors, tracked as UAT-6382, have been exploiting a remote code execution vulnerability (CVE-2025-0994) in Cityworks, a widely used asset management system. The attacks, which began in January 2025, target local governing bodies in the United States, with a focus on utilities management systems. The threat actors deploy several web shells, including AntSword and Chopper, and use a custom Rust-based loader called TetraLoader to deliver Cobalt Strike beacons and VSHell malware. Once inside, the attackers conduct reconnaissance, enumerate directories, and stage files for exfiltration. Their tooling and tactics indicate a high level of proficiency in the Chinese language, suggesting a Chinese origin for the threat group.
OPENCTI LABELS:
cobalt strike, exploitation, china chopper, chinese threat actors, vshell, cve-2025-0994, web shells, antsword, tetraloader, cityworks