Intel Name: UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware
Date of Scan: May 26, 2025
Impact: Medium
Summary: A Chinese-speaking threat group, tracked as UAT-6382, is exploiting a zero-day vulnerability (CVE-2025-0994) in Cityworks, a popular asset management system, to gain remote code execution. The attackers deploy web shells such as AntSword and Chopper on IIS servers. Following initial access, they use Rust-based loaders called TetraLoader, built with the MaLoader framework, to deliver Cobalt Strike and VSHell malware for persistent access.
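A defender-side hunt over IIS W3C logs for the web-shell traffic pattern described above (AntSword- and Chopper-style shells post their commands to a single server-side script), added here as an example and not part of the report; the log field order, the sample lines and the baseline of legitimate script endpoints are constructed assumptions.

```python
"""Flag web-shell-style POST traffic in IIS W3C logs.
Added example: field layout, sample lines and BASELINE are assumptions."""
from collections import Counter

# Constructed sample in a common IIS W3C field order (not real log data).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2025-05-20 09:00:01 10.0.0.5 GET /cityworks/login.aspx - 443 - 203.0.113.7 Mozilla/5.0 https://cw.example/ 200 35
2025-05-20 09:00:02 10.0.0.5 POST /cityworks/login.aspx - 443 - 203.0.113.7 Mozilla/5.0 https://cw.example/login.aspx 302 40
2025-05-20 09:05:10 10.0.0.5 POST /cityworks/images/help.aspx - 443 - 198.51.100.9 antSword/v2.1 - 200 12
2025-05-20 09:05:11 10.0.0.5 POST /cityworks/images/help.aspx - 443 - 198.51.100.9 antSword/v2.1 - 200 15
2025-05-20 09:05:12 10.0.0.5 POST /cityworks/images/help.aspx - 443 - 198.51.100.9 antSword/v2.1 - 200 11
"""

# Assumed baseline: script endpoints the application is known to serve.
BASELINE = {"/cityworks/login.aspx"}
# Server-side script extensions a dropped IIS web shell would use.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx")


def parse_w3c(text):
    """Yield one dict per log record, keyed by the #Fields header names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def suspect_webshell_posts(text, baseline=BASELINE):
    """Return {(client_ip, uri_stem): count} for POSTs to script files
    outside the baseline. Shell traffic is POST-heavy, repeatedly hits one
    unexpected script, and typically carries no Referer."""
    hits = Counter()
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if rec["cs-method"] != "POST" or not stem.endswith(SCRIPT_EXT):
            continue
        if stem in baseline:
            continue  # known application endpoint, not a candidate shell
        hits[(rec["c-ip"], stem)] += 1
    return dict(hits)
```

Any hit should be cross-checked against the file's creation time in the web root, since a shell written after exploitation will not match the application's deployment timestamp.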