{"id":71180,"date":"2025-05-23T15:14:53","date_gmt":"2025-05-23T19:14:53","guid":{"rendered":"https:\/\/statescoop.com\/?p=71180"},"modified":"2025-05-23T15:14:56","modified_gmt":"2025-05-23T19:14:56","slug":"chinese-hackers-cityworks-vulnerability-malware-2025","status":"publish","type":"post","link":"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/","title":{"rendered":"Report: Chinese hackers used Cityworks vulnerability to deliver malware"},"content":{"rendered":"\n<p>Since January, Chinese-speaking hackers have launched malware attacks targeting enterprise networks of local governments by remotely exploiting a vulnerability in Trimble&#8217;s asset management software Cityworks, according to a <a href=\"https:\/\/blog.talosintelligence.com\/uat-6382-exploits-cityworks-vulnerability\/\">report<\/a> published Thursday by Cisco Talos.<\/p>\n\n\n\n<p>The hackers, whose activity is being tracked under the identifier UAT-6382, exploited a now-patched vulnerability in the Cityworks software to execute &#8220;intrusions in enterprise networks of local governing bodies in the United States,&#8221; the report said.<\/p>\n\n\n\n<p>Back in February, the Cybersecurity and Infrastructure Security Agency issued an <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-25-037-04\">advisory<\/a> about the <a href=\"https:\/\/statescoop.com\/cisa-issues-advisory-trimble-cityworks-software\/\">security vulnerability in Cityworks<\/a> \u2014 which is being tracked as <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-0994\">CVE-2025-0994<\/a> \u2014 stating that bad actors could gain administrative access through a customer\u2019s Internet Information Services, or IIS, a Microsoft web server often used for hosting websites, applications and services on Windows.<\/p>\n\n\n\n<p>The Environmental Protection Agency also issued an <a 
href=\"https:\/\/www.epa.gov\/system\/files\/documents\/2025-02\/epa-ow-cybersecurity-alert_cityworks_2_10_2025_508c.pdf?utm_medium=email\">alert<\/a> in February to inform water and wastewater system owners and operators of cyber incidents involving Cityworks software, urging them to immediately install patches and updates on systems that run the software.<\/p>\n\n\n\n<p>&#8220;UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access,&#8221; the Talos report said. &#8220;Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management.&#8221;<\/p>\n\n\n\n<p>Trimble&#8217;s Cityworks software is GIS-based, and it is used by numerous local governments, utilities organizations and public agencies across the country to manage their infrastructure and community services.<\/p>\n\n\n\n<p>Using remote execution, the threat actors exploited the vulnerability and deployed platform attack tools like <a href=\"https:\/\/www.csoonline.com\/article\/574143\/here-is-why-you-should-have-cobalt-strike-detection-in-place.html\">Cobalt Strike<\/a> and VShell to conduct reconnaissance on systems, according to the Talos report. 
From there, the bad actors were able to identify and fingerprint the server, and then they utilized malicious web shells that are commonly used by Chinese-based hacking groups.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The bad actors have exploited the vulnerability since January, delivering malware to local governments and utilities groups.<\/p>\n","protected":false},"author":133,"featured_media":19369,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"disable_grayscale_images":true,"grayscale_contrast":0,"sponsored_content":false,"display_author_bio":true,"story_type":"","footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[4675,4676,20646],"tags":[4,12,209,262,16536,25333,25403,25404],"people":[],"special-report":[],"authors":[23807],"class_list":["post-71180","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-county-local","category-city","category-cybersecurity","tag-tech-news","tag-state-local-news","tag-critical-infrastructure","tag-malware","tag-cybersecurity","tag-critical-infrastructure-cybersecurity","tag-cityworks","tag-trimble","author-kquinlan"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Report: Chinese hackers used Cityworks vulnerability to deliver malware | StateScoop<\/title>\n<meta name=\"description\" content=\"The bad actors have exploited the vulnerability since January, delivering malware to local governments and utilities groups.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Report: Chinese hackers used Cityworks vulnerability to deliver malware | StateScoop\" \/>\n<meta property=\"og:description\" content=\"The bad actors have exploited the vulnerability since January, delivering malware to local governments and utilities groups.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/\" \/>\n<meta property=\"og:site_name\" content=\"StateScoop\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/StateScoop\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-23T19:14:53+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-23T19:14:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2018\/09\/fireeye-sep-2018-tech-brief-Header.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Keely Quinlan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@State_Scoop\" \/>\n<meta name=\"twitter:site\" content=\"@State_Scoop\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/\",\"url\":\"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/\",\"name\":\"Report: Chinese hackers used Cityworks vulnerability to deliver malware | 
StateScoop\",\"isPartOf\":{\"@id\":\"https:\/\/statescoop.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2018\/09\/fireeye-sep-2018-tech-brief-Header.jpg\",\"datePublished\":\"2025-05-23T19:14:53+00:00\",\"dateModified\":\"2025-05-23T19:14:56+00:00\",\"description\":\"The bad actors have exploited the vulnerability since January, delivering malware to local governments and utilities groups.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/#primaryimage\",\"url\":\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2018\/09\/fireeye-sep-2018-tech-brief-Header.jpg\",\"contentUrl\":\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2018\/09\/fireeye-sep-2018-tech-brief-Header.jpg\",\"width\":1920,\"height\":1080,\"caption\":\"(StateScoop)\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/statescoop.com\/#website\",\"url\":\"https:\/\/statescoop.com\/\",\"name\":\"StateScoop\",\"description\":\"Latest news and events in state and local government 
technology\",\"publisher\":{\"@id\":\"https:\/\/statescoop.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/statescoop.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/statescoop.com\/#organization\",\"name\":\"StateScoop\",\"url\":\"https:\/\/statescoop.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/statescoop.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/StateScoop-Black.png\",\"contentUrl\":\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/StateScoop-Black.png\",\"width\":1470,\"height\":186,\"caption\":\"StateScoop\"},\"image\":{\"@id\":\"https:\/\/statescoop.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/StateScoop\/\",\"https:\/\/x.com\/State_Scoop\",\"https:\/\/www.linkedin.com\/company\/statescoop\/\",\"https:\/\/www.youtube.com\/@StateScoop\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Report: Chinese hackers used Cityworks vulnerability to deliver malware | StateScoop","description":"The bad actors have exploited the vulnerability since January, delivering malware to local governments and utilities groups.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/","og_locale":"en_US","og_type":"article","og_title":"Report: Chinese hackers used Cityworks vulnerability to deliver malware | StateScoop","og_description":"The bad actors have exploited the vulnerability since January, delivering malware to local governments and utilities groups.","og_url":"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/","og_site_name":"StateScoop","article_publisher":"https:\/\/www.facebook.com\/StateScoop\/","article_published_time":"2025-05-23T19:14:53+00:00","article_modified_time":"2025-05-23T19:14:56+00:00","og_image":[{"width":1920,"height":1080,"url":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2018\/09\/fireeye-sep-2018-tech-brief-Header.jpg","type":"image\/jpeg"}],"author":"Keely Quinlan","twitter_card":"summary_large_image","twitter_creator":"@State_Scoop","twitter_site":"@State_Scoop","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/","url":"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/","name":"Report: Chinese hackers used Cityworks vulnerability to deliver malware | 
StateScoop","isPartOf":{"@id":"https:\/\/statescoop.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/#primaryimage"},"image":{"@id":"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/#primaryimage"},"thumbnailUrl":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2018\/09\/fireeye-sep-2018-tech-brief-Header.jpg","datePublished":"2025-05-23T19:14:53+00:00","dateModified":"2025-05-23T19:14:56+00:00","description":"The bad actors have exploited the vulnerability since January, delivering malware to local governments and utilities groups.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/#primaryimage","url":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2018\/09\/fireeye-sep-2018-tech-brief-Header.jpg","contentUrl":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2018\/09\/fireeye-sep-2018-tech-brief-Header.jpg","width":1920,"height":1080,"caption":"(StateScoop)"},{"@type":"WebSite","@id":"https:\/\/statescoop.com\/#website","url":"https:\/\/statescoop.com\/","name":"StateScoop","description":"Latest news and events in state and local government 
technology","publisher":{"@id":"https:\/\/statescoop.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/statescoop.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/statescoop.com\/#organization","name":"StateScoop","url":"https:\/\/statescoop.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/statescoop.com\/#\/schema\/logo\/image\/","url":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/StateScoop-Black.png","contentUrl":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/StateScoop-Black.png","width":1470,"height":186,"caption":"StateScoop"},"image":{"@id":"https:\/\/statescoop.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/StateScoop\/","https:\/\/x.com\/State_Scoop","https:\/\/www.linkedin.com\/company\/statescoop\/","https:\/\/www.youtube.com\/@StateScoop"]}]}},"parsely":{"version":"1.1.0","canonical_url":"https:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/","smart_links":{"inbound":0,"outbound":0},"traffic_boost_suggestions_count":0,"meta":{"@context":"https:\/\/schema.org","@type":"NewsArticle","headline":"Report: Chinese hackers used Cityworks vulnerability to deliver malware","url":"http:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/","mainEntityOfPage":{"@type":"WebPage","@id":"http:\/\/statescoop.com\/chinese-hackers-cityworks-vulnerability-malware-2025\/"},"thumbnailUrl":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2018\/09\/fireeye-sep-2018-tech-brief-Header.jpg?w=150&h=150&crop=1","image":{"@type":"ImageObject","url":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2018\/09\/fireeye-sep-2018-tech-brief-Header.jpg"},"articleSection":"County &amp; 
Local","author":[{"@type":"Person","name":"Keely Quinlan","url":"https:\/\/statescoop.com\/author\/kquinlan\/"}],"creator":["Keely Quinlan"],"publisher":{"@type":"Organization","name":"StateScoop","logo":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/cropped-ss_favicon.png"},"keywords":["cityworks","critical infrastructure","critical infrastructure cybersecurity","cybersecurity","malware","state &amp; local news","tech news","trimble"],"dateCreated":"2025-05-23T19:14:53Z","datePublished":"2025-05-23T19:14:53Z","dateModified":"2025-05-23T19:14:56Z"},"rendered":"<script type=\"application\/ld+json\" class=\"wp-parsely-metadata\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@type\":\"NewsArticle\",\"headline\":\"Report: Chinese hackers used Cityworks vulnerability to deliver malware\",\"url\":\"http:\\\/\\\/statescoop.com\\\/chinese-hackers-cityworks-vulnerability-malware-2025\\\/\",\"mainEntityOfPage\":{\"@type\":\"WebPage\",\"@id\":\"http:\\\/\\\/statescoop.com\\\/chinese-hackers-cityworks-vulnerability-malware-2025\\\/\"},\"thumbnailUrl\":\"https:\\\/\\\/statescoop.com\\\/wp-content\\\/uploads\\\/sites\\\/6\\\/2018\\\/09\\\/fireeye-sep-2018-tech-brief-Header.jpg?w=150&h=150&crop=1\",\"image\":{\"@type\":\"ImageObject\",\"url\":\"https:\\\/\\\/statescoop.com\\\/wp-content\\\/uploads\\\/sites\\\/6\\\/2018\\\/09\\\/fireeye-sep-2018-tech-brief-Header.jpg\"},\"articleSection\":\"County &amp; Local\",\"author\":[{\"@type\":\"Person\",\"name\":\"Keely Quinlan\",\"url\":\"https:\\\/\\\/statescoop.com\\\/author\\\/kquinlan\\\/\"}],\"creator\":[\"Keely Quinlan\"],\"publisher\":{\"@type\":\"Organization\",\"name\":\"StateScoop\",\"logo\":\"https:\\\/\\\/statescoop.com\\\/wp-content\\\/uploads\\\/sites\\\/6\\\/2023\\\/01\\\/cropped-ss_favicon.png\"},\"keywords\":[\"cityworks\",\"critical infrastructure\",\"critical infrastructure cybersecurity\",\"cybersecurity\",\"malware\",\"state &amp; local news\",\"tech 
news\",\"trimble\"],\"dateCreated\":\"2025-05-23T19:14:53Z\",\"datePublished\":\"2025-05-23T19:14:53Z\",\"dateModified\":\"2025-05-23T19:14:56Z\"}<\/script>","tracker_url":"https:\/\/cdn.parsely.com\/keys\/statescoop.com\/p.js"},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2018\/09\/fireeye-sep-2018-tech-brief-Header.jpg","distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"StateScoop","distributor_original_site_url":"https:\/\/statescoop.com","push-errors":false,"_links":{"self":[{"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/posts\/71180","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/users\/133"}],"replies":[{"embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/comments?post=71180"}],"version-history":[{"count":4,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/posts\/71180\/revisions"}],"predecessor-version":[{"id":71184,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/posts\/71180\/revisions\/71184"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/media\/19369"}],"wp:attachment":[{"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/media?parent=71180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/categories?post=71180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/tags?post=71180"},{"taxonomy":"people","embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/people?post=71180"},{"taxonomy":"special-report","embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/special-report?post=71180"},{"taxonomy":"author","embeddable
":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/authors?post=71180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}