216.73.217.22

Exploits Cityworks zero-day vulnerability to deliver malware

· Published 22/05/2025 14:44 · Modified 22/05/2025 15:07

Export JSON

Essential information

Published
22/05/2025 14:44
Modified
22/05/2025 15:07
Tags
2025-05-22 CVE-2025-0994 antsword china chopper chinese threat actors cityworks cobalt strike exploitation tetraloader vshell web shells
Related entities
1 vulnerabilities (cve), 18 observables, 1 intrusion sets (apt), 19 techniques (mitre), 5 malware, 2 others

Description

Chinese-speaking threat actors, dubbed UAT-6382, have been exploiting a remote-code-execution vulnerability () in , a popular asset management system. The attacks, which began in January 2025, target local governing bodies in the United States, focusing on utilities management systems. The threat actors deploy various , including and Chopper, and use custom Rust-based loaders called to deliver beacons and malware. The attackers conduct reconnaissance, enumerate directories, and stage files for exfiltration. Their tooling and tactics indicate a high level of proficiency in the Chinese language, suggesting a Chinese origin for the threat group.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (1)

CVE-2025-0944
6.3 Medium

A vulnerability was found in itsourcecode Tailoring Management System 1.0. It has been rated as critical. This issue affects some unknown processing …

Attack vector
NETWORK
Published
01/02/2025
Modified
21/12/2025
Analyzed

Observables (18)

  • 192.210.239.172
  • www.roomako.com
  • https://www.roomako.com/jquery-3.3.1.min.js
  • https://lgaircon.xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2
  • https://cdn.lgaircon.xyz/jquery-3.3.1.min.js
  • http://cdn.phototagx.com/
  • http://192.210.239.172:3219/z44.exe
  • http://192.210.239.172:3219/TJPLYT.exe
  • http://192.210.239.172:3219/MCUCAT.exe
  • http://192.210.239.172:3219/LVLWPH.exe
  • lgaircon.xyz
  • cdn.lgaircon.xyz
  • cdn.phototagx.com
  • c02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738
  • 1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901
  • 14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f
  • 4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9
  • 1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b

Intrusion sets (APT) (1)

  • UAT-6382
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 14:24 · Modified 21/12/2025 14:24

Techniques (MITRE) (19)

  • T1074
    Data Staged
  • T1204.002
    Malicious File
  • T1005
    Data from Local System
  • T1021
    Remote Services
  • T1573
    Encrypted Channel
  • T1016
    System Network Configuration Discovery
  • T1082
    System Information Discovery
  • T1057
    Process Discovery
  • T1105
    Ingress Tool Transfer
  • T1083
    File and Directory Discovery
  • T1071
    Application Layer Protocol
  • T1055
    Process Injection
  • T1140
    Deobfuscate/Decode Files or Information
  • T1132
    Data Encoding
  • T1033
    System Owner/User Discovery
  • T1027
    Obfuscated Files or Information
  • T1190
    Exploit Public-Facing Application
  • T1078
    Valid Accounts
  • T1059
    Command and Scripting Interpreter

Malware (5)

  • TetraLoader
    Family
    Published 22/05/2025 14:44 · Modified 22/05/2025 14:44
  • AntSword
    Family
    Published 06/03/2026 15:06 · Modified 06/03/2026 15:06
  • China Chopper - S0020
    Family
    Published 11/08/2025 15:44 · Modified 11/08/2025 15:44
  • VSHELL
    Family
    Published 05/05/2026 14:07 · Modified 05/05/2026 14:07
  • Cobalt Strike - S0154
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40

Others (2)

  • United States of America
  • Government

External references