.jpg)
![[The AI Show Episode 148]: Microsoft’s Quiet AI Layoffs, US Copyright Office’s Bombshell AI Guidance, 2025 State of Marketing AI Report, and OpenAI Codex](https://www.marketingaiinstitute.com/hubfs/ep%20148%20cover%20%281%29.png)
![[The AI Show Episode 146]: Rise of “AI-First” Companies, AI Job Disruption, GPT-4o Update Gets Rolled Back, How Big Consulting Firms Use AI, and Meta AI App](https://www.marketingaiinstitute.com/hubfs/ep%20146%20cover.png)
![[DEALS] Babbel Language Learning: Lifetime Subscription (All Languages) (71% off) & Other Deals Up To 98% Off – Offers End Soon!](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
![Borderlands 4 Boss Says 'A Real Fan' Will Pay $80 For Games [Update]](https://i.kinja-img.com/image/upload/c_fill,h_675,pg_1,q_80,w_1200/086e4654c281e40d12b833591d2c6fdc.jpg)
_Constantine_Soutiaguin-Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![Nomad levels up its best-selling charger with new 100W slim adapter [Hands-on]](https://i0.wp.com/9to5mac.com/wp-content/uploads/sites/6/2025/05/100w-FI.jpg.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Google just showed off Android Auto’s upcoming light theme [Gallery]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/05/android-auto-light-theme-documentation-2.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Jony Ive and OpenAI Working on AI Device With No Screen [Kuo]](https://www.iclarified.com/images/news/97401/97401/97401-640.jpg)
![Anthropic Unveils Claude 4 Models That Could Power Apple Xcode AI Assistant [Video]](https://www.iclarified.com/images/news/97407/97407/97407-640.jpg)
![Apple Leads Global Wireless Earbuds Market in Q1 2025 [Chart]](https://www.iclarified.com/images/news/97394/97394/97394-640.jpg)
UAT-638 Hackers Exploit Cityworks Zero-Day to Attack IIS Servers With VSHell Malware
A sophisticated cyber threat group designated as UAT-6382 has been actively exploiting a critical zero-day vulnerability in Cityworks, a popular asset management system used by local governments across the United States. The vulnerability, tracked as CVE-2025-0994, allows remote code execution and has been under active exploitation since January 2025. The attackers have demonstrated a particular […] The post UAT-638 Hackers Exploit Cityworks Zero-Day to Attack IIS Servers With VSHell Malware appeared first on Cyber Security News.
A sophisticated cyber threat group designated as UAT-6382 has been actively exploiting a critical zero-day vulnerability in Cityworks, a popular asset management system used by local governments across the United States.
The vulnerability, tracked as CVE-2025-0994, allows remote code execution and has been under active exploitation since January 2025.
The attackers have demonstrated a particular interest in systems related to utilities management, raising concerns about potential disruption to critical infrastructure.
The exploit targets the Cityworks application running on Microsoft Internet Information Services (IIS) servers, giving attackers an initial foothold into government networks.
Once inside, the threat actors rapidly deploy a variety of web shells and custom malware to maintain persistent access.
The intrusions have primarily affected local governing bodies in the United States, with attackers quickly pivoting to systems containing sensitive infrastructure data.
Cisco Talos researchers identified this campaign and have attributed it with high confidence to Chinese-speaking threat actors based on the tools, tactics, and procedures observed.
The researchers noted that many of the deployed web shells contained messages written in Chinese, and the custom malware utilized a builder framework called “MaLoader,” which features a user interface written entirely in Simplified Chinese.
The attack chain begins with exploitation of the Cityworks vulnerability, followed by basic reconnaissance commands to identify server characteristics.
Within minutes, attackers deploy web shells including variants of AntSword and Chopper, allowing them to maintain backdoor access and stage files for exfiltration.
TetraLoader: The Rust-Based Delivery Mechanism
The most distinctive aspect of this campaign is the deployment of a Rust-based loader dubbed “TetraLoader.” This loader serves as the delivery mechanism for more sophisticated payloads including Cobalt Strike beacons and VSHell malware.
TetraLoader is built using a relatively new malware builder framework called “MaLoader” that first appeared on GitHub in December 2024.
.webp)
TetraLoader functions by decoding an embedded payload and injecting it into legitimate processes like notepad.exe.
The following code snippet illustrates how the VSHell stager processes incoming commands:-
loc_7FF6072D6411:
xor r8d, r8d
test eax, eax
jz short loc_7FF6072D6428
loc_7FF6072D6418:
lea ecx, [r8+rsi]
add r8d, r14d
xor byte ptr [rcx+rdi], 99h
cmp r8d, eax
jb short loc_7FF6072D6418The VSHell malware itself is written in GoLang and provides comprehensive remote access capabilities including file management, command execution, screenshot capture, and network proxying functionality.
Its command and control interface, while offering limited English language support, predominantly uses Chinese, further supporting attribution to Chinese-speaking operators.
Equip your SOC team with deep threat analysis for faster response -> Get Extra
