A Chinese-speaking threat entity identified as UAT-6382 has been associated with the utilization of a recently patched remote-code-execution weakness in Trimble Cityworks to distribute Cobalt Strike and VShell.
“UAT-6382 effectively leveraged CVE-2025-0944, engaged in reconnaissance activities, and quickly launched an assortment of web shells and tailor-made malware to ensure sustained access,” stated Cisco Talos researchers.