8 malware familiesExploits CVEs in the wild

UAT-6382

Also known asUAT-6382

UAT-6382 is a threat activity cluster tracked by Cisco Talos. Talos assesses with high confidence that it is operated by Chinese-speaking threat actors. The cluster is associated with active exploitation of CVE-2025-0994, a remote code execution vulnerability in Trimble Cityworks, with observed intrusions beginning in January 2025 against enterprise networks of local governing bodies in the United States. Talos also observed interest in pivoting toward systems related to utilities management. Post-compromise activity included rapid deployment of IIS web shells and file uploaders, including AntSword, Chopper/chinatso, Behinder, and generic uploaders, with Chinese-language messaging in the tooling. Observed hands-on-keyboard activity included reconnaissance and directory enumeration using commands such as ipconfig, pwd, dir, and tasklist, as well as staging backup archives into web-accessible upload directories for exfiltration. UAT-6382 used a Rust-based loader tracked as TetraLoader, built with the Chinese-language MaLoader framework, to inject payloads into benign processes such as notepad.exe. Talos observed TetraLoader deploying both Cobalt Strike beacons and a VShell stager. The VShell stager, SNOWLIGHT, was used by UAT-6382 to deliver the GoLang-based VShell remote access trojan, which supports file management, arbitrary command execution, screenshots, and NPS-based proxying. Talos noted that SNOWLIGHT has also been used by UNC5174, UNC6586, UAT-8302, and UAT-6382. Talos further observed that SNOWLIGHT used by UAT-8302 shared the same single-byte XOR key and stager behavior seen in UAT-6382 activity. Known alias in the provided content is UAT-6382.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Government & Administration
Utilities

Where they target

Geographies tied to known operations.

🇺🇸 United States

MITRE ATT&CK

Tradecraft

12 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics15 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1190×2

Exploit Public-Facing Application

TA0002

Execution

2 techniques

T1059

Command and Scripting Interpreter

T1059.001

PowerShell

T1059.003

Windows Command Shell

T1203

Exploitation for Client Execution

TA0003

Persistence

1 technique

T1505

Server Software Component

T1505.003×2

Web Shell

TA0004

Privilege Escalation

1 technique

T1055

Process Injection

TA0005

Stealth

1 technique

T1055

Process Injection

TA0007

Discovery

2 techniques

T1082

System Information Discovery

T1083

File and Directory Discovery

TA0009

Collection

1 technique

T1560

Archive Collected Data

TA0011

Command and Control

3 techniques

T1071

Application Layer Protocol

T1105×2

Ingress Tool Transfer

T1219

Remote Access Tools

ARSENAL

Associated malware families

8 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

VShellTalos has so far found two types of payloads deployed by TetraLoader on the infected endpoints: ... VShell stager ... The payload received by the VShell stager is in fact the actual VShell implant. VShell is a GoLang-based implant that talks to its C2 and provides a wide variety of remote access trojan-based functionalities.4Jun 14, 2026

Cobalt StrikeTalos has so far found two types of payloads deployed by TetraLoader on the infected endpoints: Cobalt Strike beacons.2Jun 14, 2026

SNOWLIGHTSNOWLIGHT, a VShell stager used by UNC5174, UNC6586, and UAT-6382.2May 5, 2026

AntSwordPost-compromise activity involves the rapid deployment of web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers.1Jun 14, 2026

BEHINDERThese web shells consisted of multiple variations of AntSword, chinatso and Behinder along with additional generic file uploaders containing messages written in the Chinese language.1Jun 14, 2026

3 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2025-0944SQL Injection in itsourcecode Tailoring Management System 1.0 customerview.phpIn the wildEvidence2

Talos has found intrusions in enterprise networks of local governing bodies in the United States (U.S.), beginning January 2025 when initial exploitation first took place. UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access.

CVE-2025-0994Remote Code Execution in Trimble Cityworks DeserializationIn the wildEvidence2

Cisco Talos has observed exploitation of CVE-2025-0994, a remote-code-execution vulnerability in Cityworks, a popular asset management system. The Cybersecurity and Infrastructure Security Agency (CISA) and Trimble have both released advisories pertaining to this vulnerability...

IOCS

Observables

19 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

19 IOCsView more in app

uri

8 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

hash.sha256

5 total

••••••••••••••••••••••••••••••••••••••••••••••••••

Domains

4 total

••••••.com•••••••.ru••••••••.com•••••••••.net

hash.md5

1 total

••••••••

ip.v4

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

the hacker newsNews

May 5, 2026

China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions

Threat cluster associated with use of the SNOWLIGHT VShell stager.

talos intelligence blogNews

May 5, 2026

UAT-8302 and its box full of malware

Threat cluster observed exploiting a Cityworks zero-day to deploy VSHELL using the SNOWLIGHT stager.

cloudatg insightsNews

Feb 13, 2026

AI Development & Software Engineering | CloudATG

Chinese-speaking intrusion cluster exploiting Trimble Cityworks CVE-2025-0944 to deploy web shells/custom malware and post-exploitation tooling (Cobalt Strike, VShell) for long-term access.

talosintelligence otherNews

May 22, 2025

UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware

Exploitation of Cityworks to compromise U.S. local government enterprise networks, followed by rapid web shell deployment, reconnaissance, persistence, and pivoting toward utilities-related systems.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping12

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal8

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables19

Domains, IPs, and hashes tied to this actor, refreshed continuously.