
Chinese-Speaking Hackers Breach U.S. Local Governments via Critical Infrastructure Software Flaw

Chinese-speaking threat actors are exploiting a flaw in widely used U.S. municipal infrastructure software to gain long-term access to local government systems, according to new findings from Cisco Talos.

 

The vulnerability — tracked as CVE-2025-0994 — affects Trimble Cityworks, a platform used by city and county governments to manage assets like water systems, utilities, roads, and public works. Despite warnings issued in February by both Trimble and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the bug continues to be actively exploited.

 

Cisco Talos confirmed that since at least January, attackers have used the flaw to infiltrate systems, deploy Chinese-language malware, and establish persistent access. “We’ve observed reconnaissance followed by rapid deployment of web shells and custom malware designed for long-term exploitation,” the researchers said.

 

Some of the malware used was created using MaLoader, a tool written in Simplified Chinese, and required knowledge of the language to configure and operate — reinforcing Talos’ high-confidence assessment that the campaign is being run by Chinese-speaking actors.

 

After initial access, the intruders focused on utilities-related systems, targeting sensitive directories and preparing data for exfiltration. The scope of the campaign remains unclear, but Cityworks is used by hundreds of local and federal agencies nationwide — from airports and water systems to permit offices.

 

To contain the threat, federal authorities mandated that all government systems using the vulnerable software be updated no later than February 28, setting a firm deadline for patch deployment across agencies.

 

CISA confirmed it is working with Trimble and Symantec’s Threat Hunter team to track the threat and update its guidance.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543