| SYMBOL | COMMON_NAME | aka. SYNONYMS |
UAT-6382 is a Chinese-speaking threat actor that exploits CVE-2025-0944 to gain access to enterprise networks, particularly targeting local governing bodies in the U.S. They deploy web shells like AntSword and chinatso/Chopper on IIS web servers and utilize Rust-based loaders to implement Cobalt Strike and VSHell for persistent access. UAT-6382 employs custom tooling, such as TetraLoader, and conducts reconnaissance to identify and exfiltrate files of interest. Their VShell stager connects to a hardcoded C2 server and executes payloads in memory, indicating modifications made by the actor.
There are currently no families associated with this actor.
| 2025-05-22
⋅
Cisco Talos
⋅
UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware Tetra Loader UAT-6382 |