Chinese hackers have been exploiting ArcGIS Server as a backdoor for over a year

October 14, 2025 4 Min Read

For more than a year, attackers linked to China are believed to have been running a campaign that compromises ArcGIS Server deployments and turns them into backdoors.

According to ReliaQuest, the activity is attributed to the Chinese state-sponsored hacking group Flax Typhoon, also tracked as Ethereal Panda and RedJuliett. According to the U.S. government, the group operates as a publicly traded, Beijing-based company known as Integrity Technology Group.

“The group cleverly modified a Java Server Object Extension (SOE) for a geographic mapping application into a functioning web shell,” the cybersecurity firm said in a report shared with The Hacker News. “By gating access using a hard-coded key for exclusive control and embedding it in system backups, they achieved strong long-term persistence that survives a complete system recovery.”

Flax Typhoon is known for its “stealthy” tradecraft, which relies heavily on living-off-the-land (LotL) techniques and hands-on-keyboard activity. Turning legitimate software components into vehicles for malicious activity lets the group operate while evading detection.

This attack demonstrates how attackers are increasingly exploiting trusted tools and services to circumvent security measures and gain unauthorized access to victim systems while blending in with regular server traffic.

In what ReliaQuest describes as an “unusually sophisticated attack chain,” the attackers targeted publicly accessible ArcGIS servers, compromised portal administrator accounts, and deployed malicious SOEs.

“The attacker used a standard (JavaSimpleRESTSOE) ArcGIS extension to activate a malicious SOE and invoke REST operations to execute commands on internal servers via a public portal. This made it difficult to identify the attacker’s activities,” ReliaQuest said. “By adding hard-coded keys, Flax Typhoon prevented other attackers or curious administrators from tampering with access.”


The “web shell” was allegedly used to create a service named “SysBridge” that performs network discovery operations, uploads a renamed SoftEther VPN executable (“bridge.exe”) to the “System32” folder to establish persistence, and automatically starts the binary whenever the server is restarted.

The ‘bridge.exe’ process was found to establish an outbound HTTPS connection to an attacker-controlled IP address on port 443, with the primary purpose of setting up a covert VPN channel to an external server.
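The service name, file path and network behaviour above are concrete enough to hunt for on a Windows ArcGIS Server host. The following PowerShell script is an added example, not ReliaQuest's or Esri's code; the strings it matches in the file's version resource (“SoftEther”, “vpn”) are an assumption about how a renamed SoftEther binary still identifies itself.

```powershell
# Hunt for the host-level indicators reported in the article on an ArcGIS Server host.
# Added example for this page, not code from ReliaQuest or Esri. "SysBridge" and
# System32\bridge.exe come from the article; the version-resource strings matched for
# SoftEther are an assumption. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

$findings = @()

# 1. A service named SysBridge (the name the article says the web shell created).
$svc = Get-CimInstance Win32_Service -Filter "Name='SysBridge'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service SysBridge present: StartMode=$($svc.StartMode) Path=$($svc.PathName)"
}

# 2. bridge.exe in System32. Renaming an executable does not change the ProductName /
#    OriginalFilename embedded in its version resource, so a renamed SoftEther binary
#    can still give itself away there.
$bridge = Join-Path $env:SystemRoot 'System32\bridge.exe'
if (Test-Path $bridge) {
    $vi   = (Get-Item $bridge).VersionInfo
    $hash = (Get-FileHash -Algorithm SHA256 $bridge).Hash
    $findings += "File $bridge exists: Product='$($vi.ProductName)' Orig='$($vi.OriginalFilename)' SHA256=$hash"
    if ("$($vi.ProductName) $($vi.CompanyName) $($vi.OriginalFilename)" -match 'SoftEther|vpn') {
        $findings += "Version resource of bridge.exe references a VPN product (assumed SoftEther marker)"
    }
}

# 3. A running "bridge" process with an established outbound connection on TCP 443,
#    the covert VPN channel the article describes.
foreach ($p in (Get-Process -Name bridge -ErrorAction SilentlyContinue)) {
    Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -eq 443 } |
        ForEach-Object { $findings += "bridge.exe PID $($p.Id) -> $($_.RemoteAddress):443 (established)" }
}

if ($findings.Count -eq 0) { 'No SysBridge / bridge.exe indicators found on this host.' } else { $findings }
```

Because the report says the malicious SOE was embedded in system backups, this check should be repeated after any restore from backup, not just once during the initial investigation.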

“This VPN bridge allows an attacker to extend a target’s local network to a remote location, making it appear as if the attacker is part of the internal network,” researchers Alexa Feminella and James Xiang explained. “This allowed them to bypass network-level monitoring and act like a backdoor allowing for additional lateral movement and theft.”

The attackers are said to have specifically targeted two workstations belonging to IT personnel in order to obtain credentials and further infiltrate the network. Further investigation revealed that the attacker was able to access the administrator account and reset the password.

“This attack highlights not only the creativity and sophistication of attackers, but also the risk that trusted system functionality can be weaponized to evade traditional detection,” the researchers said. “It’s not just about spotting malicious activity, it’s about being aware of how legitimate tools and processes can be manipulated and turned against them.”
