A newly released report from ReliaQuest reveals how the China-backed advanced persistent threat (APT) group “Flax Typhoon” maintained year-long access to an organization’s ArcGIS system by turning legitimate enterprise software into a persistent backdoor.
The report describes a unique supply-chain-adjacent attack that forced the software vendor to update its documentation — a rare move that underscores the gravity of the intrusion.
“The China-backed advanced persistent threat (APT) group ‘Flax Typhoon’ maintained year-long access to an ArcGIS system by turning trusted software into a persistent backdoor—an attack so unique it prompted the vendor to update its documentation,” ReliaQuest wrote in its analysis.
According to the report, the attackers repurposed a legitimate Java Server Object Extension (SOE) from ArcGIS into a covert web shell. This web shell, protected by a hardcoded access key, was embedded within system backups, ensuring persistence even after full system recovery.
“The attackers repurposed a legitimate Java server object extension (SOE) into a web shell, gated access with a hardcoded key, and embedded it in backups to evade detection and maintain persistence,” ReliaQuest explained.
By doing so, Flax Typhoon effectively weaponized a trusted software component, allowing its operations to blend in with normal system traffic. “This attack truly stands out for its sheer ingenuity preying on a common security blind spot: the inherent trust placed in legitimate software components,” the researchers noted.
Flax Typhoon’s operation highlights a new trend: attackers abusing legitimate enterprise tools for stealth and endurance rather than relying on traditional malware.
“Instead of using a known malicious tool, the attackers opted to repurpose a legitimate ArcGIS SOE into a covert web shell,” ReliaQuest wrote. “This allowed their movements to cleverly appear as normal system operations, bypassing detection tools focused on known-bad artifacts.”
The group’s persistence strategy was particularly insidious. By ensuring the backdoored SOE was included in the organization’s backups, they guaranteed reinfection after recovery. As ReliaQuest warns, “This tactic turns a safety net into a liability,” forcing defenders to re-evaluate the trustworthiness of their own backup strategies.
ReliaQuest traced the initial access to a compromised ArcGIS portal administrator account, which gave the attackers the privileges needed to deploy their malicious SOE.
Once inside, the attackers executed base64-encoded commands disguised as legitimate ArcGIS traffic, establishing persistence and lateral movement across the network.
“Working with ArcGIS, we found the attackers compromised a portal administrator account and deployed a malicious SOE… executing base64-encoded (disguised) commands to the portal server, consistent with this proxying model,” ReliaQuest detailed.
The attackers also created hidden system directories, launched PowerShell commands through the ArcGIS API, and eventually deployed a renamed SoftEther VPN executable (bridge.exe) inside the System32 directory for long-term access.
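One way a defender can hunt for the command-execution pattern described above is to scan web-server access logs for requests to SOE extension endpoints whose parameters carry base64 that decodes to a PowerShell or cmd invocation. The script below is an added example, not code from the report or from Esri; the log lines are constructed, and the SOE name, parameter names, key value and payload text are assumptions (the `/rest/services/.../exts/<SOE>/` path layout follows ArcGIS Server's documented REST pattern for server object extensions).

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# Markers that a decoded parameter carries an OS command rather than GIS data.
COMMAND_MARKERS = ("powershell", "cmd.exe", "cmd /c", "remoteregistry")
# ArcGIS SOE REST endpoints: /rest/services/<service>/<type>/exts/<SOE>/<op>
SOE_PATH = re.compile(r"/rest/services/.+?/exts/([^/?]+)")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _line(path: str) -> str:
    """Build a constructed access-log line; only the request path varies."""
    return f'10.0.0.5 - - [01/Mar/2025:09:12:01 +0000] "POST {path} HTTP/1.1" 200 77'


def _b64(raw: bytes) -> str:
    return quote(base64.b64encode(raw).decode(), safe="")  # URL-safe in a query


# Constructed sample lines (not from the report): a benign SOE call, an encoded
# PowerShell command sent to an assumed "run" operation, and a benign encoded
# JSON parameter that must not be flagged. "TraceSOE" and "key" are assumptions.
SAMPLE_LOGS = [
    _line("/arcgis/rest/services/Roads/MapServer/exts/TraceSOE/trace?f=json&id=42"),
    _line("/arcgis/rest/services/Roads/MapServer/exts/TraceSOE/run?key=PLACEHOLDER&cmd="
          + _b64(b"powershell -c Get-ChildItem C:\\Windows\\System32")),
    _line("/arcgis/rest/services/Roads/MapServer/exts/TraceSOE/trace?data="
          + _b64(b'{"layer": 3, "where": "1=1"}')),
]


def find_encoded_commands(lines):
    """Return (soe_name, parameter, decoded_text) for SOE requests whose
    base64-looking parameters decode to a shell or PowerShell invocation."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        soe = SOE_PATH.search(url.path)
        if not soe:
            continue  # only server object extension endpoints are in scope
        for name, values in parse_qs(url.query).items():
            for value in values:
                if not B64_SHAPE.match(value):
                    continue
                try:
                    decoded = base64.b64decode(value, validate=True).decode()
                except ValueError:
                    continue  # invalid base64 or non-text payload: ignore
                if any(marker in decoded.lower() for marker in COMMAND_MARKERS):
                    hits.append((soe.group(1), name, decoded))
    return hits
```

In production the markers would be widened and the hits correlated with the ArcGIS Server request logs and with process creation events on the server, since a legitimate SOE should never spawn a shell.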
This binary established HTTPS connections to an attacker-controlled server, forming a covert VPN bridge between the victim’s internal network and the threat actor’s infrastructure.
“This VPN bridge allows the attackers to extend the target’s local network to a remote location, making it appear as if the attacker is part of the internal network,” the report explained.
After securing a foothold, Flax Typhoon moved deeper into the network, targeting IT administrator workstations and attempting to dump Windows SAM and LSA secrets for credential access.
“The attackers targeted two workstations belonging to IT personnel… attempting to enable RemoteRegistry to dump the Security Account Manager (SAM) database and LSA secrets,” ReliaQuest reported.
A file named pass.txt.lnk found during the investigation indicated active credential harvesting aimed at compromising Active Directory and expanding control across additional systems.
ReliaQuest attributes the operation to Flax Typhoon (also known as Ethereal Panda) — a long-running Chinese APT known for multi-month persistence and targeting critical infrastructure.
“Maintaining long-term, persistent access—often for over 12 months—is a key characteristic of this APT group,” the researchers wrote, adding that activity typically “aligns with Chinese business hours (12AM–6PM UTC).”
Active since at least 2021, Flax Typhoon favors VPN abuse, credential theft, and lateral movement to maintain hidden access for extended periods. ReliaQuest assesses it is “probable (a 55–70% likelihood) that Flax Typhoon is already active in new networks or planning its next victim.”