A newly released report from ReliaQuest reveals how the China-backed advanced persistent threat (APT) group "Flax Typhoon" maintained year-long access to an organization's ArcGIS system by turning legitimate enterprise software into a persistent backdoor.
The report describes a unique supply-chain-adjacent attack that forced the software vendor to update its documentation, a rare move that underscores the gravity of the intrusion.
"The China-backed advanced persistent threat (APT) group 'Flax Typhoon' maintained year-long access to an ArcGIS system by turning trusted software into a persistent backdoor—an attack so unique it prompted the vendor to update its documentation," ReliaQuest wrote in its analysis.
According to the report, the attackers repurposed a legitimate Java Server Object Extension (SOE) from ArcGIS into a covert web shell. This web shell, protected by a hardcoded access key, was embedded within system backups, ensuring persistence even after full system recovery.
"The attackers repurposed a legitimate Java server object extension (SOE) into a web shell, gated access with a hardcoded key, and embedded it in backups to evade detection and maintain persistence," ReliaQuest explained.
By doing so, Flax Typhoon effectively weaponized a trusted software component, allowing their operations to blend in with normal system traffic. "This attack truly stands out for its sheer ingenuity preying on a common security blind spot: the inherent trust placed in legitimate software components," the researchers noted.
Flax Typhoon's operation highlights a new trend: attackers abusing legitimate enterprise tools for stealth and endurance rather than relying on traditional malware.
"Instead of using a known malicious tool, the attackers opted to repurpose a legitimate ArcGIS SOE into a covert web shell," ReliaQuest wrote. "This allowed their movements to cleverly appear as normal system operations, bypassing detection tools focused on known-bad artifacts."
The group's persistence strategy was particularly insidious. By ensuring the backdoored SOE was included in the organization's backups, they guaranteed reinfection after recovery. As ReliaQuest warns, "This tactic turns a safety net into a liability," forcing defenders to re-evaluate the trustworthiness of their own backup strategies.
ReliaQuest attributed the intrusion to a compromised ArcGIS portal administrator account, which allowed the attackers to deploy their malicious SOE.
Once inside, the attackers executed base64-encoded commands disguised as legitimate ArcGIS traffic, establishing persistence and lateral movement across the network.
"Working with ArcGIS, we found the attackers compromised a portal administrator account and deployed a malicious SOE… executing base64-encoded (disguised) commands to the portal server, consistent with this proxying model," ReliaQuest detailed.
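One way a defender can hunt for the pattern described above, base64-encoded command strings passed to a server object extension endpoint, is to scan the ArcGIS web-tier access log for SOE requests whose query parameters decode to plain text. This is an added example, not code from ReliaQuest or Esri; it assumes common log format lines, the ArcGIS Server REST convention that SOE resources live under `.../exts/<name>`, and constructed sample entries (the `GeoLookup` extension, the `key` and `cmd` parameter names and the IP addresses are all made up).

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (not from the report): a normal map export,
# a benign SOE call, and two calls to a SOE endpoint whose "cmd" parameter
# carries a base64-encoded command string behind a fixed "key" parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2025:09:14:02 +0000] "GET /arcgis/rest/services/Roads/MapServer/export?bbox=1,2,3,4&f=json HTTP/1.1" 200 5120
10.0.0.5 - - [12/Oct/2025:09:15:10 +0000] "GET /arcgis/rest/services/Roads/MapServer/exts/GeoLookup/query?where=1%3D1&f=json HTTP/1.1" 200 880
198.51.100.7 - - [12/Oct/2025:02:03:44 +0000] "GET /arcgis/rest/services/Roads/MapServer/exts/GeoLookup/run?key=abc123&cmd=aG9zdG5hbWU= HTTP/1.1" 200 310
198.51.100.7 - - [12/Oct/2025:02:04:01 +0000] "GET /arcgis/rest/services/Roads/MapServer/exts/GeoLookup/run?key=abc123&cmd=Y21kIC9jIGRpcg== HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
EXT_RE = re.compile(r"/exts/(?P<ext>[^/?]+)")  # SOE REST resources sit under .../exts/<name>
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_if_base64(value: str):
    """Return decoded text if value is well-formed base64 of printable ASCII, else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_encoded_soe_commands(log_text: str) -> list:
    """Flag requests to SOE endpoints whose query parameters decode to plain text."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        ext = EXT_RE.search(url.path)
        if not ext:
            continue  # ordinary service request, not a server object extension
        for param, values in parse_qs(url.query).items():
            for value in values:
                decoded = decode_if_base64(value)
                if decoded is not None:
                    findings.append({"line": lineno, "client": m.group("ip"),
                                     "extension": ext.group("ext"),
                                     "param": param, "decoded": decoded})
    return findings
```

Running `find_encoded_soe_commands(SAMPLE_LOG)` flags only the two `run` calls; a production hunt would add a second pass correlating the flagged extension name against the list of SOEs your administrators actually approved.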
The attackers also created hidden system directories, launched PowerShell commands through the ArcGIS API, and eventually deployed a renamed SoftEther VPN executable (bridge.exe) inside the System32 directory for long-term access.
This binary established HTTPS connections to an attacker-controlled server, forming a covert VPN bridge between the victim's internal network and the threat actor's infrastructure.
"This VPN bridge allows the attackers to extend the target's local network to a remote location, making it appear as if the attacker is part of the internal network," the report explained.
After securing a foothold, Flax Typhoon moved deeper into the network, targeting IT administrator workstations and attempting to dump Windows SAM and LSA secrets for credential access.
"The attackers targeted two workstations belonging to IT personnel… attempting to enable RemoteRegistry to dump the Security Account Manager (SAM) database and LSA secrets," ReliaQuest reported.
A file named pass.txt.lnk found during the investigation indicated active credential harvesting aimed at compromising Active Directory and expanding control across additional systems.
ReliaQuest attributes the operation to Flax Typhoon (also known as Ethereal Panda), a long-running Chinese APT known for multi-month persistence and targeting critical infrastructure.
"Maintaining long-term, persistent access—often for over 12 months—is a key characteristic of this APT group," the researchers wrote, adding that activity typically "aligns with Chinese business hours (12AM–6PM UTC)."
Active since at least 2021, Flax Typhoon favors VPN abuse, credential theft, and lateral movement to maintain hidden access for extended periods. ReliaQuest assesses it is "probable (a 55–70% likelihood) that Flax Typhoon is already active in new networks or planning its next victim."