China-Backed Flax Typhoon APT Maintained Year-Long Access by Turning ArcGIS SOE into Web Shell Backdoor
For more than a year, a China-backed group used a compromised ArcGIS server as a covert access channel, turning it into a durable point of persistence. The campaign, uncovered by ReliaQuest analysts, has been attributed to the threat group Flax Typhoon, also tracked as Ethereal Panda and RedJuliett. According to U.S. authorities, the operation traces back to Integrity Technology Group, a publicly listed company based in Beijing.
At the core of the operation was the unauthorized modification of a Server Object Extension (SOE) within the ArcGIS geoinformation platform. This legitimate Java-based component was repurposed into a working web shell gated by a hardcoded key, so that only callers who supplied the key could issue commands. The backdoored extension was also present in the system backups, so restoring the server from backup reinstated the attackers' access rather than removing it.
Flax Typhoon is known for its stealth-oriented tactics, favoring low-visibility persistence within victim infrastructures. The group relies heavily on Living off the Land (LotL) techniques and direct command-line interaction, repurposing legitimate software components for malicious ends. In this case, calls into the backdoored extension rode on the server's ordinary REST traffic, so standard monitoring saw nothing out of place.
The intrusion began with the compromise of an ArcGIS portal administrator account. From there, the attackers deployed a malicious extension named JavaSimpleRESTSOE, which allowed command execution on internal servers through an externally reachable REST endpoint. The hardcoded key protected the web shell from use by anyone else, and also meant that an administrator who happened to call the endpoint without the key would learn nothing about its real function.
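One consequence of the technique above is that a backdoored SOE leaves no exotic artefact in web logs: it is reached through the same `/arcgis/rest/services/<Service>/MapServer/exts/<ExtensionName>/...` path layout as any legitimate extension. The hunt is therefore a baseline problem. The script below is an added example, not code from the report or from ArcGIS itself; it parses constructed access-log lines in the Apache/Tomcat combined format, pulls out the extension name from the request path, and flags calls to an extension that is not on an approved list, calls from outside RFC 1918 space, and successful write-style calls. The extension name JavaSimpleRESTSOE comes from the report; the operation name `run`, the approved extension `FeatureReportSOE`, the service names, addresses and timestamps are invented for the sample.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines (not real data) in the Apache/Tomcat "combined" access-log
# format. ArcGIS Server exposes every Server Object Extension under
# .../<Service>/MapServer/exts/<ExtensionName>/..., so a call into an SOE is just
# another REST request and has to be picked out by path. "JavaSimpleRESTSOE" is the
# extension named in the report; the "run" operation, the other URLs, the IPs and the
# timestamps are invented for this example.
SAMPLE_LOG = """\
10.20.1.15 - - [03/Oct/2025:09:12:01 +0000] "GET /arcgis/rest/services/Parcels/MapServer?f=json HTTP/1.1" 200 5120
10.20.1.15 - - [03/Oct/2025:09:12:07 +0000] "GET /arcgis/rest/services/Parcels/MapServer/exts/FeatureReportSOE/report?f=json HTTP/1.1" 200 871
203.0.113.77 - - [03/Oct/2025:09:14:33 +0000] "POST /arcgis/rest/services/Parcels/MapServer/exts/JavaSimpleRESTSOE/run HTTP/1.1" 200 412
203.0.113.77 - - [03/Oct/2025:09:14:40 +0000] "POST /arcgis/rest/services/Parcels/MapServer/exts/JavaSimpleRESTSOE/run HTTP/1.1" 200 1208
10.20.1.22 - - [03/Oct/2025:09:15:02 +0000] "GET /arcgis/rest/services/Parcels/MapServer/export?bbox=1,2,3,4 HTTP/1.1" 200 9981
"""

# Hypothetical allowlist: the extensions that change control says belong on this site.
APPROVED_EXTENSIONS = {"FeatureReportSOE"}

# Address ranges treated as "internal" for the source-IP check (RFC 1918 only).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
# Extension name sits between "/exts/" and the next "/" or "?".
EXT_RE = re.compile(r'/rest/services/.+?/exts/(?P<ext>[^/?]+)')


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def soe_calls(log_text):
    """Yield one record per request that targets an SOE endpoint; skip everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = EXT_RE.search(m["path"])
        if not e:
            continue
        yield {
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "ext": e["ext"],
            "path": m["path"],
            "status": int(m["status"]),
        }


def flag(record, approved):
    """Return the reasons this SOE call deserves a look (empty list means nothing unusual)."""
    reasons = []
    if record["ext"] not in approved:
        reasons.append("extension not in approved baseline")
    if not is_internal(record["ip"]):
        reasons.append("request from non-RFC1918 address")
    if record["method"] in ("POST", "PUT") and record["status"] == 200:
        reasons.append("successful write-style call")
    return reasons


def suspicious_soe_calls(log_text, approved=APPROVED_EXTENSIONS):
    """Return only the SOE calls that triggered at least one reason."""
    out = []
    for rec in soe_calls(log_text):
        reasons = flag(rec, approved)
        if reasons:
            out.append({**rec, "reasons": reasons})
    return out


def per_extension_counts(log_text):
    """Count (extension, source IP) pairs: an extension seen only from one outside IP stands out."""
    return Counter((r["ext"], r["ip"]) for r in soe_calls(log_text))


if __name__ == "__main__":
    for hit in suspicious_soe_calls(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], hit["ext"], "->", "; ".join(hit["reasons"]))
    print(per_extension_counts(SAMPLE_LOG))
```

The approved list is the part that needs maintenance: pull it from the ArcGIS Server Admin API's registered-extension inventory on a schedule and diff it, because a web shell registered by a compromised administrator account is, by construction, a valid extension as far as the server is concerned.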
Once embedded, the shell was used for internal reconnaissance and for setting up a persistent communication channel. The attackers uploaded a renamed copy of the SoftEther VPN executable as bridge.exe into the System32 directory and registered it as a service named SysBridge, so that it started automatically with the system.
The bridge.exe process opened outbound HTTPS connections on port 443 to an attacker-controlled IP address, forming a covert VPN tunnel. Because the traffic was outbound and looked like ordinary HTTPS, it passed routing-level filtering and network monitoring, and gave the intruders access to the target network as if they were on it.
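Port 443 to an arbitrary address is not a usable signal on its own, which is why this persistence survived. What does stand out is the combination: a new service whose binary sits in System32 but is not a known Windows binary, an executable whose on-disk name differs from the name embedded in its PE version resource, and that same image initiating outbound 443 to a non-internal address. The script below is an added example, not code from the report; it runs three such rules over constructed events shaped like Windows Security 4697 (service installed) and Sysmon Event ID 1 and 3 records exported to JSON, and correlates hits by image path. The service name, binary name and path follow the report; the `OriginalFileName` value, the known-binary baseline, the benign events, addresses and host names are invented for the sample.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry), shaped like Windows Security 4697
# ("A service was installed in the system") and Sysmon Event ID 1 (process create) and
# Event ID 3 (network connection) records after export to JSON. SysBridge, bridge.exe
# and the System32 location follow the report; the OriginalFileName value, the benign
# events, the addresses and the host name are invented for this example.
EVENTS = [
    {"source": "Security", "EventID": 4697, "Computer": "GIS-SRV01",
     "ServiceName": "SysBridge", "ServiceFileName": r"C:\Windows\System32\bridge.exe",
     "ServiceStartType": 2},  # 2 = automatic start
    {"source": "Sysmon", "EventID": 1, "Computer": "GIS-SRV01",
     "Image": r"C:\Windows\System32\bridge.exe", "OriginalFileName": "vpnbridge.exe"},
    {"source": "Sysmon", "EventID": 3, "Computer": "GIS-SRV01",
     "Image": r"C:\Windows\System32\bridge.exe", "Initiated": True,
     "DestinationIp": "198.51.100.20", "DestinationPort": 443},
    # Benign noise the rules must not flag: a vendor agent outside System32, and svchost
    # (a baselined Windows binary) talking HTTPS to the outside.
    {"source": "Security", "EventID": 4697, "Computer": "GIS-SRV01",
     "ServiceName": "BackupAgent", "ServiceFileName": r'"C:\Program Files\BackupVendor\agent.exe" /svc',
     "ServiceStartType": 2},
    {"source": "Sysmon", "EventID": 1, "Computer": "GIS-SRV01",
     "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"source": "Sysmon", "EventID": 3, "Computer": "GIS-SRV01",
     "Image": r"C:\Windows\System32\svchost.exe", "Initiated": True,
     "DestinationIp": "198.51.100.20", "DestinationPort": 443},
]

# Hypothetical baseline of System32 binaries expected to run as services or talk to the
# network on this host. In practice generate it from a clean reference image.
KNOWN_SYSTEM32_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "spoolsv.exe", "wininit.exe"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def image_path(value):
    """Extract the executable from a service ImagePath that may be quoted and carry arguments."""
    m = re.match(r'"?(.*?\.exe)', value, re.IGNORECASE)
    return PureWindowsPath(m.group(1) if m else value)


def under_system32(path):
    return str(path).lower().startswith(SYSTEM32_PREFIX)


def check_service_install(ev):
    """4697: a new service whose binary lives in System32 but is not a baselined Windows binary."""
    path = image_path(ev["ServiceFileName"])
    if under_system32(path) and path.name.lower() not in KNOWN_SYSTEM32_BINARIES:
        return path, f"service {ev['ServiceName']} installed with unbaselined System32 binary"
    return None


def check_renamed_binary(ev):
    """Sysmon 1: on-disk file name disagrees with the PE version resource's OriginalFileName."""
    path = PureWindowsPath(ev["Image"])
    orig = ev.get("OriginalFileName")
    if orig and path.name.lower() != orig.lower():
        return path, f"on-disk name {path.name} differs from OriginalFileName {orig}"
    return None


def check_outbound(ev):
    """Sysmon 3: outbound 443 to a non-internal address from an unbaselined System32 image."""
    path = PureWindowsPath(ev["Image"])
    if (ev.get("Initiated") and ev.get("DestinationPort") == 443
            and not is_internal(ev["DestinationIp"])
            and under_system32(path) and path.name.lower() not in KNOWN_SYSTEM32_BINARIES):
        return path, f"outbound 443 to {ev['DestinationIp']} from unbaselined System32 image"
    return None


def correlate(events):
    """Map each lower-cased image path to the list of rule hits against it."""
    findings = defaultdict(list)
    for ev in events:
        hit = None
        if ev["source"] == "Security" and ev["EventID"] == 4697:
            hit = check_service_install(ev)
        elif ev["source"] == "Sysmon" and ev["EventID"] == 1:
            hit = check_renamed_binary(ev)
        elif ev["source"] == "Sysmon" and ev["EventID"] == 3:
            hit = check_outbound(ev)
        if hit:
            path, reason = hit
            findings[str(path).lower()].append(reason)
    return dict(findings)


def severity(reasons):
    """Any single rule is weak on its own; two or more against one image is the real signal."""
    return "high" if len(reasons) >= 2 else "low"


if __name__ == "__main__":
    for image, reasons in correlate(EVENTS).items():
        print(f"[{severity(reasons)}] {image}")
        for r in reasons:
            print("   -", r)
```

Security 4697 only appears when the "Audit Security System Extension" subcategory is enabled; the System log's 7045 carries the same service name and image path without that prerequisite, so map whichever your hosts actually emit. The OriginalFileName rule is the one that catches the SoftEther rename specifically, and it is also the reason to hash and signature-check any flagged file rather than trusting its name.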
The hackers also targeted IT staff workstations to harvest credentials and deepen their foothold within the infrastructure. Analysis revealed that the attackers had already gained access to an administrative account and successfully reset its password.
According to ReliaQuest experts, this incident underscores the grave risk of trusted system components being repurposed as tools of exploitation. The key challenge in such cases lies not only in detecting suspicious activity but also in recognizing how legitimate functionality can be transformed into a weapon of intrusion.