ReliaQuest: Chinese-linked group converted ArcGIS server into long-term backdoor

Threat actors with ties to China compromised a public-facing ArcGIS system and used it as a persistent backdoor for more than a year, a cybersecurity company reported. ReliaQuest said the activity is linked to a state-sponsored group known as Flax Typhoon; the company’s report was provided to the publication.

ReliaQuest said the attackers modified a Java server object extension, or SOE, inside the mapping application into a working web shell. The firm reported the SOE was gated by a hard-coded key and embedded inside system backups, which the company said allowed the intrusion to survive full system recovery.

According to the reported analysis, the adversary obtained access to a portal administrator account and used a standard ArcGIS extension called JavaSimpleRESTSOE to invoke REST operations that executed commands on internal systems through the public portal. The company said the hard-coded key prevented others, including administrators, from easily tampering with the backdoor.

The web shell was used for network discovery and to establish persistence, the report said. The attackers uploaded a renamed SoftEther VPN executable as “bridge.exe” into the System32 folder and created a service called SysBridge to start the binary on reboot; ReliaQuest said the process makes outbound HTTPS connections on port 443 to an attacker-controlled address to set up a covert VPN channel. Researchers Alexa Feminella and James Xiang explained that the VPN bridge allowed the attackers to extend the target’s local network to a remote host, facilitating lateral movement and data exfiltration.
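One way a defender could hunt for the persistence pattern described above, as an added example that is not part of the ReliaQuest report: correlate a service-install record whose binary lives in System32 but is not an expected Windows service binary with outbound port-443 connections from that same binary. The event schema, the sample records and the allow-list are constructed assumptions, not real telemetry.

```python
"""Correlate constructed service-install and network events for the SysBridge/bridge.exe pattern."""
import re

# Constructed sample events (not real telemetry), modelled on the reported tradecraft:
# a service named SysBridge pointing at C:\Windows\System32\bridge.exe, followed by
# outbound HTTPS (443) from that binary. 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"event": "service_install", "name": "SysBridge", "image": r"C:\Windows\System32\bridge.exe"},
    {"event": "service_install", "name": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
    {"event": "net_connect", "image": r"C:\Windows\System32\bridge.exe", "dst_port": 443, "dst": "203.0.113.10"},
    {"event": "net_connect", "image": r"C:\Windows\System32\svchost.exe", "dst_port": 443, "dst": "203.0.113.20"},
]

# Hypothetical allow-list of service binaries expected under System32 (constructed, not exhaustive;
# a real deployment would build this from a golden image or signed-binary inventory).
KNOWN_SYSTEM32_SERVICE_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe"}

SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_services(events):
    """Map binary name -> service name for services whose image sits in System32 but is not expected there."""
    hits = {}
    for ev in events:
        if ev["event"] == "service_install" and SYSTEM32_RE.search(ev["image"]):
            name = basename(ev["image"])
            if name not in KNOWN_SYSTEM32_SERVICE_BINARIES:
                hits[name] = ev["name"]
    return hits


def correlate_outbound(events, suspicious):
    """Pair each flagged service binary with the outbound port-443 connections it makes."""
    findings = []
    for ev in events:
        if ev["event"] == "net_connect" and ev["dst_port"] == 443:
            name = basename(ev["image"])
            if name in suspicious:
                findings.append({"service": suspicious[name], "binary": name, "dst": ev["dst"]})
    return findings


def detect(events):
    """Run both stages and return the correlated findings."""
    return correlate_outbound(events, find_suspicious_services(events))


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"ALERT: service {f['service']} runs {f['binary']} from System32 and connects to {f['dst']}:443")
```

The legitimate Spooler/svchost records fall through both stages, so only the unexpected System32 binary that also beacons on 443 is reported.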

ReliaQuest’s findings said the intruders specifically targeted two IT workstations to harvest credentials and further penetrate the network, and that the adversary gained access to an administrative account and was able to reset its password. The company noted that the group frequently uses living-off-the-land techniques and hands-on keyboard activity to blend malicious actions with legitimate software behavior.

ReliaQuest and the researchers characterized the campaign as an example of how trusted system functionality can be weaponized to evade detection and maintain long-term access.