Chinese hackers exploited ArcGIS component to hide in target network for over a year

A Chinese state-backed hacking group exploited a little-known feature in a widely used mapping software to stay hidden inside a target organization’s network for more than a year, according to cybersecurity firm ReliaQuest.

The researchers believe with moderate confidence that a threat actor known as Flax Typhoon is behind the operation. As part of the intrusion, the attackers turned a legitimate component of the ArcGIS geographic information system (GIS) into a covert web shell. ArcGIS, developed by Esri, is used globally by governments, utilities, and infrastructure operators to manage and visualize geographic data.

Flax Typhoon is known for espionage-focused campaigns targeting critical infrastructure and using legitimate tools (“living off the land”). While the group has previously used such tactics, this is the first time the threat actor has been observed weaponizing ArcGIS's SOE feature.

The attackers gained initial access using valid administrator credentials on a public-facing ArcGIS server, which was linked to an internal GIS system. From there, they uploaded a malicious Java Server Object Extension (SOE), a plug-in feature meant to enhance ArcGIS functionality. This modified SOE accepted base64-encoded commands via the ArcGIS REST API, allowing attackers to execute actions that appeared as routine operations.

The web shell itself was protected by a hardcoded secret key. The attackers then used it to deploy SoftEther VPN Bridge, registering it as a persistent Windows service. This VPN tunneled outbound HTTPS traffic to an external server, creating an encrypted link into the victim's internal network even if the malicious SOE was discovered and removed.
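The request pattern described above (a SOE operation reached through the REST API with base64-encoded parameter values) can be hunted for in web-server logs. The following is an added example written for this article, not ReliaQuest's detection logic or any Esri code; the log format, the SOE name "RasterTools" and the "cmd"/"key" parameter names are assumptions, and the log lines are constructed.

```python
import base64
import string
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (not from the ReliaQuest report).
# Assumed format: "<client> <method> <path-with-query> <status>".
# SOE endpoints live under ".../exts/<SOE name>/..." in the ArcGIS REST API.
SAMPLE_LOG = """\
10.0.0.5 GET /arcgis/rest/services/Parcels/MapServer?f=json 200
10.0.0.5 GET /arcgis/rest/services/Parcels/MapServer/exts/RasterTools?f=json 200
203.0.113.9 POST /arcgis/rest/services/Parcels/MapServer/exts/RasterTools/run?cmd=aG9zdG5hbWU=&key=s3cret&f=json 200
203.0.113.9 POST /arcgis/rest/services/Parcels/MapServer/exts/RasterTools/run?cmd=aXBjb25maWc=&key=s3cret&f=json 200
10.0.0.7 GET /arcgis/rest/services/Roads/FeatureServer/0/query?where=1%3D1&f=json 200
"""

PRINTABLE = set(string.printable)


def decode_if_text_base64(value, min_len=8):
    """Return the decoded text if `value` is well-formed base64 that decodes
    to printable ASCII, else None. Short values such as 'json' are skipped
    to keep false positives down."""
    if len(value) < min_len or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return None
    return text if all(ch in PRINTABLE for ch in text) else None


def find_soe_command_calls(log_text):
    """Flag requests to SOE endpoints whose query parameters carry
    base64-encoded text, and report what the parameter decodes to."""
    hits = []
    for line in log_text.splitlines():
        client, _method, target, _status = line.split()
        parts = urlsplit(target)
        if "/exts/" not in parts.path:
            continue
        for name, value in parse_qsl(parts.query):
            decoded = decode_if_text_base64(value)
            if decoded is not None:
                hits.append({"client": client, "path": parts.path,
                             "param": name, "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_soe_command_calls(SAMPLE_LOG):
        print(hit)
```

Legitimate SOEs rarely take base64 text as a query parameter, so each hit is worth checking against the list of SOEs the GIS team actually deployed.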

This allowed the hackers to move laterally, dump credentials, and exfiltrate data without further use of the compromised SOE. ReliaQuest noted attempts to access IT staff workstations and extract sensitive registry data, including the Security Account Manager (SAM) database and LSA secrets. The researchers have also observed a file named ‘pass.txt.lnk’ likely tied to credential harvesting for deeper access into the Active Directory (AD) environment.
