Flax Typhoon APT exploited ArcGIS server for over a year as a backdoor
China-linked cyberespionage group Flax Typhoon hijacked an ArcGIS system for over a year and used it as a backdoor.
China-linked APT group Flax Typhoon (aka Ethereal Panda or RedJuliett) compromised an ArcGIS system for over a year, using it as a backdoor.
ArcGIS, a key GIS platform for mapping and analysis, supports vital services like disaster recovery and urban planning. A breach could expose infrastructure data, disrupt operations, and enable lateral movement into enterprise or OT networks.
ReliaQuest and U.S. officials attribute the campaign to Integrity Technology Group, a Beijing-based, publicly traded company tied to state-sponsored cyber activity.
“The group cleverly modified a geo-mapping application’s Java server object extension (SOE) into a functioning web shell. By gating access with a hardcoded key for exclusive control and embedding it in system backups, they achieved deep, long-term persistence that could survive a full system recovery.” reads the report published by ReliaQuest.
“This quiet foothold was all they needed for “hands-on-keyboard activity,” enabling malicious command execution, lateral movement, and credential harvesting across multiple hosts.”
Researchers couldn’t determine exactly how the attackers first got in because of the lack of older data, so they focused on what happened afterward. The threat actors had turned a legitimate ArcGIS Server extension (SOE) into a web shell, giving them remote control of the system. They did this after stealing a portal administrator account and abusing a public-facing ArcGIS server that connected to an internal one, a common setup.
Using encoded commands hidden in normal web traffic, they ordered the server to create a secret folder called “Bridge” inside the Windows system directory and used it as their workspace. They then ran PowerShell commands through the same channel to stay hidden among normal activity.
Once inside, the attackers checked what permissions they had and discovered they had admin rights. Then, threat actors scanned the internal network over several protocols to map it and find valuable systems.
To maintain long-term access, attackers uploaded a renamed VPN program (“bridge.exe”) into the system folder, created a fake Windows service called “SysBridge”, and set it to start automatically. This allowed them to reconnect even after restarts or security updates.
Because the malicious SOE was also backed up, the attackers could later return through the same hidden door, even after cleanup efforts.
Flax Typhoon used a fake VPN tool (“bridge.exe”) to create an encrypted tunnel from the victim’s system to their own server. This connection, running with system privileges, let them act as if they were inside the victim’s network, bypassing monitoring and enabling data theft and further access.
Attackers used scan results to target two IT workstations and tried to enable RemoteRegistry to dump SAM, security keys, and LSA secrets. They left a pass.txt.lnk file, indicating active credential collection to move laterally through Active Directory and compromise more systems.
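As an added example (not code from the ReliaQuest report), the following rules turn the post-compromise behaviours described above into detection logic run over constructed endpoint telemetry: a shell spawned by the GIS server process, encoded PowerShell, a new service whose binary sits in a fresh System32 subfolder, RemoteRegistry being started, and the pass.txt.lnk artifact. The drive letter, the ArcGIS process path and the exact Bridge folder location are assumptions, not indicators from the incident.

```python
import re
from dataclasses import dataclass, field
# Assumptions, not report indicators: Windows on C:, ArcGIS process path contains "arcgis"
SYSTEM_DIR = r"c:\windows\system32"
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)

@dataclass
class Event:
    kind: str      # process | service_install | service_start | file
    host: str
    fields: dict = field(default_factory=dict)

def detect(event):
    """Return the names of the rules a single telemetry event matches."""
    f = {k: str(v).lower() for k, v in event.fields.items()}
    hits = []
    if event.kind == "process":
        child = f.get("image", "").rsplit("\\", 1)[-1]
        if "arcgis" in f.get("parent_image", "") and child in ("powershell.exe", "cmd.exe"):
            hits.append("shell_spawned_by_arcgis")      # SOE web shell running commands
        if child == "powershell.exe" and ENCODED_FLAG.search(f.get("cmdline", "")):
            hits.append("encoded_powershell")
    elif event.kind == "service_install":
        path = f.get("image_path", "")
        if path.startswith(SYSTEM_DIR + "\\") and path.count("\\") > SYSTEM_DIR.count("\\") + 1:
            hits.append("service_binary_in_system32_subfolder")  # e.g. a new "Bridge" folder
        if f.get("name") == "sysbridge" or path.endswith("\\bridge.exe"):
            hits.append("sysbridge_service")
    elif event.kind == "service_start" and f.get("name") == "remoteregistry":
        hits.append("remoteregistry_started")            # precursor to SAM/LSA secret dumping
    elif event.kind == "file" and f.get("path", "").endswith("\\pass.txt.lnk"):
        hits.append("pass_txt_lnk_artifact")
    return hits

def scan(events):
    # Group rule hits by host so a chain of behaviours on one machine stands out
    report = {}
    for ev in events:
        for rule in detect(ev):
            report.setdefault(ev.host, []).append(rule)
    return report

SAMPLE = [  # constructed telemetry, not real indicators from the incident
    Event("process", "gis01", {"parent_image": r"C:\Program Files\ArcGIS\Server\bin\java.exe",
                               "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                               "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}),
    Event("service_install", "gis01", {"name": "SysBridge", "image_path": r"C:\Windows\System32\Bridge\bridge.exe"}),
    Event("service_start", "ws07", {"name": "RemoteRegistry"}),
    Event("file", "ws07", {"path": r"C:\Users\Public\pass.txt.lnk"}),
]
```

Running `scan(SAMPLE)` groups the hits per host, so the GIS server and the workstation each show the chain of behaviours the report describes rather than isolated alerts.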
“When attackers leverage your own systems to hide, it’s time to step up your defenses. This attack highlights not just the creativity and sophistication of attackers but also the danger of trusted system functionality being weaponized to evade traditional detection. It’s not just about spotting malicious activity; it’s about recognizing how legitimate tools and processes can be manipulated and turned against you.” concludes the report. “This attack proves the defensive mindset must shift. The new frontline isn’t just the network firewall; it’s every single public-facing application—especially overlooked tools like ArcGIS—that must be treated as a high-risk asset. This means moving beyond traditional IOC-based detection to find what’s hiding in plain sight and auditing these systems to eliminate the blind spots attackers rely on.”
The Flax Typhoon group has been active since mid-2021; it focuses on government agencies and education, critical manufacturing, and information technology organizations in Taiwan.
Flax Typhoon was observed using the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther virtual private network (VPN) client. The group primarily relies on living-off-the-land techniques and hands-on-keyboard activity.
The APT’s attack chain commences by exploiting known vulnerabilities in public-facing servers and deploying web shells like China Chopper. Upon gaining initial access to the target networks, Flax Typhoon uses command-line tools to first establish persistent access over the remote desktop protocol, then establish a VPN connection to C2 infrastructure, and finally collect credentials from compromised systems. The state-sponsored hackers also use the VPN access to scan for vulnerabilities in targeted organizations.
Pierluigi Paganini