All news with #arcgis tag
Wed, October 15, 2025
Flax Typhoon Abused ArcGIS SOE to Maintain Long-Term Access
🔒 Researchers at ReliaQuest found China-linked APT Flax Typhoon modified an ArcGIS Server Object Extension (SOE) into a persistent web shell that executed base64-encoded commands via standard ArcGIS operations. The actor used a hardcoded key, staged tools in a hidden C:\Windows\System32\Bridge directory, and renamed a SoftEther VPN binary to bridge.exe to maintain covert connectivity. The malicious SOE was replicated into backups and golden images, allowing access to survive system recovery while attackers performed discovery, credential harvesting, lateral movement, and covert VPN-based persistence.
Tue, October 14, 2025
Chinese APT Abuses ArcGIS SOE for Year-Long Persistence
🔒 Researchers say a Chinese state-linked actor, likely Flax Typhoon, exploited a component of the ArcGIS geo-mapping platform to maintain undetected access for over a year. Using valid admin credentials, the attackers uploaded a malicious Java SOE that acted as a web shell, accepting base64-encoded commands via a REST parameter protected by a hardcoded secret. They then installed SoftEther VPN as a Windows service to create an outbound HTTPS tunnel to 172.86.113[.]142 on port 443, enabling persistent lateral movement and credential harvesting even if the SOE were removed.
Tue, October 14, 2025
Chinese APT Abuses ArcGIS Component to Maintain Backdoor
🔐 ReliaQuest linked the campaign to the Flax Typhoon APT, which converted a legitimate public-facing ArcGIS Java server object extension (SOE) into a stealthy web shell. The group activated the SOE through a standard ArcGIS REST extension, embedding a base64-encoded payload and a hardcoded key to trigger command execution while hiding activity behind normal portal operations. Attackers uploaded a renamed SoftEther VPN binary to preserve access and targeted IT workstations, and the SOE was later found in backups, enabling persistence after remediation. ReliaQuest warns organisations to go beyond IOC detection, proactively hunt for anomalous behaviour in trusted tools, and treat every public-facing application as a high-risk asset.