A sophisticated campaign that compromised an ArcGIS system and covertly used it as a backdoor for over a year has been attributed to threat actors linked to China.

According to ReliaQuest, the operation is the work of Flax Typhoon—also known as Ethereal Panda and RedJuliett—a Chinese state-sponsored hacking group believed to be associated with Beijing-based company Integrity Technology Group.

The attackers modified a geo-mapping application’s Java Server Object Extension (SOE) into a fully functional web shell, embedding it in system backups and protecting it with a hardcoded access key. This allowed persistent control even after full system recovery.

Flax Typhoon is known for its stealthy tactics, often leveraging living-off-the-land (LotL) techniques and hands-on keyboard activity to weaponize legitimate software components while avoiding detection.

In this campaign, the attackers compromised a public-facing ArcGIS Server by hijacking an administrator account to deploy a malicious SOE. Using a standard JavaSimpleRESTSOE extension, they invoked REST operations to execute commands through the public portal, effectively concealing their activity within normal traffic.

The web shell enabled the actors to conduct network reconnaissance and establish persistence by uploading a disguised SoftEther VPN executable (“bridge.exe”) to the System32 directory. A new service named “SysBridge” was created to ensure it launched automatically upon reboot.

Once active, bridge.exe connected to an attacker-controlled IP over HTTPS (port 443), creating a covert VPN bridge that made the attackers appear as part of the internal network. This stealthy channel allowed further lateral movement and data exfiltration while evading network-level monitoring.
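The persistence step described above (a renamed VPN binary dropped into System32 and registered as an auto-start service) leaves a trace that defenders can check for: a Windows System-log Event ID 7045 ("A service was installed in the system") carrying the service name, image path and start type. The following script is an added illustration, not code from ReliaQuest or the report; it runs a simple triage rule over constructed 7045-style records. The baseline of expected System32 service binaries is an assumed, organisation-specific list, and the sample events are constructed. The only campaign-specific names used are the "SysBridge" service and "bridge.exe" binary named in the article; the heuristic rule is kept separate so it also catches an unbaselined auto-start service that uses a different name.

```python
"""Triage Windows service-install events for the persistence pattern in the article.

Input records mimic the fields of Event ID 7045 (ServiceName, ImagePath, StartType).
The System32 baseline below is an assumption for illustration, not a vendor list.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ServiceInstallEvent:
    service_name: str
    image_path: str   # raw ImagePath as logged: may be quoted and carry arguments
    start_type: str   # e.g. "auto start" or "demand start"


# Assumed baseline: service executables an organisation expects to see under System32.
KNOWN_SYSTEM32_SERVICE_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "msiexec.exe"}

# Names reported for this campaign in the article, kept apart from the generic heuristic.
REPORTED_SERVICE_NAMES = {"sysbridge"}
REPORTED_BINARIES = {"bridge.exe"}


def executable_from_image_path(image_path: str) -> str:
    """Return just the executable path from an ImagePath value.

    Handles the two common shapes: a quoted path followed by arguments, and an
    unquoted path followed by arguments (unquoted System32 paths contain no spaces).
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    parts = s.split()
    return parts[0] if parts else s


def is_under_system32(exe_path: str) -> bool:
    # Normalise separators and case before matching the directory.
    return "\\windows\\system32\\" in exe_path.lower().replace("/", "\\")


def assess(event: ServiceInstallEvent) -> list[str]:
    """Return the reasons an event is suspicious (empty list means no finding)."""
    exe = executable_from_image_path(event.image_path)
    binary = ntpath.basename(exe).lower()
    reasons: list[str] = []

    # Rule 1: exact match on names reported for the Flax Typhoon ArcGIS campaign.
    if binary in REPORTED_BINARIES or event.service_name.lower() in REPORTED_SERVICE_NAMES:
        reasons.append("matches service/binary name reported for the campaign")

    # Rule 2: generic heuristic, independent of the reported names. A new service whose
    # executable sits in System32 but is not a baselined service binary is worth review,
    # and an auto-start type means it survives reboot, as the article describes.
    if is_under_system32(exe) and binary not in KNOWN_SYSTEM32_SERVICE_BINARIES:
        reasons.append("unbaselined executable under System32")
        if event.start_type.lower().startswith("auto"):
            reasons.append("auto-start persistence")

    return reasons


def triage(events: list[ServiceInstallEvent]) -> dict[str, list[str]]:
    """Map each suspicious service name to its list of reasons."""
    findings: dict[str, list[str]] = {}
    for event in events:
        reasons = assess(event)
        if reasons:
            findings[event.service_name] = reasons
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    ServiceInstallEvent("SysBridge", '"C:\\Windows\\System32\\bridge.exe"', "auto start"),
    ServiceInstallEvent("Spooler", "C:\\Windows\\System32\\spoolsv.exe", "auto start"),
    ServiceInstallEvent("VendorUpdater", '"C:\\Program Files\\Vendor\\updater.exe" --svc', "demand start"),
    ServiceInstallEvent("WinSvcHelper", "C:\\Windows\\System32\\helper.exe -k x", "auto start"),
]


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Rule 2 is the one that generalises: it does not depend on the attacker reusing the names from this report, only on the pattern of a newly installed auto-start service backed by a binary in System32 that the organisation never baselined. Tuning the baseline to the host image is what keeps the false-positive rate manageable; the exact-name rule is cheap corroboration rather than the primary detection.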

ReliaQuest researchers Alexa Feminella and James Xiang noted that the attackers specifically targeted IT personnel workstations to harvest credentials and deepen access.

“This attack underscores not only the creativity and sophistication of modern adversaries,” the report concluded, “but also the growing risk of trusted system components being repurposed as attack vectors to evade traditional detection.”