State-backed hackers turn trusted ArcGIS software into a hidden espionage tool

A Chinese state-linked hacking group has been exploiting vulnerabilities in ArcGIS Server systems to create hidden backdoors and maintain access for more than a year, researchers at ReliaQuest have revealed.

The campaign, attributed to Flax Typhoon (also known as Ethereal Panda or RedJuliett), shows how attackers are increasingly subverting trusted enterprise software to remain undetected.

Investigators found that the group modified a legitimate Java Server Object Extension (SOE) within ArcGIS, turning it into a covert web shell protected by a hardcoded key. The malicious component was even embedded into system backups, allowing it to survive restoration attempts. Through the platform’s REST API, the attackers could trigger commands that appeared to be ordinary network traffic.

Once inside, they deployed a renamed version of SoftEther VPN, disguised as “bridge.exe” and installed as a Windows service, to create encrypted tunnels linking the victim’s internal network with attacker-controlled infrastructure. The hackers also targeted IT staff to steal credentials, escalate privileges, and expand their control across affected systems.

Flax Typhoon’s approach is notable not for exploiting new vulnerabilities, but for abusing the normal features of a widely used system. By compromising ArcGIS, software central to many public and private sector operations, the attackers achieved persistence and legitimacy.

The use of HTTPS-based VPN connections further masked their activity, helping them remain undetected for over a year.

Security experts warn that the incident underscores the risks of implicit trust in core business platforms. Organisations using ArcGIS are advised to review any modified SOE components, validate backups, and monitor for unusual API activity or unknown Windows services.
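One practical way to act on the last of those recommendations (an added example, not code from the article or from ReliaQuest): a PowerShell sweep over installed Windows services that flags a binary whose embedded version metadata does not match the name it now runs under, the mismatch a renamed SoftEther VPN executable such as "bridge.exe" would show. It assumes administrator rights on the ArcGIS host; the product-name list and path heuristic are constructed starting points, not indicators from the report.

```powershell
# Added example (not from the article or the ReliaQuest report): list Windows services whose
# binary looks renamed, names a flagged product in its version info, or sits in an unusual path.
# Assumption: run as administrator; $suspectProducts is a constructed placeholder list.
$suspectProducts = @('SoftEther')   # version-info strings worth a closer look; extend as needed

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }

    # Pull the executable path out of the service command line (quoted or unquoted form).
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
           elseif ($svc.PathName -match '^(\S+?\.exe)') { $Matches[1] }
           else { ($svc.PathName -split '\s+')[0] }

    if (-not (Test-Path -LiteralPath $exe)) {
        [pscustomobject]@{ Service = $svc.Name; Path = $exe; Reason = 'binary missing on disk' }
        continue
    }

    $vi      = (Get-Item -LiteralPath $exe).VersionInfo
    $name    = [System.IO.Path]::GetFileName($exe)
    $reasons = @()

    # 1. The file name compiled into the binary differs from the name it is running under,
    #    which is what a renamed VPN client installed as a service would produce.
    if ($vi.OriginalFilename -and ($vi.OriginalFilename -ne $name)) {
        $reasons += "renamed binary (OriginalFilename=$($vi.OriginalFilename))"
    }

    # 2. Product, company or description strings mention a product on the watch list.
    foreach ($p in $suspectProducts) {
        if ("$($vi.ProductName) $($vi.CompanyName) $($vi.FileDescription)" -match $p) {
            $reasons += "version info mentions $p"
        }
    }

    # 3. Service binary lives outside the usual Windows or Program Files trees.
    if ($exe -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\') {
        $reasons += 'unusual install path'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Service = $svc.Name; Path = $exe; Reason = ($reasons -join '; ') }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize
```

Every hit is a lead for manual review rather than a verdict: some legitimate vendors ship binaries whose OriginalFilename differs from the installed name.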

The case highlights a broader shift in state-backed cyber espionage: away from zero-day exploits and towards quiet infiltration through the very systems organisations depend on.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543