Chinese gang used ArcGIS as a backdoor for a year – and no one noticed


A Chinese state-backed cybergang known as Flax Typhoon spent more than a year burrowing inside an ArcGIS server, quietly turning the trusted mapping software into a covert backdoor.

Researchers at ReliaQuest say that the espionage outfit, which Microsoft tracks as a China-based state-sponsored actor, modified a legitimate ArcGIS server object extension (SOE) to act as a web shell, giving them long-term, near-invisible access. By exploiting ArcGIS’ extensibility features while avoiding traditional, signature-based malware, Flax Typhoon embedded itself so deeply that even restoring systems from backups simply reinstalled the implant.

ArcGIS is widely used in geospatial analytics, infrastructure planning, environmental monitoring, and more, so compromising it carries a serious risk. What makes this attack elegant, for the attackers at least, is that it used legitimate internal features of the software to hide in plain sight. The SOE component was modified to accept base64-encoded commands passed through REST API parameters, and the attackers secured their access with a hardcoded secret key, ensuring that only they could communicate with it.
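As an added illustration of the detection side (not code from ReliaQuest, Esri or the attackers), the following Python scans constructed web-server access-log lines for the pattern just described: requests to an SOE endpoint whose parameters decode from base64 to printable text, plus one static "key" value reused across them. The `/rest/services/.../MapServer/exts/<SOE>/` path layout follows ArcGIS REST conventions; the SOE name "GeoUtil", the operation "run" and the parameter names are assumptions.

```python
import base64
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not from ReliaQuest's report). The
# .../MapServer/exts/<SOE>/ path follows ArcGIS REST conventions; the SOE
# name "GeoUtil", operation "run" and parameter names are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2025:10:01:02 +0000] "GET /arcgis/rest/services/Parcels/MapServer/exts/GeoUtil/run?cmd=d2hvYW1p&key=5f3c9a HTTP/1.1" 200 41
10.0.0.7 - - [01/Oct/2025:10:01:09 +0000] "GET /arcgis/rest/services/Parcels/MapServer/query?where=1%3D1&f=json HTTP/1.1" 200 8812
10.0.0.5 - - [01/Oct/2025:10:02:15 +0000] "GET /arcgis/rest/services/Parcels/MapServer/exts/GeoUtil/run?cmd=aG9zdG5hbWU%3D&key=5f3c9a HTTP/1.1" 200 120
10.0.0.9 - - [01/Oct/2025:10:03:00 +0000] "GET /arcgis/rest/services/Parcels/MapServer/exts/GeoUtil/run?cmd=aGVsbG8%3D&key=5f3c9a HTTP/1.1" 200 12
"""

LOG_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
SOE_RE = re.compile(r"/rest/services/.+?/(?:Map|Feature)Server/exts/(?P<soe>[^/?]+)")

def decode_b64(value):
    """Return the decoded text if value is well-formed base64 that decodes to printable text, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # plain strings, hex tokens, bad padding: not a base64 payload
    return text if text and text.isprintable() else None

def find_suspicious_soe_requests(log_text):
    """Flag SOE-endpoint requests whose parameter values decode from base64 to
    printable text: the command-passing pattern described in the article."""
    findings = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        url = urlparse(m.group("target"))
        soe = SOE_RE.search(url.path)
        if not soe:
            continue  # ordinary map/feature-service traffic
        for name, values in parse_qs(url.query).items():
            for decoded in filter(None, map(decode_b64, values)):
                findings.append((m.group("src"), soe.group("soe"), name, decoded))
    return findings

def static_token_reuse(log_text, param="key"):
    """Count SOE requests per fixed value of `param`; a single value reused on
    every request matches the hard-coded-secret behaviour described above."""
    counts = Counter()
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        if SOE_RE.search(m.group("target")):
            counts.update(parse_qs(urlparse(m.group("target")).query).get(param, []))
    return counts
```

Run on real logs, the same two signals are worth correlating with the admin account that registered the SOE and with the extension files present in backups, since the article notes the implant survives a restore.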

Flax Typhoon leveraged valid credentials – reportedly a portal administrator account – to deploy the malicious extension. That allowed them to mask their activity as routine system operations, slipping under many defenders’ radar. When victim organizations attempted to recover by restoring from backups, they were effectively re-infecting themselves because the malicious SOE was baked into those backups.

“By ensuring the compromised component was included in system backups, they turned the organization's own recovery plan into a guaranteed method of reinfection,” ReliaQuest said. “This tactic turns a safety net into a liability, meaning incident response teams must now treat backups not as failsafe, but as a potential vector for reinfection.”

Once inside, the attackers used the malicious ArcGIS extension to maintain access and issue remote commands. ReliaQuest says that this allowed Flax Typhoon to perform typical post-compromise activity, including running commands, uploading and downloading files, and maintaining persistence – all while avoiding known, signature-based malware.

This is consistent with Flax Typhoon’s modus operandi, as observed by Microsoft earlier, which relies heavily on “living off the land” techniques, valid tools, and minimal custom malware to sustain stealthy persistence. It also highlights how attacker sophistication increasingly lies less in weaponization and more in subverting trust – turning the target’s own system into the attack vector.

This episode echoes other documented Flax Typhoon operations. In September 2024, the FBI publicly exposed a botnet run by the group and accused Beijing-based Integrity Technology Group of running it, tying that effort to broader intrusion campaigns. Meanwhile, US authorities have sanctioned Integrity Tech for its role in backing Flax Typhoon’s cyber intrusions.

These latest findings underline how even legitimate, widely used software can become a long-term espionage tool when misused. For defenders, it’s another reminder that persistence doesn’t always come from exotic malware – sometimes it’s hiding in the apps you trust most. ®
