Categories: Cyber Security News

Chinese Hackers Maintain Year-Long Persistence Using Geo-Mapping Techniques

A China-backed advanced persistent threat (APT) group tracked as Flax Typhoon has been found abusing ArcGIS geospatial (geo-mapping) server software to maintain persistence inside an enterprise network for more than a year.

The attackers turned trusted ArcGIS components into a covert backdoor, a rare documented case of a legitimate Java Server Object Extension (SOE) being repurposed as a web shell.

The technique was unusual enough that Esri, the ArcGIS vendor, updated its documentation in response, a rare outcome for a single intrusion report.

Turning Trusted Software into Backdoors

The attackers began by compromising a portal administrator account on a public-facing ArcGIS instance that was connected to a private backend ArcGIS Server.

With that access they injected malicious code into an ArcGIS SOE, so that the server would execute attacker-supplied operating-system commands. Every request had to carry a hardcoded key, which kept the backdoor under the operators' exclusive control, and the encoded command rode in an ordinary-looking request parameter such as "layer", which blends into normal ArcGIS REST traffic.

Decoded payloads such as "cmd.exe /c mkdir C:\Windows\System32\Bridge" created a staging directory inside the Windows system directory. Five encoded requests later, the operators ran discovery commands such as "whoami" and scanned the internal network over SMB, RPC and SSH.

Because every command ran inside the ArcGIS server process in response to what looked like a normal extension request, the activity blended into legitimate application behaviour and evaded behavioural detection.
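The traffic pattern described above (a command base64-encoded inside an innocuous parameter, plus a fixed key on every request) is detectable from the web server's access logs alone. The following is an added example, not code from the article or from ReliaQuest: it decodes every query parameter that happens to be valid base64, flags values that decode to an OS command, and then looks across the flagged requests for a non-standard parameter whose value never changes, which is the shape of a hardcoded gate key. The log format, the SOE path, the parameter name "key" and the key value are all constructed for the example; the list of known ArcGIS parameters is a partial assumption.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote

# Query parameters an ArcGIS REST request legitimately carries (partial list,
# assumed for this example); anything outside it is worth a second look.
KNOWN_PARAMS = {"f", "where", "outFields", "returnGeometry", "geometry",
                "geometryType", "spatialRel", "inSR", "outSR", "token"}

# Substrings that, inside a decoded parameter value, indicate an OS command.
COMMAND_MARKERS = re.compile(
    r"(cmd\.exe|powershell|whoami|mkdir|net\s+(view|use|user)|sc\s+create|ipconfig)",
    re.IGNORECASE)


def try_b64(value):
    """Return value decoded as printable ASCII text if it is valid base64, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def parse_line(line):
    """Parse one constructed log line: date time method uri-stem uri-query status client-ip."""
    parts = line.split()
    if line.startswith("#") or len(parts) != 7:
        return None
    date, time, method, stem, query, status, client = parts
    return {"ts": f"{date} {time}", "method": method, "stem": stem,
            "params": dict(parse_qsl(query, keep_blank_values=True)),
            "status": status, "client": client}


def find_webshell_requests(lines):
    """Flag requests in which some parameter base64-decodes to an OS command."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"].items():
            command = try_b64(value)
            if command and COMMAND_MARKERS.search(command):
                hits.append({"ts": rec["ts"], "client": rec["client"], "stem": rec["stem"],
                             "param": name, "command": command, "params": rec["params"]})
                break
    return hits


def candidate_gate_keys(hits):
    """Non-standard parameters (other than the payload one) whose value is identical
    in every flagged request: the fingerprint of a hardcoded access key."""
    shared = None
    for hit in hits:
        extra = {k: v for k, v in hit["params"].items()
                 if k not in KNOWN_PARAMS and k != hit["param"]}
        shared = extra if shared is None else {k: v for k, v in shared.items() if extra.get(k) == v}
    return shared or {}


# --- constructed sample traffic (not from the incident; path, key name and key are made up) ---
GATE_KEY = "k9Qx2mB7vLp4"
SOE_PATH = "/arcgis/rest/services/Parcels/MapServer/exts/LayerTools/query"
CMD_MKDIR = "cmd.exe /c mkdir C:\\Windows\\System32\\Bridge"
CMD_NETVIEW = "cmd.exe /c net view \\\\10.0.0.12"


def encoded(command):
    """Base64 payload, percent-encoded as it would appear in a query string."""
    return quote(base64.b64encode(command.encode()).decode(), safe="")


def attacker_line(ts, command):
    return f"{ts} GET {SOE_PATH} layer={encoded(command)}&key={GATE_KEY}&f=json 200 203.0.113.5"


SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip",
    "2025-01-15 09:58:01 GET /arcgis/rest/services/Parcels/MapServer/0/query where=1%3D1&outFields=*&f=json 200 198.51.100.7",
    attacker_line("2025-01-15 10:01:22", CMD_MKDIR),
    attacker_line("2025-01-15 10:03:10", "whoami"),
    attacker_line("2025-01-15 10:04:41", CMD_NETVIEW),
    "2025-01-15 10:05:00 GET /arcgis/rest/info f=json 200 198.51.100.9",
]

if __name__ == "__main__":
    found = find_webshell_requests(SAMPLE_LOG)
    for hit in found:
        print(hit["ts"], hit["client"], hit["param"], "->", hit["command"])
    print("candidate gate key(s):", candidate_gate_keys(found))
```

Two caveats when running this against real logs: the `layer` parameter name is only the example the article cites, so decode every parameter rather than a fixed one, and a real operator may hide the key in a header or cookie instead of the query string, which this log format does not capture.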

Persistence Through SoftEther VPN and Backups

Once initial control was secured, the attackers dropped a renamed SoftEther VPN executable, "bridge.exe", into the Windows System32 directory and registered it as a service named SysBridge configured to start automatically on reboot.

A Microsoft-looking name in a Microsoft directory, started by the Service Control Manager, blended the implant into trusted Windows activity while it ran with the elevated privileges of a system service. Outbound HTTPS connections from the VPN bridge established command-and-control links to attacker-controlled SoftEther servers at subdomains such as "company05.softether.net".

The VPN bridge let the adversaries tunnel directly into internal systems, hiding their lateral movement and data exfiltration from monitoring that watches the perimeter rather than the host.
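The host-side tells in this stage are a service binary living under System32 that Microsoft did not sign, and a file whose on-disk name differs from the OriginalFilename in its version resource. The following is an added example, not code from the article, that applies those two checks to a service inventory exported from endpoints. The CSV column set (Win32_Service fields plus the binary's OriginalFilename and Authenticode signer) is an assumption about the collector, and every row, including the SoftEther signer and OriginalFilename values, is constructed sample data rather than real telemetry.

```python
import csv
import io
from pathlib import PureWindowsPath

# Publishers expected to sign binaries under the Windows system directories (assumption).
MICROSOFT_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def binary_from_pathname(pathname):
    """Extract the executable path from a service PathName, which may be quoted
    and may carry arguments after the executable."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return pathname[1:pathname.index('"', 1)]
    idx = pathname.lower().find(".exe")
    return pathname[:idx + 4] if idx != -1 else pathname.split(" ")[0]


def assess_service(rec):
    """Return the findings for one service record; an empty list means nothing odd."""
    findings = []
    exe = binary_from_pathname(rec["PathName"])
    actual_name = PureWindowsPath(exe).name.lower()
    original = rec.get("OriginalFilename", "").lower()
    signer = rec.get("Signer", "")
    if original and original != actual_name:
        findings.append(f"renamed binary: on disk '{actual_name}', version info says '{original}'")
    if exe.lower().startswith(SYSTEM_DIRS) and signer not in MICROSOFT_SIGNERS:
        findings.append(f"non-Microsoft binary in system directory, signer '{signer or 'unsigned'}'")
    if findings and rec.get("StartMode") == "Auto":
        findings.append("auto-start service: survives reboot")
    return findings


def hunt(csv_text):
    """Run assess_service over an exported service list; returns {service name: findings}."""
    results = {}
    for rec in csv.DictReader(io.StringIO(csv_text)):
        findings = assess_service(rec)
        if findings:
            results[rec["Name"]] = findings
    return results


# Constructed export (not real telemetry). Doubled quotes are CSV escaping for the
# quoted service paths; the signer and OriginalFilename values are example data.
SAMPLE_EXPORT = r'''Name,StartMode,PathName,OriginalFilename,Signer
Dnscache,Auto,C:\Windows\system32\svchost.exe -k NetworkService -p,svchost.exe,Microsoft Windows
SysBridge,Auto,"""C:\Windows\System32\bridge.exe"" /service",vpnbridge.exe,SoftEther Corporation
ArcGIS Server,Auto,"""C:\Program Files\ArcGIS\Server\framework\etc\service\bin\ArcGISServer.exe""",ArcGISServer.exe,Environmental Systems Research Institute
'''

if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_EXPORT).items():
        print(name)
        for f in findings:
            print("  -", f)
```

A valid signature is not a clean bill of health here: SoftEther's own binaries are legitimately signed, so the rename check and the "who is allowed to live in System32" check carry the detection, not the signature check alone.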


Because the modified SOE was captured in the organisation's periodic system backups, any restore from those backups redeployed the backdoor, turning the recovery process itself into a reinfection route. This is how the operators kept access for more than twelve months.
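The practical defence against backup-borne reinfection is to compare what a backup contains against a known-good manifest taken from a trusted baseline before restoring it. The following is an added example, not code from the article: it hashes every file under a directory tree, records the result as a manifest, and reports modified, unknown and missing files when the same tree is later checked. The scenario in `demo()` is constructed: two stand-in ArcGIS extension packages, one of which is replaced in the "backup" by a different build alongside a stray executable. The file names and contents are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root, manifest):
    """Compare a backup tree against a known-good manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unknown": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def safe_to_restore(report):
    """Only a backup that matches the baseline exactly should be restored unreviewed."""
    return not (report["modified"] or report["unknown"] or report["missing"])


def demo():
    """Constructed scenario: a golden SOE deployment, then a backup in which one
    extension was swapped for a different build and a stray executable appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        (golden / "soe").mkdir(parents=True)
        (golden / "soe" / "LayerTools.soe").write_bytes(b"original extension bytes (constructed)")
        (golden / "soe" / "Utilities.soe").write_bytes(b"second extension (constructed)")
        manifest = build_manifest(golden)  # taken from the trusted baseline

        backup = Path(tmp) / "backup"
        (backup / "soe").mkdir(parents=True)
        (backup / "soe" / "LayerTools.soe").write_bytes(b"extension with command handler (constructed)")
        (backup / "soe" / "Utilities.soe").write_bytes(b"second extension (constructed)")
        (backup / "soe" / "bridge.exe").write_bytes(b"not really a PE (constructed)")
        report = verify_tree(backup, manifest)
        return manifest, report


if __name__ == "__main__":
    manifest, report = demo()
    print("baseline files:", sorted(manifest))
    print("report:", report)
    print("safe to restore:", safe_to_restore(report))
```

The manifest is only as good as its baseline: it has to be generated from a deployment captured before the intrusion window and kept somewhere the backup job cannot overwrite, otherwise a backdoored extension simply becomes the new "known good".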

Shifting Defensive Mindsets

ReliaQuest attributes the operation to Flax Typhoon (also tracked as Ethereal Panda), a Chinese espionage group active since at least 2021 and known for stealth, precision and long-term persistence.

This campaign reinforces a growing security concern: attackers increasingly weaponize legitimate software instead of deploying recognized malware.

Experts recommend treating every public-facing application as a critical asset regardless of its reputation, enforcing multi-factor authentication on administrative accounts, and moving beyond indicator-of-compromise (IOC) matching to behaviour-driven analytics. Given how this intrusion survived, restores from backup should also include verifying application extensions against known-good copies before they go back into service.

The lesson is stark: trusted software can no longer be assumed safe, and organisations must hunt for anomalous activity inside legitimate components before adversaries turn everyday tools into long-term espionage platforms.


The post Chinese Hackers Maintain Year-Long Persistence Using Geo-Mapping Techniques appeared first on Cyber Security News.
