When bad actors can weaponize trusted software so effectively that a vendor has to rewrite its own documentation, something fundamental has shifted.
That’s exactly what happened when the China-backed advanced persistent threat (APT) group known as Flax Typhoon maintained year-long access to an ArcGIS server without deploying a single piece of traditional malware.
“This was the first documented case of a malicious SOE being used in this way,” ArcGIS said after working with ReliaQuest investigators. “It prompted updates to our internal documentation.”
Turning Trust into a Weapon
For more than twelve months, Flax Typhoon quietly controlled a customer’s ArcGIS environment by repurposing a legitimate Java Server Object Extension (SOE) into a covert web shell.
“The attackers didn’t need their own tools when they could corrupt yours,” ReliaQuest researchers said.
By gating access with a hardcoded key and embedding the component in system backups, they achieved persistence so deep it could “survive a full system recovery.”
Their control was complete. The backdoor enabled “hands-on-keyboard activity,” including malicious command execution, lateral movement, and credential harvesting across multiple hosts, all while blending perfectly with normal operations.
“A Wake-Up Call” for Defenders
ReliaQuest’s analysts called the attack “a wake-up call” for defenders who still assume that trusted software is safe by default. “When a vendor has to rewrite its own security guidelines, it proves the flawed belief that customers treat every public-facing tool as a high-risk asset.”
Instead of asking “Is this file malicious?”, the team urged organizations to ask “Is this application behaving as expected?”
Because the attackers repurposed an authentic SOE, every activity appeared legitimate. Security tools focused on known-bad signatures had nothing to flag. “If you lack visibility into the normal behavior of your applications, you are blind to this entire class of attack,” the researchers said.
Persistence Hiding in Backups
The most insidious twist came from the group’s persistence strategy.
By ensuring the compromised SOE was included in system backups, the attackers turned the organization’s recovery plan into a reinfection mechanism. “This tactic turns a safety net into a liability,” the report warned. “Incident response teams must now treat backups not as failsafe, but as a potential vector for reinfection.”
ReliaQuest attributed the intrusion with moderate confidence to Flax Typhoon, also known as “Ethereal Panda.”
The team cited several indicators: “The targeting profile, attack focus, and timing align with previous Flax Typhoon patterns. The group prioritizes persistence, lateral movement, and credential harvesting, often maintaining access for over 12 months.”
Flax Typhoon has been active since at least 2021, often operating during Chinese business hours. The group is known for its patience and precision, with long periods of dormancy followed by deliberate, high-impact attacks. ReliaQuest assesses “a 55–70% likelihood that Flax Typhoon is already active in new networks or planning its next victim.”
Inside the Attack
Working with ArcGIS engineers, investigators found the attackers had compromised a portal administrator account and deployed a modified SOE.
“They found a public-facing ArcGIS server connected to a private internal ArcGIS server,” the researchers explained. “This default configuration allowed the public portal to act as a proxy, forwarding commands to the internal system.”
The attackers executed base64-encoded commands through normal server traffic. A malicious GET request created a hidden system directory named Bridge, their private workspace.
“They then repeatedly abused the same web shell to run encoded PowerShell commands,” the report said, “all routed through the same legitimate extension.”
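The behavioral check the researchers call for, as an added example that is not code from the ReliaQuest report or from ArcGIS: it scans constructed web-server access-log lines for requests to a Server Object Extension whose parameters base64-decode to shell-like commands. The log format, the SOE REST path layout and the extension name ParcelTools are assumptions made for the example.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the ReliaQuest report).
# Assumed format: "<client> <method> <path?query> <status>". The SOE REST
# layout (/rest/services/<svc>/MapServer/exts/<SOE>/<op>) is an assumption.
SAMPLE_LOG = """\
10.0.0.5 GET /arcgis/rest/services/Parcels/MapServer/exts/ParcelTools/query?f=json&where=1%3D1 200
10.0.0.9 GET /arcgis/rest/services/Parcels/MapServer/exts/ParcelTools/run?key=k1&cmd=bWtkaXIgQzpcQnJpZGdl 200
10.0.0.9 GET /arcgis/rest/services/Parcels/MapServer/exts/ParcelTools/run?key=k1&cmd=cG93ZXJzaGVsbC5leGUgLW5vcCAtYyB3aG9hbWk%3D 200
10.0.0.7 GET /arcgis/rest/services/Parcels/MapServer/identify?f=json 200
"""

SOE_PATH = re.compile(r"/rest/services/.+?/exts/(?P<soe>[^/?]+)/(?P<op>[^/?]+)")
# Shell-like tokens a mapping extension has no business receiving as input.
SUSPICIOUS = re.compile(r"powershell|cmd\.exe|mkdir|whoami|net\s+user|system32", re.I)


def decode_b64(value):
    """Return decoded text if value is base64 (standard or URL-safe), else None.
    Null bytes are dropped so UTF-16LE payloads (PowerShell -enc) still match."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded.replace("-", "+").replace("_", "/"), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", errors="replace").replace("\x00", "")


def analyze(log_text):
    """Flag SOE requests whose query parameters decode to shell-like commands."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[0], parts[2]
        m = SOE_PATH.search(url)
        if not m:
            continue  # ordinary map requests are out of scope for this check
        for name, values in parse_qs(urlsplit(url).query).items():
            for value in values:
                decoded = decode_b64(value)
                if decoded and SUSPICIOUS.search(decoded):
                    findings.append({"client": client, "soe": m["soe"], "op": m["op"],
                                     "param": name, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The benign query (`f=json`, `where=1=1`) passes untouched; only the two encoded command parameters sent to the extension are reported.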
When the attackers discovered that the compromised service account had administrator rights, they began network reconnaissance, scanning via SSH, SMB, and RPC to map the internal environment.
Next came persistence. The attackers uploaded a renamed SoftEther VPN executable, bridge.exe, into the System32 directory and registered it as a service set to start automatically.
“Renaming the VPN executable and placing it into the System32 folder helped them blend malicious activity with legitimate processes,” the analysts wrote.
The VPN bridge connected directly to attacker-controlled infrastructure, creating “a digital tunnel” that made the intruders appear as if they were operating inside the network itself.
“They bypassed network-level monitoring entirely,” ReliaQuest confirmed.
Credentials, Control, Containment
Once established, the attackers targeted IT workstations, enabling RemoteRegistry to dump the SAM database and harvest credentials. A file named pass.txt.lnk suggested active credential theft for deeper domain compromise.
ReliaQuest worked with the affected organization to contain the intrusion and eradicate the backdoor. The compromised stack was rebuilt from scratch, while ArcGIS documentation was updated to reflect the new attack vector.
Investigators also discovered that the administrator password was a weak “leet” password of unknown origin – an all-too-common factor in real-world breaches.
Lessons for Every Organization
ReliaQuest’s conclusion was blunt: “When attackers leverage your own systems to hide, it’s time to step up your defenses.”
Traditional signature-based detection, they said, is no longer sufficient. “Flax Typhoon didn’t use a known bad file; it corrupted a good one.”
The company urged defenders to:
- Audit and harden all public-facing applications. Any app with backend access is a potential open door.
- Move beyond IOC-based detection. Focus on behavioral anomalies, legitimate components doing illegitimate things.
- Enforce strong credential hygiene. Weak passwords remain a favorite attack vector.
- Treat backups with scrutiny. “What you restore may already be compromised.”
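One way to act on the backup warning above, as an added example that is not code from the report or from ArcGIS: before restoring, hash every SOE package in the backup tree and compare it with a manifest of what was deliberately deployed, so an extension nobody approved cannot ride the restore back in. The `.soe` file extension, the directory layout and all file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large packages do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_backup(backup_root, approved, patterns=("*.soe",)):
    """Compare every SOE package under a backup tree with the approved manifest
    (relative path -> SHA-256). Returns sorted (verdict, relative_path) tuples;
    anything other than 'approved' should block a restore until explained."""
    backup_root = Path(backup_root)
    results, seen = [], set()
    for pattern in patterns:
        for path in backup_root.rglob(pattern):
            rel = path.relative_to(backup_root).as_posix()
            if rel not in approved:
                verdict = "unknown"       # never deployed on purpose
            elif approved[rel] != sha256_of(path):
                verdict = "modified"      # deployed name, different content
            else:
                verdict = "approved"
            seen.add(rel)
            results.append((verdict, rel))
    for rel in approved:                  # an expected package that vanished
        if rel not in seen:
            results.append(("missing", rel))
    return sorted(results)


def demo():
    """Build a constructed backup tree (hypothetical names and contents) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"soe/ParcelTools.soe": b"approved extension v1",
                 "soe/Reports.soe": b"approved extension tampered",
                 "soe/Bridge.soe": b"nobody deployed this"}
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        approved = {"soe/ParcelTools.soe": hashlib.sha256(b"approved extension v1").hexdigest(),
                    "soe/Reports.soe": hashlib.sha256(b"approved extension v2").hexdigest(),
                    "soe/Geocoder.soe": hashlib.sha256(b"approved extension v3").hexdigest()}
        return audit_backup(root, approved)
```

Run `demo()` to see one approved package, one modified, one unknown and one missing; in practice the manifest comes from the change record of what was actually deployed, not from the backup itself.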
The Bigger Picture
This case is part of a growing pattern of “living-off-the-land” attacks, where adversaries weaponize legitimate software components instead of introducing malware.
“Because these attacks are so effective and difficult to detect,” ReliaQuest warned, “we assess with high confidence that this trend will not only continue but grow over the next three to six months. The new frontline isn’t the network firewall—it’s every single public-facing application you trust.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.