Chinese Hackers Use Trusted ArcGIS App For Year-Long Persistence

Security teams have been urged to adopt proactive threat hunting after a new report revealed how Chinese hackers used novel techniques to turn trusted software components into persistent backdoors.

ReliaQuest attributed the campaign to the “Flax Typhoon” APT group, a likely state-sponsored outfit known for “precise, high impact” attacks, such as those targeting Taiwanese organizations.

The report revealed that the adversaries targeted a legitimate public-facing ArcGIS (geographic information system) application. This is software that allows organizations to manage spatial data for disaster recovery, emergency management and other critical functions.

“A single compromise can disrupt core operations, expose sensitive data like infrastructure vulnerabilities attackers can exploit later, and provide a gateway for lateral movement into interconnected enterprise and operational technology (OT) networks,” ReliaQuest claimed.

It’s unclear how initial access was achieved. However, the report claimed that post-access activity began with modifying the ArcGIS server’s Java server object extension (SOE) to behave as a web shell.

The APT group deliberately chose a public-facing ArcGIS server that was connected to a private, internal ArcGIS server for backend computations. They then:

  • Compromised a portal administrator account and deployed a malicious SOE
  • Activated the malicious SOE using a standard ArcGIS extension, invoking a REST operation to run commands on the internal server via the public portal. This helped to hide their activity
  • Sent a malicious GET web request with a base64-encoded payload in the “layer” parameter
  • Added a hardcoded key to the request. This was required to trigger the web shell and execute commands, preventing any outsiders from tampering with their access
  • Uploaded a renamed SoftEther VPN executable for long-term access. This enabled them to appear as if part of the internal network, bypassing network-level monitoring and enabling lateral movement and exfiltration
  • Targeted two workstations within the scanned subnet belonging to IT staff
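As an added illustration of the behaviour-based hunting the report recommends, and not code from ReliaQuest, Esri or the attackers: this Python scans web-server access logs for GET requests to ArcGIS SOE REST endpoints whose "layer" parameter carries base64-encoded text rather than a numeric layer id, and lists any unexpected extra parameters (such as a hardcoded key) on the same request. The SOE URL pattern, the service and extension names, and the "key" parameter name are assumptions used only for the constructed sample lines.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in combined access-log format. Not real data: the
# service, SOE and "key" parameter names are placeholders for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2025:10:01:02 +0000] "GET /arcgis/rest/services/Roads/MapServer/exts/ExampleSOE/op?layer=0&f=json HTTP/1.1" 200 512
10.0.0.9 - - [12/Oct/2025:10:01:07 +0000] "GET /arcgis/rest/services/Roads/MapServer/exts/ExampleSOE/op?layer=d2hvYW1p&key=PLACEHOLDER HTTP/1.1" 200 90
10.0.0.5 - - [12/Oct/2025:10:02:15 +0000] "GET /arcgis/rest/services/Roads/MapServer/0/query?where=1%3D1&f=json HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')
# Assumed URL shape of an SOE REST endpoint: .../rest/services/<svc>/<type>/exts/<soe>/...
SOE_PATH_RE = re.compile(r"/rest/services/.+/exts/", re.IGNORECASE)
# Parameters ordinary ArcGIS REST callers send; anything beyond these is worth a look.
EXPECTED_PARAMS = {"layer", "f", "token"}

def decode_if_base64(value):
    """Return the decoded text if value is base64 (standard or URL-safe) for printable ASCII."""
    normalised = value.translate(str.maketrans("-_", "+/"))
    padded = normalised + "=" * (-len(normalised) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if text and all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None

def suspicious_layer_requests(log_text):
    """Flag GET requests to SOE endpoints whose 'layer' value is encoded text, not a layer id."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, target, status = m.groups()
        url = urlparse(target)
        if method != "GET" or not SOE_PATH_RE.search(url.path):
            continue
        params = parse_qs(url.query)
        for value in params.get("layer", []):
            if re.fullmatch(r"\d+(,\d+)*", value):  # ordinary numeric layer id(s): benign
                continue
            decoded = decode_if_base64(value)
            if decoded is None:
                continue
            hits.append({"src": src, "path": url.path, "status": status, "decoded": decoded,
                         "extra_params": sorted(set(params) - EXPECTED_PARAMS)})
    return hits

if __name__ == "__main__":
    for hit in suspicious_layer_requests(SAMPLE_LOG):
        print(hit)
```

The decoded payload is only reported, never executed; on real logs, correlate hits with the portal administrator activity that deployed the SOE.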

A Wake-Up Call

Crucially, the malicious SOE web shell was stored in the victim’s backups, meaning that it persisted even after remediation and patching.

“This quiet foothold was all they needed for ‘hands-on-keyboard activity,’ enabling malicious command execution, lateral movement, and credential harvesting across multiple hosts,” the report noted.

“To prevent long-term compromises, organizations must move beyond IOC-based detection, proactively hunt for unusual behavior in legitimate tools, and treat every public-facing application as a potential high-risk asset.”

As this was the first time a malicious SOE had been used in this way, ArcGIS was forced to update its internal documentation.

“When a vendor has to rewrite its own security guidelines, it proves the flawed belief that customers treat every public-facing tool as a high-risk asset,” ReliaQuest said.

“This attack is a wake-up call: any entry point with backend access must be treated as a top-tier priority, no matter how routine or trusted.”
