Chinese state-sponsored hackers reportedly went undetected for more than a year by turning a legitimate ArcGIS component into a stealthy web shell, allowing deep access to targeted systems.

The ArcGIS geographic information system (GIS), developed by Esri, is widely used by governments, utilities, and infrastructure providers to collect and analyze spatial data. Researchers at cybersecurity firm ReliaQuest revealed that the attackers exploited ArcGIS’s server object extensions (SOE), features that extend the software’s functionality, to insert a malicious backdoor.

According to ReliaQuest, the hackers, believed to be part of the Chinese APT group Flax Typhoon, used stolen administrator credentials to log into a public-facing ArcGIS server connected to a private internal one. They then uploaded a malicious Java SOE that acted as a web shell, executing commands sent through the REST API. These commands were disguised as normal operations and secured with a secret key, ensuring only the attackers could use the backdoor.

Once inside, the attackers installed SoftEther VPN Bridge to maintain persistent access. The VPN was configured as a Windows service that started automatically, creating an encrypted HTTPS tunnel to the attackers’ remote server. This allowed them to blend in with normal traffic and continue operations even if the malicious SOE was removed.
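The two persistence mechanisms described above (an unexpected SOE registered on the server and an auto-start VPN service) are both things a defender can inventory and diff against a baseline. The following is an added hunting example, not code from ReliaQuest, Esri or the article; the extension listing and service inventory are constructed sample data whose shape is an assumption (the admin API's extensions listing and a `Win32_Service` export are assumed to look roughly like this).

```python
import re

# Constructed sample: SOEs registered on an ArcGIS Server, in the shape the
# admin API's extensions listing is ASSUMED to return (assumption, not verified).
REGISTERED_SOES = {
    "extensions": [
        {"name": "FeatureServer", "id": "esri.FeatureServer"},
        {"name": "NetworkAnalysis", "id": "esri.NetworkAnalysis"},
        {"name": "MapUtilities", "id": "com.example.MapUtilities"},  # not in baseline
    ]
}
# Baseline of extension ids the organisation has deliberately deployed.
APPROVED_SOE_IDS = {"esri.FeatureServer", "esri.NetworkAnalysis"}

# Constructed sample: Windows service inventory, e.g. exported from
# Get-CimInstance Win32_Service (Name, StartMode, PathName).
SERVICES = [
    {"Name": "Spooler", "StartMode": "Auto",
     "PathName": r"C:\Windows\System32\spoolsv.exe"},
    {"Name": "SEVPNBRIDGE", "StartMode": "Auto",
     "PathName": r"C:\ProgramData\Update\vpnbridge.exe /service"},
]
# Strings associated with SoftEther binaries and service names (assumed list).
VPN_PATTERN = re.compile(r"softether|vpnbridge|vpnserver|vpnclient", re.IGNORECASE)


def unapproved_soes(listing, approved):
    """Return registered extensions whose id is not in the approved baseline."""
    return [e for e in listing["extensions"] if e["id"] not in approved]


def suspicious_autostart_vpn(services):
    """Return auto-start services whose name or image path matches the VPN pattern."""
    return [s for s in services
            if s["StartMode"].lower() == "auto"
            and VPN_PATTERN.search(s["Name"] + " " + s["PathName"])]


def audit(listing, approved, services):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for e in unapproved_soes(listing, approved):
        findings.append(f"unapproved SOE registered: {e['id']} ({e['name']})")
    for s in suspicious_autostart_vpn(services):
        findings.append(f"auto-start VPN service: {s['Name']} -> {s['PathName']}")
    return findings


if __name__ == "__main__":
    for line in audit(REGISTERED_SOES, APPROVED_SOE_IDS, SERVICES):
        print(line)
```

Run periodically and diff the findings against the previous run; a newly appearing SOE id or auto-start service is the event worth investigating.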

Through this hidden VPN channel, the hackers could scan networks, move laterally, steal credentials, and exfiltrate data without relying on the web shell. ReliaQuest detected attempts to dump sensitive files such as the SAM database, registry keys, and LSA secrets from IT workstations, showing clear signs of manual, hands-on intrusion.

One discovery stood out — a file named “pass.txt.lnk”, suggesting that the attackers were actively harvesting passwords to compromise more systems within the organization.

Flax Typhoon is known for targeting government and critical infrastructure networks in long-term espionage campaigns. The group often uses legitimate tools and “living off the land” techniques to stay hidden. The FBI previously linked it to the massive Raptor Train botnet, and earlier this year, the U.S. Treasury Department sanctioned companies supporting the group.

Esri confirmed this is the first known instance of a server object extension being exploited as a web shell. The company says it plans to update its documentation to warn users about the risk of malicious SOEs and to help organizations secure their ArcGIS servers.