Flax Typhoon Persistence via ArcGIS Server Object Extension Web Shell
Chinese state-sponsored hackers, identified as the Flax Typhoon group, maintained undetected access to a target environment for over a year by exploiting a feature in the ArcGIS geographic information system (GIS) software. ArcGIS, developed by Esri, is widely used by municipalities, utilities, and infrastructure operators for managing spatial and geographic data. The attackers leveraged valid administrator credentials to access a public-facing ArcGIS server, which was connected to an internal server, allowing them to upload a malicious Java-based Server Object Extension (SOE). This SOE acted as a web shell, accepting base64-encoded commands via a REST API parameter and executing them on the internal server, masquerading as routine operations. The web shell was protected by a hardcoded secret key, ensuring exclusive access for the attackers. Researchers at ReliaQuest, who discovered the intrusion, have moderate confidence that Flax Typhoon was responsible, based on the tactics and infrastructure observed.

To further entrench their presence, the attackers used the malicious SOE to install SoftEther VPN Bridge on the compromised system, registering it as a Windows service for persistence. The VPN established an outbound HTTPS tunnel to attacker-controlled infrastructure, blending in with legitimate traffic on port 443 and enabling continued access even if the SOE was removed. This allowed the threat actors to scan the local network, move laterally, and potentially exfiltrate sensitive data. The attack chain was described as unusually clever, as it allowed the group to maintain access even if the victim attempted to restore from backups.

Flax Typhoon has a history of targeting organizations in the U.S., Europe, and Taiwan, and this campaign demonstrates their ability to weaponize legitimate software features for long-term espionage.
The use of ArcGIS’s extensibility through SOEs provided a stealthy and persistent foothold, complicating detection and remediation efforts. The attackers’ operational security was enhanced by the use of hardcoded secrets and encrypted communications. The campaign highlights the risks associated with exposing administrative interfaces of widely used enterprise software to the internet. ReliaQuest’s findings underscore the importance of monitoring for unusual SOE deployments and outbound VPN connections from critical infrastructure. The incident also illustrates the broader trend of advanced persistent threat (APT) groups abusing legitimate software features to evade detection. Organizations using ArcGIS and similar platforms are advised to audit their server configurations, restrict administrative access, and monitor for anomalous activity. The persistence and sophistication of the Flax Typhoon group reinforce the need for layered security controls and regular threat hunting in environments with high-value data. This incident serves as a warning for all organizations relying on extensible enterprise software, emphasizing the need for vigilance against supply chain and feature abuse attacks.
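As an added illustration of the monitoring guidance above (example code written for this page, not from ReliaQuest or any of the outlets cited), the following Python script scans web-server access log lines for requests to ArcGIS SOE REST endpoints (the /exts/<name>/ path segment) whose query parameters carry base64 that decodes to readable text, which is the traffic shape the summary describes. The log line format, the SOE name ParcelTools, the parameter names and all sample values are constructed assumptions for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not from the incident): "client method path status".
SAMPLE_LOG = """\
10.0.0.5 GET /arcgis/rest/services/Parcels/MapServer/exts/ParcelTools/query?where=1%3D1&f=json 200
10.0.0.9 GET /arcgis/rest/services/Parcels/MapServer/exts/ParcelTools/run?key=s3cr3t&cmd=d2hvYW1p 200
10.0.0.9 POST /arcgis/rest/services/Parcels/MapServer/exts/ParcelTools/run?key=s3cr3t&cmd=bmV0c3RhdCAtYW4= 200
10.0.0.7 GET /arcgis/rest/services/Roads/MapServer/0/query?where=OBJECTID%3E10&f=json 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
# SOE endpoints live under /rest/services/<service>/<type>/exts/<SOE name>/
SOE_RE = re.compile(r"/rest/services/.+?/exts/([^/?]+)")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")  # at least 8 chars to cut noise


def decode_if_text(value: str):
    """Return the decoded string if value is valid base64 of printable ASCII."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_log(log_text: str) -> list:
    """Flag SOE requests carrying a base64 parameter that decodes to text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        soe = SOE_RE.search(target)
        if not soe:
            continue  # ordinary map/feature queries are not SOE calls
        for name, values in parse_qs(urlsplit(target).query).items():
            for value in values:
                decoded = decode_if_text(value)
                if decoded is not None:
                    findings.append({"client": client, "method": method,
                                     "soe": soe.group(1), "param": name,
                                     "decoded": decoded})
    return findings
```

Hits should be reviewed against the list of SOEs the organization deployed on purpose, since legitimate extensions may also accept encoded input.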

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Guidance issued to inspect ArcGIS extensions and rebuild affected systems
Following disclosure, reporting highlighted recommended remediation steps including isolating ArcGIS servers, rotating credentials, verifying SOEs and SOIs for unauthorized changes, and rebuilding from clean media. The incident also prompted updates to ArcGIS-related defensive guidance and calls for stronger code-integrity validation.
Public reporting links ArcGIS backdoor activity to Flax Typhoon
Multiple security outlets publicly reported in mid-October 2025 that the China-backed group Flax Typhoon had abused ArcGIS Server as a long-term backdoor. The reporting consolidated attribution, tradecraft details, and the persistence mechanism used in the intrusion.
Compromised backups turn recovery process into reinfection vector
The malicious ArcGIS component was embedded in system backups, meaning restoration from affected backups could reintroduce the backdoor. This made standard recovery plans ineffective unless organizations rebuilt from known-good media.
Flax Typhoon uses compromised ArcGIS server for lateral movement and credential theft
After establishing persistence, the attackers targeted high-value IT workstations, harvested credentials, and moved laterally within the network. Reporting also says they deployed a renamed SoftEther VPN executable and relied on living-off-the-land techniques to avoid detection.
Attackers maintain covert access in ArcGIS environment for over a year
The malicious ArcGIS SOE allowed Flax Typhoon to persist in the compromised environment for more than a year while blending in with normal server operations. The backdoor reportedly included a hardcoded key for exclusive control and could survive routine recovery efforts.
Flax Typhoon compromises ArcGIS Server and implants malicious SOE
A China-linked threat group identified as Flax Typhoon modified a legitimate ArcGIS Server Java server object extension (SOE) to function as a covert web shell. The attackers used the trusted geospatial application itself as a backdoor to gain stealthy access to the victim environment.
Sources
Breach Roundup: Chinese Hackers Exploited ArcGIS (govinfosecurity.com)
China-Backed Flax Typhoon APT Maintained Year-Long Access by Turning ArcGIS SOE into Web Shell Backdoor (securityonline.info)
Flax Typhoon APT exploited ArcGIS server for over a year as a backdoor (securityaffairs.com)
Flax Typhoon exploited ArcGIS to gain long-term access (csoonline.com)
China’s Flax Typhoon Exploits ArcGIS App for Year-Long Persistence (securityboulevard.com)
Flax Typhoon can turn your own software against you (cyberscoop.com)
Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year (thehackernews.com)
Chinese hackers abuse geo-mapping tool for year-long persistence (bleepingcomputer.com)
China's Flax Typhoon Turns Geo-Mapping Server into a Backdoor (darkreading.com)


