Overview
- ReliaQuest linked the activity with moderate confidence to the China-nexus group Flax Typhoon, which used valid administrator credentials on a public ArcGIS portal tied to an internal server.
- The attackers uploaded a Java-based Server Object Extension (SOE) that functioned as a web shell, accepting base64-encoded commands via a REST parameter and gating access with a hardcoded key.
- Using the implant, the group deployed a renamed SoftEther VPN Bridge as a persistent Windows service, creating an outbound HTTPS tunnel that blended with normal traffic for covert lateral access.
- Because the malicious extension was included in system backups, restoration efforts reinstalled the backdoor and guaranteed reinfection.
- Researchers observed hands-on-keyboard actions against two IT workstations to harvest credentials, and reporting notes that the U.S. previously sanctioned Integrity Technology Group for supporting Flax Typhoon operations.
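One way a defender could hunt for the web-shell pattern described above (base64-encoded commands passed as a REST parameter to an SOE endpoint) is to scan ArcGIS/web-server access logs for extension requests whose parameters decode to readable text. This is an added example, not code from ReliaQuest or the report; the SOE name, parameter names, URL paths and log lines are constructed placeholders, not the real implant's.

```python
import base64
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not from the report). "PlaceholderSOE",
# the "key"/"cmd" parameters and the key value are hypothetical placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /arcgis/rest/services/Maps/MapServer/exts/PlaceholderSOE/run?key=PLACEHOLDER&cmd=d2hvYW1p HTTP/1.1" 200 55
10.0.0.6 - - [01/Jan/2025:10:00:02 +0000] "GET /arcgis/rest/services/Maps/MapServer/export?bbox=-100,30,-90,40&f=json HTTP/1.1" 200 1201
10.0.0.5 - - [01/Jan/2025:10:00:03 +0000] "GET /arcgis/rest/services/Maps/MapServer/exts/PlaceholderSOE/run?key=PLACEHOLDER&cmd=aG9zdG5hbWU= HTTP/1.1" 200 77
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
B64_RE = re.compile(r'^[A-Za-z0-9+/]{4,}={0,2}$')  # base64 alphabet, optional padding


def decode_if_text(value):
    """Return the decoded string if value is well-formed base64 that decodes
    to non-empty printable ASCII, otherwise None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None
    return text if text and text.isprintable() else None


def find_soe_command_requests(log_text):
    """Return (client_ip, path, param_name, decoded_value) for every request to an
    ArcGIS extension endpoint (path contains '/exts/') that carries a base64
    parameter decoding to readable text. Ordinary map/export requests are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if "/exts/" not in url.path:
            continue
        for name, values in parse_qs(url.query).items():
            for v in values:
                decoded = decode_if_text(v)
                if decoded:
                    hits.append((line.split()[0], url.path, name, decoded))
    return hits


if __name__ == "__main__":
    for ip, path, name, decoded in find_soe_command_requests(SAMPLE_LOG):
        print(f"{ip} {path} {name}={decoded!r}")
```

Pair the hits with the hardcoded key value once it is known from the recovered SOE, and with a check that the SOE itself is absent from backups before restoring.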