Particle.news

Flax Typhoon Turned ArcGIS Feature Into Yearlong Backdoor, Researchers Say

ReliaQuest says a weaponized extension enabled stealthy operations with persistence through backup reinfection.

Overview

  • ReliaQuest’s new report attributes a year-plus intrusion to the China-linked Flax Typhoon group that maintained access to a private ArcGIS server.
  • The attackers modified a legitimate Server Object Extension into a webshell that accepted base64 commands via a 'layer' parameter and required a hardcoded key to activate.
  • The malicious component was preserved in system backups, enabling reinfection after cleanup, while the initial access method remains undisclosed.
  • The operation expanded through a renamed SoftEther VPN Bridge installed as a Windows service that tunneled over HTTPS to 172.86.113.142, facilitating lateral movement and credential theft on IT staff workstations.
  • Esri confirmed this is the first known SOE abuse of this kind and updated its documentation. Researchers urge defenders to treat public-facing, backend-capable apps and their backups as high-risk and to prioritize behavior-based threat hunting. Separately, recent U.S. actions include sanctions on Integrity Technology Group, which is linked to supporting Flax Typhoon.
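The webshell pattern described above (base64-encoded commands passed through a 'layer' parameter on a Server Object Extension endpoint) is the kind of thing a defender can hunt for in web access logs. The following is an added detection example, not code from ReliaQuest's report or from Esri; the log layout, the SOE name "ExampleSOE" and the sample requests are constructed, and the only signal used is the one the report names: a 'layer' value that decodes as base64 to printable text instead of a layer id or name.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed access-log lines in a simplified "date time method path query status"
# layout (not from the report); "ExampleSOE" is a placeholder extension name.
SAMPLE_LOG = """\
2024-05-01 10:00:01 GET /arcgis/rest/services/Demo/MapServer/exts/ExampleSOE/query layer=0 200
2024-05-01 10:00:07 GET /arcgis/rest/services/Demo/MapServer/exts/ExampleSOE/query layer=d2hvYW1pIC9hbGw= 200
2024-05-01 10:00:09 GET /arcgis/rest/services/Demo/MapServer/0/query where=1%3D1 200
2024-05-01 10:00:12 GET /arcgis/rest/services/Demo/MapServer/exts/ExampleSOE/query layer=aXBjb25maWcgL2FsbA%3D%3D 200
"""

# Legitimate layer values are small integers or short names; an 8+ character
# base64 blob that decodes cleanly to printable ASCII is the anomaly to flag.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_if_command_like(value: str):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    if not B64_RE.match(value) or len(value) % 4 != 0:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if not text.isprintable() or not text.strip():
        return None
    return text


def find_suspicious_soe_requests(log_text: str):
    """Scan log lines for SOE requests whose 'layer' parameter carries base64 text.

    Returns a list of (timestamp, path, raw_value, decoded_text) tuples.
    Short alphanumeric layer names can still collide with the base64 alphabet,
    so tune the minimum length or add an allowlist of real layer names in production.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        date, time, _method, path, query, _status = parts[:6]
        if "/exts/" not in path.lower():  # only Server Object Extension endpoints
            continue
        params = parse_qs(query, keep_blank_values=True)  # also undoes %3D -> '='
        for value in params.get("layer", []):
            decoded = decode_if_command_like(value)
            if decoded is not None:
                hits.append((f"{date} {time}", path, value, decoded))
    return hits
```

Running `find_suspicious_soe_requests(SAMPLE_LOG)` flags the two encoded requests and leaves the ordinary `layer=0` and non-SOE queries alone; pairing the hit with the source IP and the unusual activation key the report mentions would tighten it further.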