Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year
Category: Threat Alerts / Threat Intelligence
ReliaQuest attributes a year-long stealthy intrusion to Flax Typhoon (aka Ethereal Panda/RedJuliett), modifying an ArcGIS Java SOE into a gated web shell and embedding it into backups for persistence. The actors leveraged a hardcoded key to control access, used SoftEther (bridge.exe) as a covert VPN, stood up a SysBridge service for auto-start, and targeted IT workstations to harvest credentials and reset admin passwords. The tactic weaponizes trusted extensions and observability paths to blend into legitimate traffic. Abuse of public-facing ArcGIS servers underscores the risk of LOTL operations on geospatial platforms used by municipal and infrastructure operators. Persistence through backup propagation complicates recovery and incident response, requiring artifact- and backup-hygiene-focused eradication and credential resets.
CORTEX Protocol Intelligence Assessment
Business Impact: Espionage-grade persistence on geo platforms risks network extension, data access, and operational secrecy loss.
Technical Context: Malicious SOE web shell with hardcoded key; SoftEther-based covert VPN (bridge.exe); persistence via backup embedding.
Strategic Intelligence Guidance
- Audit ArcGIS SOEs and disable or verify unsigned extensions; rotate administrator credentials.
- Hunt for SoftEther artifacts, SysBridge services, and anomalous 443 egress.
- Validate backup integrity; remove malicious extensions from backup chains.
- Implement WAF rules and MFA for admin portals; restrict public access.
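The hunting items above can be turned into a simple triage pass over endpoint and network telemetry. The following is an added example, not ReliaQuest's or CORTEX's code; the event shapes, field names, thresholds and sample records are constructed assumptions, while the indicators (SysBridge service, bridge.exe, unsigned SOEs, outbound 443 from a public-facing server) come from the alert text.

```python
"""Hunt for the SysBridge / SoftEther / unsigned-SOE indicators named in the alert."""

# Indicators taken from the alert text
SUSPECT_SERVICE = "sysbridge"   # auto-start service name
SUSPECT_IMAGE = "bridge.exe"    # SoftEther VPN binary

# Assumptions for the egress check: public-facing GIS servers normally accept
# inbound 443 rather than initiate large outbound 443 sessions.
PUBLIC_SERVERS = {"gis-web01"}
EGRESS_BYTES_THRESHOLD = 1_000_000

# Constructed sample telemetry (not real logs); field names are assumed.
EVENTS = [
    {"type": "service_install", "host": "gis-web01", "name": "SysBridge",
     "path": r"C:\ProgramData\bridge\bridge.exe"},
    {"type": "process", "host": "gis-web01", "image": "bridge.exe", "parent": "services.exe"},
    {"type": "process", "host": "it-ws07", "image": "explorer.exe", "parent": "userinit.exe"},
    {"type": "net", "host": "gis-web01", "direction": "out", "dst_port": 443, "bytes": 4_200_000},
    {"type": "net", "host": "gis-web01", "direction": "in", "dst_port": 443, "bytes": 900},
    {"type": "soe", "host": "gis-web01", "name": "Geo.Extension.soe", "signed": False},
    {"type": "soe", "host": "gis-web01", "name": "Vendor.Ext.soe", "signed": True},
]


def hunt(events):
    """Return (rule, host, detail) tuples for every event matching an alert indicator."""
    findings = []
    for e in events:
        t = e["type"]
        if t == "service_install" and (
            e["name"].lower() == SUSPECT_SERVICE or e["path"].lower().endswith(SUSPECT_IMAGE)
        ):
            findings.append(("sysbridge_service", e["host"], e["name"]))
        elif t == "process" and e["image"].lower() == SUSPECT_IMAGE:
            findings.append(("softether_bridge", e["host"], e["image"]))
        elif (t == "net" and e["direction"] == "out" and e["dst_port"] == 443
              and e["host"] in PUBLIC_SERVERS and e["bytes"] >= EGRESS_BYTES_THRESHOLD):
            findings.append(("anomalous_443_egress", e["host"], e["bytes"]))
        elif t == "soe" and not e["signed"]:
            findings.append(("unsigned_soe", e["host"], e["name"]))
    return findings


def hosts_to_contain(findings):
    """Hosts with two or more distinct rule hits are the first candidates for isolation."""
    per_host = {}
    for rule, host, _ in findings:
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= 2)


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f)
    print("contain:", hosts_to_contain(hunt(EVENTS)))
```

Any hit on the unsigned-SOE rule should also be checked against backup copies, since the alert notes the web shell was propagated through backups.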
Impact
Financial: 1+ year persistence
Intelligence Source: Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year | Oct 15, 2025