Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year

Summary

ReliaQuest attributes a long-running compromise of a public-facing ArcGIS server to the China-linked activity group Flax Typhoon (aka Ethereal Panda / RedJuliett). The attackers turned a Java Server Object Extension (SOE) used by ArcGIS into a web shell, gated access with a hard-coded key, embedded the malicious component in system backups and maintained persistence for over a year. They also deployed a renamed SoftEther VPN binary (“bridge.exe”) as a service to create a covert VPN bridge for lateral movement and exfiltration.

Author style: Punchy — this is a clear demonstration of how trusted functionality can be weaponised; if you run ArcGIS or manage infrastructure, it’s worth digging into the full write-up.

Content Summary

The intrusion chain started with compromising a portal administrator account to upload a malicious JavaSimpleRESTSOE extension, which the adversary invoked via REST operations through the public portal. The SOE acted as a web shell, restricted by a hard-coded key so others (including administrators) couldn’t easily tamper with it. Attackers used the shell for network discovery, credential theft (targeting IT workstations), and persistence by placing a renamed SoftEther VPN executable into System32 and creating an auto-start service called “SysBridge.” That process created outbound HTTPS connections to an attacker-controlled IP on port 443, effectively extending the victim’s internal network to the adversary’s remote environment and enabling further lateral movement and data theft. ReliaQuest reports access lasted more than a year but declined to provide exact start dates.

Key Points

  • Threat actor: Flax Typhoon (also tracked as Ethereal Panda / RedJuliett), linked to a Beijing-based company in US assessments.
  • Technique: Modified ArcGIS Java SOE into a web shell invoked via standard REST operations (JavaSimpleRESTSOE).
  • Persistence: Hard-coded key plus embedding within system backups allowed survival through recoveries and prevented easy tampering.
  • Covert channel: Deployed a renamed SoftEther VPN binary (bridge.exe) as “SysBridge” service to create a covert VPN bridge over HTTPS to attacker infrastructure.
  • Lateral movement: Targeted IT workstations to harvest credentials and reset admin passwords for deeper access.
  • Operational security: Use of legitimate platform features and LotL (living-off-the-land) techniques helped the actors evade detection for >1 year.
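As an added example (not code from the original article, ReliaQuest or Esri), here is a defender-side hunt for the two indicators the summary and key points describe: a Windows service whose binary is an unbaselined executable in System32 or carries the SysBridge / bridge.exe names, and REST invocations of a custom SOE arriving from outside the internal address space. The service inventory, baseline, log format, client IPs and the `run`/`info` operation names are constructed, and the `.../MapServer/exts/<SOE name>/` path convention is assumed.

```python
"""Added detection example for the indicators above: not ReliaQuest's or Esri's code."""
import ipaddress
import re

# Constructed service inventory (e.g. exported from `Get-CimInstance Win32_Service`).
SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("SysBridge", r"C:\Windows\System32\bridge.exe"),
    ("Backup Agent", r"C:\Program Files\ExampleVendor\agent.exe"),
]
# Constructed baseline of binaries expected under System32 on this host.
SYSTEM32_BASELINE = {"spoolsv.exe", "svchost.exe", "lsass.exe"}
# Names the write-up ties to the renamed SoftEther VPN service.
WATCHLIST = {"sysbridge", "bridge.exe"}

# Constructed access log lines: "<time> <client_ip> <method> <path> <status>".
# Assumption: ArcGIS exposes SOE operations under ".../MapServer/exts/<SOE name>/".
LOG_LINES = """\
2025-10-01T09:00:01Z 10.0.4.12 GET /arcgis/rest/services/Roads/MapServer/export 200
2025-10-01T09:00:07Z 203.0.113.50 POST /arcgis/rest/services/Roads/MapServer/exts/JavaSimpleRESTSOE/run 200
2025-10-01T09:01:10Z 10.0.4.30 GET /arcgis/rest/services/Roads/MapServer/exts/JavaSimpleRESTSOE/info 200
2025-10-01T09:02:44Z 203.0.113.50 POST /arcgis/rest/services/Roads/MapServer/exts/JavaSimpleRESTSOE/run 200
""".splitlines()
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_suspicious_services(services):
    """Flag services using the write-up's names, or an unbaselined System32 binary."""
    hits = []
    for name, path in services:
        exe = path.rsplit("\\", 1)[-1].lower()
        unbaselined = "\\system32\\" in path.lower() and exe not in SYSTEM32_BASELINE
        if name.lower() in WATCHLIST or exe in WATCHLIST or unbaselined:
            hits.append(name)
    return hits


def find_external_soe_calls(lines):
    """Return (ip, path) for SOE invocations coming from non-RFC1918 clients."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.group(2), m.group(4)
        if "/exts/" in path and not any(ipaddress.ip_address(ip) in n for n in INTERNAL):
            hits.append((ip, path))
    return hits
```

The internal SOE calls from 10.0.4.30 are deliberately left alone here; in a real hunt, compare them against the list of SOEs your administrators actually deployed.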

Context and Relevance

This incident highlights an ongoing trend: attackers increasingly abuse trusted software components and administrative capabilities instead of relying solely on zero-days. By weaponising built-in extensions and normalised traffic (HTTPS on port 443), intruders can blend in and foil many detection tools. Organisations using ArcGIS or similar geospatial platforms — especially those exposing administrative portals to the internet — should treat built-in extensions and backup integrity as high-risk attack surfaces.

Why should I read this?

If you manage ArcGIS, run public-facing geospatial services or defend enterprise networks, read this. It shows you exactly how an attacker can turn a legitimate extension into a persistent backdoor and hide it in backups — and why “strong passwords + good patching” alone aren’t always enough. We’ve done the slog and boiled the technical bits down so you can act fast.

Source

Source: https://thehackernews.com/2025/10/chinese-hackers-exploit-arcgis-server.html