Flax Typhoon campaign: Chinese hackers turned ArcGIS server into a persistent backdoor

15.10.2025 2 minutes Author: Newsman

Researchers have found that the Flax Typhoon group (also tracked as Ethereal Panda and RedJuliett) turned an ArcGIS Server component into a hidden web shell and kept access to the victim’s network for more than a year, using a modified Server Object Extension (SOE) and a renamed SoftEther VPN binary as a covert VPN bridge.

The attackers deployed a modified Java SOE (Server Object Extension) on a publicly reachable ArcGIS Server. An SOE is a legitimate mechanism for adding custom operations to a service, so the module was registered and invoked through the ordinary REST interface; what set it apart was a hardcoded access key that gated its command functionality. The result was a covert control channel that blends in with normal ArcGIS traffic and is hard to spot with conventional monitoring.

Through this backdoor they performed network reconnaissance, uploaded a modified SoftEther VPN binary renamed to `bridge.exe`, registered it as a service named “SysBridge” and established a persistent reverse VPN bridge. That made the attackers effectively a node on the victim’s internal network and supported lateral movement and data exfiltration. To escalate privileges they chose their targets carefully, concentrating on IT staff workstations, where they obtained administrative rights and changed account passwords.

Flax Typhoon has a history of sophisticated living-off-the-land operations and is known for adaptive tactics: it uses legitimate system components and procedures to hide its activity. This incident illustrates a trend in which attackers abuse or replace trusted extensions (which then travel with the system’s backups) instead of relying on noisy exploitation, and thereby achieve long-term persistence that survives a normal system restore.

Organizations running ArcGIS and other critical enterprise platforms should immediately:

  1. verify the integrity of server extensions and of backups (a backdoored extension restored from backup re-infects the server);

  2. apply the latest patches and updates;

  3. force a reset of administrative account passwords and enable multi-factor authentication;

  4. increase monitoring of non-standard outbound HTTPS connections and of newly created services;

  5. segment networks and restrict who may create or start services;

  6. audit for indicators of compromise (IOCs) and respond to any that are found.

Defending trusted components should be a priority: they are becoming the favourite launch pad for deep, persistent intrusions.
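The three hunts below correspond to the attack chain described above (a service installed for the renamed SoftEther binary, REST calls into an SOE that the operators never deployed, and an extension archive that no longer matches its approved build) and to recommendation 1, 4 and 6. This is an added example, not code from the article or from Esri or the researchers; every input is constructed inline so it runs offline. Assumptions that are not from the page: the Windows Event ID 7045 field names used (ServiceName, ImagePath, AccountName), the access-log format, the ArcGIS REST path conventions (`/rest/services/.../exts/<SOE>/` for extension endpoints and `/admin/services/types/extensions/register` for registering one), the extension names, and the `key`/`task` parameter names in the attacker-like request.

```python
"""Hunts for the tradecraft described in the article (added example, constructed data)."""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# --- 1. Service installs (Windows Event ID 7045 "A service was installed") ----
SERVICE_EVENTS = [  # constructed; field names are an assumption
    {"ServiceName": "ArcGIS Server", "AccountName": "arcgis",
     "ImagePath": r'"C:\Program Files\ArcGIS\Server\framework\etc\service\bin\ArcGISServer.exe"'},
    {"ServiceName": "SysBridge", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\Temp\bridge.exe"},
    {"ServiceName": "BackupAgent", "AccountName": "LocalSystem",
     "ImagePath": r'"C:\Program Files\BackupVendor\agent.exe" --service'},
]
IOC_SERVICE_NAMES = {"sysbridge"}   # service name reported in the article
IOC_BINARY_NAMES = {"bridge.exe"}   # renamed SoftEther binary reported in the article
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _binary_path(image_path: str) -> str:
    """Pull the executable out of an ImagePath that may be quoted or carry arguments."""
    m = re.match(r'^\s*"?(.*?\.exe)', image_path, re.IGNORECASE)
    return (m.group(1) if m else image_path.strip('"')).lower()


def suspicious_service_installs(events):
    """Return [(service_name, [reasons])] for installs matching IOCs or odd binary locations."""
    hits = []
    for ev in events:
        path = _binary_path(ev["ImagePath"])
        base = path.rsplit("\\", 1)[-1]
        reasons = []
        if ev["ServiceName"].lower() in IOC_SERVICE_NAMES:
            reasons.append("ioc-service-name")
        if base in IOC_BINARY_NAMES:
            reasons.append("ioc-binary-name")
        if not path.startswith(TRUSTED_DIRS):   # e.g. a binary dropped in C:\Windows\Temp
            reasons.append("binary-outside-trusted-dirs")
        if reasons:
            hits.append((ev["ServiceName"], reasons))
    return hits


# --- 2. REST calls against SOE endpoints ---------------------------------------
ACCESS_LOG = """\
10.0.5.21 "GET /arcgis/rest/services/City/Parcels/MapServer/exts/ParcelTools/lookup?parcelId=123&f=json" 200
198.51.100.7 "POST /arcgis/admin/services/types/extensions/register" 200
198.51.100.7 "GET /arcgis/rest/services/City/Parcels/MapServer/exts/ExportTools/run?key=1b4f0e9851971998e732078544c96b36&task=inventory&f=json" 200
10.0.5.21 "GET /arcgis/rest/services/City/Parcels/MapServer/exts/ParcelTools/lookup?parcelId=124&f=json&key=abc" 200
10.0.5.22 "GET /arcgis/rest/services/City/Parcels/MapServer?f=pjson" 200
"""  # constructed; the format and the key/task parameter names are assumptions
KNOWN_SOE_PARAMS = {"ParcelTools": {"parcelId", "f"}}  # extensions the operators actually deployed
LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3})$')
EXT_RE = re.compile(r"/rest/services/.+?/exts/([^/?]+)")


def suspicious_rest_calls(log_text):
    """Return [(src_ip, finding, url)] for extension registrations and off-spec SOE calls."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, _method, url, _status = m.groups()
        parts = urlsplit(url)
        if parts.path.endswith("/admin/services/types/extensions/register"):
            hits.append((src, "extension-registered", url))
            continue
        ext = EXT_RE.search(parts.path)
        if not ext:
            continue
        name = ext.group(1)
        params = set(parse_qs(parts.query))
        if name not in KNOWN_SOE_PARAMS:
            hits.append((src, f"unknown-extension:{name}", url))
        else:
            extra = params - KNOWN_SOE_PARAMS[name]
            if extra:   # a hardcoded access key would show up here
                hits.append((src, "unexpected-params:" + ",".join(sorted(extra)), url))
    return hits


# --- 3. Integrity of deployed SOE archives (run this on backups too) -----------
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GOLD_PARCELTOOLS = b"PK\x03\x04 ParcelTools.soe v1.2 (constructed build)"
GOLD_GEOCODE = b"PK\x03\x04 GeocodeTools.soe v2.0 (constructed build)"
APPROVED_SOE_SHA256 = {"ParcelTools.soe": sha256(GOLD_PARCELTOOLS),
                       "GeocodeTools.soe": sha256(GOLD_GEOCODE)}
DEPLOYED_SOES = {  # constructed: what an audit found in the extensions directory
    "ParcelTools.soe": GOLD_PARCELTOOLS,
    "GeocodeTools.soe": GOLD_GEOCODE + b"\x00 extra class (tampered)",
    "ExportTools.soe": b"PK\x03\x04 never approved",
}


def verify_extensions(deployed, approved):
    """Return [(archive, finding)] for unknown, modified or missing extension archives."""
    findings = []
    for name, data in sorted(deployed.items()):
        expected = approved.get(name)
        if expected is None:
            findings.append((name, "not-in-allowlist"))
        elif sha256(data) != expected:
            findings.append((name, "hash-mismatch"))
    for name in sorted(set(approved) - set(deployed)):
        findings.append((name, "missing"))
    return findings


if __name__ == "__main__":
    for hit in (suspicious_service_installs(SERVICE_EVENTS)
                + suspicious_rest_calls(ACCESS_LOG)
                + verify_extensions(DEPLOYED_SOES, APPROVED_SOE_SHA256)):
        print(hit)
```

The allowlist in part 3 is the piece that matters for the “survives a restore” problem: hash the `.soe` archives inside a backup before restoring it, not just the ones on the live server, or the backdoor comes back with the recovery. Part 2 is only as good as the `KNOWN_SOE_PARAMS` inventory, so keep it in sync with what the GIS team actually registers.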
