Chinese Hackers Use Trusted ArcGIS App For Year-Long Persistence

Phil Muncaster | 15 October 2025
Source: https://ft365.org/index.php/2025/10/15/chinese-hackers-use-trusted-arcgis-app-for-year-long-persistence/

Security teams have been urged to adopt proactive threat hunting after a new report revealed how Chinese hackers used novel techniques to turn trusted software components into persistent backdoors.

ReliaQuest attributed the campaign to the "Flax Typhoon" APT group, a likely state-sponsored outfit known for "precise, high impact" attacks, such as those targeting Taiwanese organizations.

The report revealed that the adversaries targeted a legitimate public-facing ArcGIS (geographic information system) application. This is software that allows organizations to manage spatial data for disaster recovery, emergency management and other critical functions.

"A single compromise can disrupt core operations, expose sensitive data like infrastructure vulnerabilities attackers can exploit later, and provide a gateway for lateral movement into interconnected enterprise and operational technology (OT) networks," ReliaQuest claimed.

Read more on Flax Typhoon: Western Agencies Warn of Risk from Chinese-Controlled Botnet

It is unclear how initial access was achieved. However, the report claimed that post-access activity began with modifying the ArcGIS server's Java server object extension (SOE), a supported mechanism for deploying custom code that the server exposes through its REST API, so that it behaved as a web shell.

The APT group deliberately chose a public-facing ArcGIS server that was connected to a private, internal ArcGIS server for backend computations. They then:

- Compromised a portal administrator account and deployed a malicious SOE
- Activated the malicious SOE using a standard ArcGIS extension, invoking a REST operation to run commands on the internal server via the public portal. Routing the activity through a legitimate operation helped to hide it
- Sent malicious GET web requests with a base64-encoded payload in the "layer" parameter
- Added a hardcoded key to each request. The key was required to trigger the web shell and execute commands, preventing any outsiders who found the endpoint from using their access
- Uploaded a renamed SoftEther VPN executable for long-term access. This let their traffic appear to originate from inside the internal network, bypassing network-level monitoring and enabling lateral movement and exfiltration
- Scanned the internal subnet and targeted two workstations on it belonging to IT staff

A Wake-Up Call

Crucially, the malicious SOE web shell had been captured in the victim's backups, so a restore could reintroduce it even after remediation and patching.

"This quiet foothold was all they needed for 'hands-on-keyboard activity,' enabling malicious command execution, lateral movement, and credential harvesting across multiple hosts," the report noted.

"To prevent long-term compromises, organizations must move beyond IOC-based detection, proactively hunt for unusual behavior in legitimate tools, and treat every public-facing application as a potential high-risk asset."

As this was the first time a malicious SOE had been used in this way, Esri, the vendor of ArcGIS, updated its security guidance as a result.

"When a vendor has to rewrite its own security guidelines, it proves the flawed belief that customers treat every public-facing tool as a high-risk asset," ReliaQuest said.

"This attack is a wake-up call: any entry point with backend access must be treated as a top-tier priority, no matter how routine or trusted."
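The request pattern in the attack chain above (a GET to an SOE REST endpoint carrying a base64-encoded command in the "layer" parameter plus a fixed extra key) is something a hunter can look for in web-server access logs rather than waiting for an IOC. The script below is an added example, not code from ReliaQuest, Esri or the original article. It assumes an Apache-style combined log format, the usual ArcGIS Server SOE path layout (.../MapServer/exts/<SOE name>/...), an SOE called "GeoTools", a key parameter named "key" and the source addresses shown; all of these are illustrative and the log lines are constructed, not real data.

```python
"""Hunt access logs for ArcGIS SOE calls that look like the Flax Typhoon web shell:
a base64 'layer' value that decodes to a command, plus an extra fixed parameter.
Added example; the log format, SOE path layout and parameter names are assumptions."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed SOE REST layout: /rest/services/<folder>/<service>/MapServer/exts/<SOE>/<resource>
SOE_RE = re.compile(r"/rest/services/.+?/exts/(?P<soe>[^/?]+)", re.IGNORECASE)
# Parameters a benign call to this hypothetical SOE carries; anything else is reported,
# which is where the report's hardcoded key would show up.
KNOWN_PARAMS = {"layer", "f", "token"}
SHELL_HINTS = ("cmd", "powershell", "whoami", "net ", "ipconfig", "curl", "wget", "/c ", "sh -c")


def decode_layer(value: str):
    """Return decoded text if `value` is base64 that decodes to printable ASCII resembling a
    command; None otherwise. A normal layer id ('3') or layer name ('Roads') fails this test.
    Missing '=' padding (a common evasion) is tolerated."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 4 or not all(0x20 <= b < 0x7F for b in raw):
        return None
    text = raw.decode("ascii")
    if " " not in text and not any(h in text.lower() for h in SHELL_HINTS):
        return None
    return text


def hunt(log_text: str):
    """Return one finding per suspicious SOE request: source, decoded command, extra parameters."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        soe = SOE_RE.search(url.path)
        if not soe:
            continue  # not an SOE endpoint
        params = parse_qs(url.query, keep_blank_values=True)
        for layer_value in params.get("layer", []):
            decoded = decode_layer(layer_value)
            if decoded is None:
                continue
            findings.append({
                "src": m["src"], "ts": m["ts"], "soe": soe["soe"], "decoded": decoded,
                "extra_params": sorted(set(params) - KNOWN_PARAMS), "status": int(m["status"]),
            })
    return findings


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample log (not real data): two benign SOE calls, two web-shell calls carrying
# a base64 command and the extra 'key' parameter, and one ordinary map-layer query.
_P1, _P2 = _b64("whoami /all"), _b64("powershell -c whoami")
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [12/Oct/2025:09:14:02 +0000] "GET /arcgis/rest/services/Ops/MapServer/exts/GeoTools/query?layer=3&f=json HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Oct/2025:09:14:30 +0000] "GET /arcgis/rest/services/Ops/MapServer/exts/GeoTools/query?layer=Roads&f=json HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [12/Oct/2025:09:15:40 +0000] "GET /arcgis/rest/services/Ops/MapServer/exts/GeoTools/query?layer={_P1}&key=3f9a1c&f=json HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    f'203.0.113.7 - - [12/Oct/2025:09:16:05 +0000] "GET /arcgis/rest/services/Ops/MapServer/exts/GeoTools/query?layer={_P2}&key=3f9a1c&f=json HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '10.0.0.9 - - [12/Oct/2025:09:17:11 +0000] "GET /arcgis/rest/services/Ops/MapServer/0/query?where=1%3D1&f=json HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
])

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} soe={f['soe']} extra={f['extra_params']} cmd={f['decoded']!r}")
```

The decode heuristic deliberately ignores what the parameter is named and asks only whether its value is base64 that turns into readable command text; a genuine layer reference never does. The "extra parameter" column is the second signal from the report: the same unknown parameter with the same value across many requests from one source is the hardcoded key. Tune KNOWN_PARAMS to each SOE's documented parameters before running this across a fleet.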
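The backup problem raised under "A Wake-Up Call" means that cleaning the live server is not enough: every copy of the extension, including the ones sitting in backup sets, has to be inventoried. The script below is an added example and is not ReliaQuest's, Esri's or the article's code. It assumes a Java SOE package (.soe) is a zip archive wrapping a jar, that a mapping extension has no legitimate reason to reference java/lang/Runtime or java/lang/ProcessBuilder, and uses constructed directory names and fake class bytes built in a temporary directory for illustration.

```python
"""Inventory every .soe package under a root (live deployment and backups alike), hash it
against an allowlist, and flag packages whose classes reference process execution.
Added example; the .soe-is-a-zip assumption and the fixture below are illustrative."""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

# Strings a Java class that spawns processes must carry in its constant pool.
EXEC_MARKERS = (b"java/lang/Runtime", b"java/lang/ProcessBuilder")
ARCHIVE_SUFFIXES = (".soe", ".jar", ".zip")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _exec_refs(name: str, blob: bytes, depth: int = 0):
    """Yield 'outer!inner' names of entries referencing EXEC_MARKERS, descending into nested archives."""
    if name.lower().endswith(ARCHIVE_SUFFIXES) and depth < 3:
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as z:
                for info in z.infolist():
                    if not info.is_dir():
                        yield from _exec_refs(f"{name}!{info.filename}", z.read(info), depth + 1)
        except zipfile.BadZipFile:
            pass  # not really an archive; fall through to a raw byte scan
        else:
            return
    if any(marker in blob for marker in EXEC_MARKERS):
        yield name


def scan_soe_packages(root: Path, allowlist):
    """Return a finding for every .soe that is not allowlisted or that references exec APIs."""
    findings = []
    for path in sorted(root.rglob("*.soe")):
        digest = sha256_file(path)
        refs = list(_exec_refs(path.name, path.read_bytes()))
        if digest in allowlist and not refs:
            continue
        findings.append({"path": path.relative_to(root).as_posix(), "sha256": digest,
                         "known": digest in allowlist, "exec_refs": refs})
    return findings


def _write_soe(path: Path, class_bytes: bytes) -> None:
    """Constructed fixture: build a deterministic .soe (zip) containing a jar with one class."""
    def put(z, name, data):  # fixed timestamp so identical content hashes identically
        z.writestr(zipfile.ZipInfo(name, date_time=(2025, 9, 1, 0, 0, 0)), data)
    path.parent.mkdir(parents=True, exist_ok=True)
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        put(j, "com/example/GeoTools.class", class_bytes)
    with zipfile.ZipFile(path, "w") as z:
        put(z, "GeoTools.jar", jar.getvalue())
        put(z, "manifest.xml", b"<Extension name='GeoTools'/>")


def build_fixture(root: Path):
    """Constructed tree: the clean SOE in the live deployment and in a September 1 backup, and a
    doctored SOE in a September 15 backup. Returns the allowlist built from the live package."""
    clean = b"\xca\xfe\xba\xbe" + b"com/example/GeoTools java/lang/String"
    shell = b"\xca\xfe\xba\xbe" + b"com/example/GeoTools java/lang/ProcessBuilder layer key"
    _write_soe(root / "arcgis/server/extensions/GeoTools.soe", clean)
    _write_soe(root / "backups/2025-09-01/extensions/GeoTools.soe", clean)
    _write_soe(root / "backups/2025-09-15/extensions/GeoTools.soe", shell)
    return {sha256_file(root / "arcgis/server/extensions/GeoTools.soe")}


def demo():
    """Build the fixture in a temp directory and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        return scan_soe_packages(root, build_fixture(root))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']} known={f['known']} sha256={f['sha256'][:16]}... refs={f['exec_refs']}")
```

The hash check catches a package that differs from what you deployed; the byte scan catches a package that was never on the allowlist at all, or one whose "known" hash was taken after the compromise. Run it over restored backup media before anything from that media goes back into production, which is the gap the report describes.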