China-linked Flax Typhoon tweaked ArcGIS plugin to act as stealthy backdoor


Avoids use of obvious malware.

Security researchers have uncovered how a state-linked espionage group quietly turned a trusted ArcGIS plugin into a remote shell, maintaining access for over a year and even infecting system backups.


The group, tracked as Flax Typhoon by the infosec industry and identified with moderate confidence by ReliaQuest as the state-sponsored threat actor, first compromised a public-facing ArcGIS portal administrator account before deploying malicious code on an internal server.

Evidence from ReliaQuest's targeted customer showed the attacker reset the administrator password to a "leet" (1337) variant, suggesting they already possessed a level of access to the account.

Once inside, the attackers modified a legitimate ArcGIS server object extension (SOE), altering the Java code to create a hidden command interface that accepted base64-encoded instructions and executed them on the host machine.

Instead of dropping new files, the attackers altered an approved component already installed on the system.

This allowed the attackers to operate without deploying recognisable malware, evading scanners that rely on known threat signatures.

Once the compromised SOE was active, Flax Typhoon used it to map the network and establish long-term persistence, locking out competing intruders with a hard-coded access key.

The attackers also installed a renamed SoftEther virtual private network (VPN) binary into the Windows System32 directory, registered it as a service, and maintained control through an encrypted tunnel that blended with ordinary traffic.

They configured the VPN to use the HTTPS protocol on port 443, encapsulating Ethernet frames in standards-compliant HTTPS traffic that network security appliances rarely block.

Furthermore, since the SOE was deemed to be a legitimate ArcGIS plugin, the backdoor also appeared in subsequent system backups, meaning restoring from those backups reintroduced the threat.

ArcGIS is a geographic information system developed by the American company Environmental Systems Research Institute (Esri).

It is used to visualise, analyse, and manage spatial data for critical functions including disaster recovery, urban planning, and emergency management.

A single ArcGIS compromise can expose sensitive infrastructure data, emergency response capabilities, and pathways into interconnected operational technology networks.

The platform's use in mapping infrastructure vulnerabilities makes it particularly valuable for state-sponsored espionage operations focused on pre-positioning for future attacks.

Esri confirmed to ReliaQuest that this novel technique was the first documented case of a malicious SOE being weaponised in this manner.

ReliaQuest suggested behavioural monitoring could have exposed the attack sooner, along with tracking unexpected network activity from server components.

Defenders also need to verify the cryptographic integrity of trusted components, rather than relying on file names or digital signatures alone.
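One way to put that integrity check into practice, as an added example that is not ReliaQuest's or Esri's tooling: hash every installed extension against a baseline captured from a known-good install, so that an SOE that keeps its file name but has had its code altered shows up as modified. The extension directory, file patterns and baseline path are assumptions; the baseline must be kept outside the backup set, since the article notes the backdoored SOE was carried along in backups.

```python
"""Integrity baseline for ArcGIS server object extensions (SOEs).

Assumes SOEs are deployed as .soe/.jar files under one directory (placeholder
path below) and that the baseline was taken from a trusted install.
"""
import hashlib
import json
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, patterns=("*.soe", "*.jar")) -> dict:
    """Map each extension's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for pat in patterns
        for p in sorted(root.rglob(pat))
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live directory against the baseline.

    'modified' is the case a name-based check misses: the same file name,
    same location, but different content.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


if __name__ == "__main__":
    soe_dir = Path("/placeholder/arcgis/server/usr/directories/arcgissystem/arcgisinput")
    print(verify(soe_dir, load_baseline(Path("/placeholder/secure/soe-baseline.json"))))
```

Run `build_baseline` once on a clean system and store the JSON on a host the server cannot write to; any non-empty "modified" or "added" list on a later run is a ticket for investigation, whatever the file's signature says.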

A quiet, patient threat actor

Flax Typhoon has operated since at least mid-2021, primarily targeting Taiwanese government agencies, education institutions, critical manufacturing firms, and information technology organisations.

Microsoft security research shows the group has also compromised victims in Southeast Asia, North America, and Africa.

The group's preferred tools include the China Chopper web shell, Metasploit, the Juicy Potato privilege escalation tool, and Mimikatz for credential dumping.

However, they rely predominantly on living-off-the-land techniques, using legitimate system utilities to avoid detection.

Initial access typically involves exploiting known vulnerabilities in public-facing servers running VPN, web, Java, or SQL applications.

After gaining entry, Flax Typhoon employs a persistence technique involving Windows accessibility features.

The attackers disable Network Level Authentication for Remote Desktop Protocol (RDP), then modify Windows Registry keys to replace the Sticky Keys binary.

This allows them to press the Shift key five times at the login screen to launch Task Manager with system privileges, bypassing authentication entirely.

Copyright © iTnews.com.au . All rights reserved.