Concise Cyber

Chinese Hackers Flax Typhoon Exploit ArcGIS Server as Persistent Backdoor

Chinese-Linked Group Compromises Geo-Mapping System

A novel campaign in which an ArcGIS system was compromised and turned into a backdoor for more than a year has been attributed to threat actors with ties to China. The cybersecurity company ReliaQuest reported that the activity is the work of a Chinese state-sponsored hacking group known as Flax Typhoon, which is also tracked as Ethereal Panda and RedJuliett. The U.S. government has assessed that the group operates as a publicly traded, Beijing-based company called Integrity Technology Group.

The attack vector targeted a widely used geo-mapping application to establish a covert foothold within the victim’s network. Persistence of this length is consistent with the group’s known stealth and its reliance on living-off-the-land techniques, in which legitimate software already present on the system is repurposed rather than new malware being dropped.

Advanced Technique for Long-Term Persistence

ReliaQuest’s analysis revealed the specific method used by Flax Typhoon to maintain access. “The group cleverly modified a geo-mapping application’s Java server object extension (SOE) into a functioning web shell,” the company stated in its report. An SOE is a custom extension that ArcGIS Server loads alongside a service and exposes through that service’s REST endpoint, so a backdoored SOE appears to the server, and to anyone auditing it, as one more legitimate service resource. This modification allowed the attackers to execute commands on the compromised server remotely.
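Because an SOE is reached through the ordinary REST URL of the service it extends, its traffic lands in the same web server access logs as every other map request. The following is an added detection example written for this article; it is not code from ReliaQuest, Esri or the original page. It assumes combined-format access logs (constructed sample lines below), an inventory of the SOEs the organisation actually deployed together with the parameters each accepts, and hypothetical attacker parameter names (key, cmd) chosen only to make the sample readable. It flags calls to SOE names not in the inventory and calls to known SOEs that carry parameters the SOE was never written to accept.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined log format; not real logs.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2025:09:14:02 +0000] "GET /arcgis/rest/services/Parcels/MapServer/exts/ParcelLookup/query?parcelId=1234&f=json HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2025:09:14:05 +0000] "GET /arcgis/rest/services/Parcels/MapServer/exts/ParcelLookup/query?parcelId=1235&f=json HTTP/1.1" 200 815 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Oct/2025:09:20:41 +0000] "GET /arcgis/rest/services/Parcels/MapServer/exts/ParcelLookup/query?key=a1b2c3&cmd=whoami&f=json HTTP/1.1" 200 97 "-" "python-requests/2.32"
198.51.100.23 - - [12/Oct/2025:09:21:10 +0000] "GET /arcgis/rest/services/Basemap/MapServer/exts/SyncHelper/run?key=a1b2c3&cmd=dir+C%3A%5C&f=json HTTP/1.1" 200 2048 "-" "python-requests/2.32"
"""

# Assumed inventory: SOE names this deployment ships and the query parameters each accepts.
# In practice this comes from the deployment's own build/deploy records, not from the server.
KNOWN_SOES = {
    "ParcelLookup": {"parcelId", "f", "token"},
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ArcGIS REST layout: /rest/services/<folder/>service/<Type>Server/exts/<SOE name>/<resource>
SOE_RE = re.compile(r'/rest/services/(?P<service>.+?)/\w+Server/exts/(?P<soe>[^/?]+)')


def find_suspicious_soe_requests(log_text: str) -> list[dict]:
    """Return one finding per SOE request that is either to an SOE not in the
    inventory or carries parameters the inventoried SOE does not accept."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        s = SOE_RE.search(url.path)
        if not s:
            continue  # ordinary service request, not an SOE call
        soe = s["soe"]
        params = set(parse_qs(url.query, keep_blank_values=True))
        base = {"ip": m["ip"], "ts": m["ts"], "service": s["service"],
                "soe": soe, "status": m["status"]}
        if soe not in KNOWN_SOES:
            findings.append({**base, "reason": "unknown_soe", "params": sorted(params)})
            continue
        extra = params - KNOWN_SOES[soe]
        if extra:
            findings.append({**base, "reason": "unexpected_params", "params": sorted(extra)})
    return findings


def sources(findings: list[dict]) -> list[str]:
    """Distinct client addresses behind the findings, for pivoting in the SIEM."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    for f in find_suspicious_soe_requests(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["soe"], f["reason"], f["params"])
```

Two caveats a practitioner should keep in mind: access logs record the query string but not POST bodies, so a web shell that reads its command from the body is only visible here through the unusual SOE name, the client address or the user agent, and the inventory must be compiled from deployment records rather than by listing what is currently installed on the server, since on a compromised host the modified SOE would simply inventory itself as legitimate.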

To ensure their exclusive control and long-term presence, the attackers implemented several key features. “By gating access with a hardcoded key for exclusive control and embedding it in system backups, they achieved deep, long-term persistence that could survive a full system recovery,” ReliaQuest explained. The hardcoded key meant the web shell answered only to requests that carried it, so opportunistic scanners and other attackers could not trigger it, and its presence in the backups meant that restoring the server from backup, the usual response to a suspected compromise, reinstated the backdoor. Together these made the malicious code exceptionally difficult to detect and remove, and allowed the group to remain undetected for over a year.
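The practical lesson of the backup detail is that a restored system cannot be trusted to be clean just because it was restored, and that the reference point for “what should be installed” must live outside both the server and its backups. The following is an added example written for this article, not code from ReliaQuest, Esri or the original page. It assumes that deployed SOEs are .soe files under a directory the operator knows (the path is passed in), and that a manifest of expected SHA-256 digests is kept by the build pipeline or taken from the vendor’s own download, independently of the server. It reports SOE files whose digest differs from the manifest, files the manifest does not know about, and expected files that are absent; the demo builds a throwaway directory with constructed stand-in files.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of a file (SOE packages can be large)."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_soe_integrity(soe_dir, manifest: dict) -> dict:
    """Compare every .soe file under soe_dir with an independently held manifest.

    manifest maps file name -> expected SHA-256 hex digest. It must come from the
    build pipeline or the vendor artifact, never from the server or its backups:
    a backdoor that was captured in the backups would otherwise verify as good.
    Returns sorted lists under 'modified', 'unknown' and 'missing'.
    """
    seen = {p.name: sha256_file(p) for p in Path(soe_dir).rglob("*.soe")}
    return {
        "modified": sorted(n for n, d in seen.items() if n in manifest and manifest[n] != d),
        "unknown": sorted(n for n in seen if n not in manifest),
        "missing": sorted(n for n in manifest if n not in seen),
    }


def demo() -> dict:
    """Constructed example: a temp directory stands in for the server's SOE folder.

    .soe packages are zip archives in reality; the bytes here are stand-ins only.
    """
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Legitimate SOE whose on-disk bytes no longer match the build (tampered).
        (d / "ParcelLookup.soe").write_bytes(b"PK\x03\x04 ParcelLookup build + injected command handler")
        # SOE nobody deployed according to the manifest.
        (d / "SyncHelper.soe").write_bytes(b"PK\x03\x04 SyncHelper")
        manifest = {
            "ParcelLookup.soe": hashlib.sha256(b"PK\x03\x04 ParcelLookup build").hexdigest(),
            "Routing.soe": hashlib.sha256(b"PK\x03\x04 Routing build").hexdigest(),
        }
        return check_soe_integrity(d, manifest)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Run the check against the live server and again after any restore from backup; if the same modified artifact shows up both times, the backup set itself is contaminated and the SOE has to be redeployed from the original build output rather than recovered. The manifest is keyed by file name for simplicity, so a renamed package shows up as one unknown plus one missing entry, which is still a signal worth investigating.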

Source: https://thehackernews.com/2025/10/chinese-hackers-exploit-arcgis-server.html