Chinese state-linked hackers managed to stay inside corporate networks for more than a year by turning a trusted mapping tool into a secret backdoor. They used a feature of Esri’s ArcGIS software, which is normally used for geographic data, to run hidden commands without being noticed.

The hackers first gained access using valid administrator credentials. Once they were inside, they uploaded a malicious Java extension called a Server Object Extension (SOE). This extension acted as a hidden web shell that accepted encoded commands through a REST API and executed them on the server.

To keep the backdoor under their own control, they protected it with a hardcoded secret key. Only requests carrying that secret were executed, so the component would not respond to anyone else, which also made it harder for defenders to identify and remove the malicious extension.

After that, the attackers installed a VPN tool known as SoftEther VPN Bridge. They registered it as a Windows service, allowing it to start automatically and maintain a constant connection to their own remote servers. This VPN tunnel used normal HTTPS traffic, making it blend in with everyday internet activity.

Through the VPN, the hackers explored the internal network, stole credentials, and tried to access other systems. Investigators said the hackers were performing hands-on operations, showing that they were directly controlling the attack rather than relying on automated scripts.

Security firm ReliaQuest linked this attack to a Chinese threat group known as Flax Typhoon. The group is known for using legitimate tools in creative ways to stay hidden for long periods without raising alarms.

What makes this case especially concerning is that the hackers didn’t use malware in the traditional sense. They abused normal software features that administrators often trust. They even made sure the malicious extension was included in backups, so restoring the system could accidentally bring the backdoor back.

Esri, the company behind ArcGIS, confirmed this is the first known case of its extension system being misused in this way. The company plans to update its documentation to help users protect against such attacks in the future.

Experts recommend tightening access controls for public-facing systems, rotating administrator passwords, and closely monitoring network traffic for suspicious connections. Backups should also be checked carefully to ensure they don’t include infected files.
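One way to carry out the backup check recommended above, as an added example that is not from the article or from Esri: a Python audit that hashes every server-extension package found in a backup tree and flags any package that is missing from an allowlist of approved builds, or whose hash no longer matches. The directory layout, file names and contents are constructed for the demo and are not real ArcGIS paths.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical extension layout for the demo; real ArcGIS Server deployments differ.
EXT_SUFFIXES = {".soe", ".jar"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large packages do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_extensions(root: Path, allowlist: dict) -> list:
    """Return every extension package under root that is not an approved build.

    allowlist maps file name -> SHA-256 of the package that change control approved.
    Anything not on the list, or whose hash differs, is reported for manual review.
    """
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXT_SUFFIXES:
            continue
        digest = sha256_of(path)
        rel = str(path.relative_to(root))
        expected = allowlist.get(path.name)
        if expected is None:
            findings.append({"file": rel, "reason": "not on allowlist", "sha256": digest})
        elif expected != digest:
            findings.append({"file": rel, "reason": "hash mismatch", "sha256": digest})
    return findings


def build_sample_backup() -> tuple:
    """Constructed sample: one approved SOE and one unapproved SOE inside a backup tree."""
    root = Path(tempfile.mkdtemp(prefix="arcgis_backup_"))
    ext_dir = root / "arcgisserver" / "extensions"
    ext_dir.mkdir(parents=True)
    good = ext_dir / "RouteCalc.soe"
    good.write_bytes(b"PK\x03\x04 approved extension (constructed)")
    bad = ext_dir / "UtilityHelper.soe"
    bad.write_bytes(b"PK\x03\x04 unapproved extension (constructed)")
    (root / "README.txt").write_text("constructed backup, not an extension")
    return root, {"RouteCalc.soe": sha256_of(good)}


if __name__ == "__main__":
    root, allowlist = build_sample_backup()
    for f in audit_extensions(root, allowlist):
        print(f"{f['reason']}: {f['file']} sha256={f['sha256']}")
```

Run it against each restore point before restoring, and treat any finding as a reason to rebuild the extension from a known-good source rather than from the backup.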

This incident shows how advanced attackers are finding new ways to hide inside trusted environments. Even familiar software tools can become powerful cyber weapons when placed in the wrong hands.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news