China’s Flax Typhoon group has carried out a stealthy intrusion by turning a trusted geo-mapping server into a backdoor. Security researchers found that the attackers abused ArcGIS Server, Esri’s mapping platform, to stay hidden inside a victim’s network for over a year. What makes the attack notable is that it relied on no conventional malware: the attackers repurposed a legitimate software component of the server itself to maintain access, which kept the operation almost invisible to file- and signature-based security tools.
Instead of dropping new malicious files, the attackers modified an existing Server Object Extension (SOE), the mechanism ArcGIS Server uses to let developers extend a map service with custom functions. They reworked the extension into a hidden web shell: requests to the extension’s endpoint could execute operating-system commands on the server, while the mapping service continued to respond normally. Because the SOE ran inside the trusted ArcGIS Server process, security products saw nothing out of the ordinary.
The attackers are believed to have gained initial access through a compromised administrator account on a public-facing ArcGIS Server instance; no software vulnerability was required. Once inside, they deployed the altered SOE and built a hardcoded access key into it, so that only requests carrying that key would trigger command execution. That kept other users and scanners from stumbling onto the backdoor and gave Flax Typhoon exclusive command access. The extension sat among the server’s legitimate files, blending into the normal environment.
To ensure persistence, the attackers made sure their tampered extension was included in the server’s backups. They also created a hidden folder named “Bridge” to stage their tools and support ongoing operations. Seeding the backups meant that restoring the server from a backup would reinstall the backdoor rather than remove it, so the access survived cleanup attempts and the activity continued unnoticed.
After securing control, the group installed a renamed VPN program as “bridge.exe” and registered it as a Windows service named “SysBridge.” The service started automatically at every boot, re-establishing the attackers’ tunnel into the network. Through this VPN link their remote machine was effectively bridged into the internal environment, so its traffic looked like that of an internal host. From there they could move laterally across systems and collect sensitive data.
Security analysts have attributed the intrusion to Flax Typhoon, a China-based advanced persistent threat group. The group is known for “living off the land”: abusing tools and features already present on a target instead of installing new malware. This approach lets it stay hidden for long periods while carrying out espionage and intelligence collection.
The attack shows how even trusted software can become a serious security risk when manipulated by skilled attackers. It is a reminder that security is not only about blocking malicious programs; it is also about watching how legitimate systems behave. Organizations need to notice irregular network activity and commands originating from software that should never be running them.
Experts recommend auditing installed software extensions against known-good builds, verifying the contents of backups before restoring from them, and enforcing strong authentication, including multi-factor authentication, on administrative accounts. Limiting administrative privileges and monitoring for unexpected services and processes can also help surface this kind of hidden foothold. The Flax Typhoon intrusion is a clear example of how sophisticated groups now exploit the tools we trust most.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news