Geospatial Tool Turned Into Stealthy Backdoor by Flax Typhoon

 

Chinese state-backed hacking group Flax Typhoon has been exploiting a feature within Esri’s ArcGIS software to maintain covert access to targeted systems for more than a year, according to new findings from ReliaQuest. The group, active since at least 2021 and known for espionage operations against entities in the U.S., Europe, and Taiwan, weaponized ArcGIS’s Server Object Extension (SOE) to transform the software into a webshell—essentially turning legitimate features into tools for persistent compromise.

Researchers found that the attackers targeted a public-facing ArcGIS server linked to a private backend server. By compromising the portal administrator credentials, they deployed a malicious extension that forced the system to create a hidden directory, which became their private command and control workspace. 

This extension included a hardcoded key, shielding their access from others while ensuring persistence. The hackers maintained this access long enough for the malicious file to become embedded in backup systems, effectively guaranteeing reinfection even if administrators restored the system from backups.

ReliaQuest described this as a particularly deceptive attack chain that allowed the group to mimic normal network activity, thereby bypassing typical detection mechanisms. Because the infected component was integrated into backup files, standard recovery protocols became a liability — a compromised backup meant a built-in reinfection vector. The tactic showcases Flax Typhoon’s hallmark strategy of exploiting trusted internal processes and tools rather than relying on advanced malware or sophisticated exploits.

This method is consistent with Flax Typhoon’s history of leveraging legitimate software components for espionage. Microsoft had previously documented the group’s capability to maintain long-term access to dozens of Taiwanese organizations using built-in Windows utilities and benign applications for stealth. The U.S. Treasury Department has sanctioned Integrity Technology Group, a Beijing-based company implicated in supporting Flax Typhoon’s operations, including managing infrastructure for a major botnet dismantled by the FBI.

ReliaQuest warned that the real danger extends beyond ArcGIS or Esri’s ecosystem — it highlights the inherent risks in enterprise software that depends on third-party extensions or backend access. The researchers called the case a “wake-up call,” urging organizations to treat every interface with backend connectivity as a high-risk access point, regardless of how routine or trusted it appears.
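The backup reinfection problem described above can be checked for before a restore. The following is an added example, not code from ReliaQuest, Esri, or this blog: it compares every extension package found in a staged backup against hashes recorded when each extension was reviewed. The `.soe` suffix filter, the file names, the directory layout, and the baseline manifest are all assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: extension packages are recognised by file suffix (".soe" here).
EXTENSION_SUFFIXES = {".soe"}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_backup(staging_root: Path, approved: dict) -> dict:
    """Flag extension packages in a staged backup that differ from the baseline."""
    # approved maps file name -> SHA-256 recorded when the extension was reviewed.
    findings = {"unapproved": [], "modified": []}
    for path in sorted(staging_root.rglob("*")):  # rglob also descends into dot-directories
        if not path.is_file() or path.suffix.lower() not in EXTENSION_SUFFIXES:
            continue
        rel = path.relative_to(staging_root).as_posix()
        expected = approved.get(path.name)
        if expected is None:
            findings["unapproved"].append(rel)   # never reviewed: hold the restore
        elif sha256_file(path) != expected:
            findings["modified"].append(rel)     # reviewed name, different bytes
    return findings

def build_sample_backup(root: Path) -> dict:
    """Constructed sample data: one clean, one altered, one unknown extension."""
    ext_dir = root / "extensions"
    hidden = ext_dir / ".cache"
    hidden.mkdir(parents=True)
    (ext_dir / "RouteHelper.soe").write_bytes(b"reviewed build 1")
    (ext_dir / "ParcelLookup.soe").write_bytes(b"altered build")
    (hidden / "Unknown.soe").write_bytes(b"never reviewed")
    return {
        "RouteHelper.soe": hashlib.sha256(b"reviewed build 1").hexdigest(),
        "ParcelLookup.soe": hashlib.sha256(b"reviewed build 2").hexdigest(),
    }

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return audit_backup(root, build_sample_backup(root))

if __name__ == "__main__":
    print(demo())
```

The baseline only helps if it is stored outside the server and its backups, so that a compromised administrator account cannot rewrite it alongside the extension.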