China’s Flax Typhoon Exploits ArcGIS App for Year-Long Persistence
2025-10-14 17:51:48 Author: securityboulevard.com

A China-backed threat group exploited what ReliaQuest researchers called a “common security blind spot” to maintain persistence in a widely used geospatial data management application for more than a year by turning one of the tool’s features into a webshell.

Essentially, Flax Typhoon, rather than relying on its own tooling, turned a popular software package into a persistent backdoor that was used to move laterally across multiple hosts, execute malicious commands, and harvest credentials. The approach also made the group harder to detect and let it retain access even when the victim restored systems from backups.

“This attack truly stands out for its sheer ingenuity preying on a common security blind spot: the inherent trust placed in legitimate software components,” ReliaQuest’s threat research teams wrote in a report this week. “Instead of using a known malicious tool, the attackers opted to repurpose a legitimate ArcGIS SOE [server object extension] into a covert web shell. This allowed their movements to cleverly appear as normal system operations, bypassing detection tools focused on known-bad artifacts.”


‘Insidious’ Method

The researchers added that “this made the security team’s job exponentially harder, as they were hunting for malware while the threat was disguised as a trusted process.”

In addition, the advanced persistent threat (APT) group – part of China’s larger cyberespionage program – used a hardcoded key to keep other attackers or admins from tampering with its access.

“The group’s persistence method was even more insidious,” ReliaQuest researchers wrote. “By ensuring the compromised component was included in system backups, they turned the organization’s own recovery plan into a guaranteed method of reinfection. This tactic turns a safety net into a liability, meaning incident response teams must now treat backups not as failsafe, but as a potential vector for reinfection.”
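The point about backups reinfecting a restored server suggests a concrete pre-restore check. The Python below is an added example, not code from ReliaQuest or the article: before a restored ArcGIS server is brought back online, every server object extension found in the restore staging area is hashed and compared against a baseline manifest of approved extensions captured from a known-good build. Anything not in the manifest, or whose hash differs, blocks redeployment. The ".soe" file suffix, the staging layout and the manifest format are assumptions; the file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: SOE packages appear as ".soe" files under the restore staging directory.
EXTENSION_SUFFIXES = (".soe",)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def hash_extensions(root: Path) -> dict:
    """Map every extension file under root (recursively) to its SHA-256."""
    return {
        p.name: sha256_hex(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXTENSION_SUFFIXES
    }


def audit_extensions(found: dict, approved: dict) -> dict:
    """Compare restored extensions against the approved baseline.

    found:    {filename: sha256} observed in the restore staging area
    approved: {filename: sha256} from the known-good manifest
    Returns {filename: verdict} where verdict is "ok", "unapproved", "modified" or "missing".
    """
    verdicts = {}
    for name, digest in found.items():
        if name not in approved:
            verdicts[name] = "unapproved"   # extension nobody vetted rode along in the backup
        elif approved[name] != digest:
            verdicts[name] = "modified"     # approved name, but the bytes changed
        else:
            verdicts[name] = "ok"
    for name in approved:
        verdicts.setdefault(name, "missing")  # baseline extension absent from the restore
    return verdicts


def safe_to_redeploy(verdicts: dict) -> bool:
    """Only a restore whose every extension matches the baseline may go back online."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())


def demo() -> dict:
    """Constructed scenario: one vetted extension plus one that only exists in the backup."""
    approved_bytes = {"ParcelTools.soe": b"constructed: bytes of the vetted ParcelTools package"}
    approved = {name: sha256_hex(data) for name, data in approved_bytes.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ParcelTools.soe").write_bytes(approved_bytes["ParcelTools.soe"])
        (root / "Untracked.soe").write_bytes(b"constructed: an extension nobody approved")
        return audit_extensions(hash_extensions(root), approved)


if __name__ == "__main__":
    result = demo()
    for name, verdict in sorted(result.items()):
        print(f"{verdict:10s} {name}")
    print("redeploy allowed:", safe_to_redeploy(result))
```

The manifest has to come from somewhere the attacker could not reach, such as a build pipeline artifact or an offline record taken when the extension was first approved; a manifest stored alongside the backup it is meant to check proves nothing.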

Cyberespionage is the Goal

Flax Typhoon has been around since 2021 and is known for running espionage operations against entities in the United States, Taiwan, and Europe. According to ReliaQuest, the group stays dormant for long periods while it works out its next “precise, high-impact” attack, with a focus on critical infrastructure.

The researchers added that “it’s highly likely that its re-emergence is not a random event, making this attribution significant for defenders.” Given that, they assessed it as likely – a 55% to 70% chance – that Flax Typhoon is either active in new networks or targeting its next victim.

Turning a Function into a Webshell

In the report, they wrote that Flax Typhoon compromised a portal administrator account and deployed a malicious SOE. SOEs are used by organizations to create custom service operations that extend the base functionality of map or image services. The threat group found a public-facing ArcGIS server that was connected to a private, internal ArcGIS server for backend computations, which is a common default configuration, according to ReliaQuest. The attackers sent commands instructing the server to create a hidden system directory named “Bridge” that served as their private workspace, and got the ArcGIS server SOE to act as a webshell.

The SOE included a hardcoded key that gated access to the web shell and allowed it to execute commands.

“They then repeatedly abused this same web shell to run additional encoded PowerShell commands; all routed through the same ‘JavaSimpleRESTSOE’ extension and ‘getLayerCountByType’ operation,” the researchers wrote. “This consistent method allowed them to advance their objectives while blending in with normal server traffic.”
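The report’s own description of the traffic, encoded PowerShell routed through one SOE operation again and again, is something a defender can look for in request logs, which is the behavioral check the article argues for. The Python below is an added example, not code from ReliaQuest or the article: it parses constructed ArcGIS Server request log lines, keeps only calls to the JavaSimpleRESTSOE getLayerCountByType operation named above, and flags any parameter value that base64-decodes to a UTF-16LE command string (the form PowerShell’s encoded-command option expects), then tallies hits per client address. The one-line log layout, the REST path under /exts/, and the parameter name are assumptions; the log lines and commands are constructed.

```python
import base64
import re
from collections import Counter
from urllib.parse import parse_qs, quote, urlsplit

# Operation named in the report; the /exts/<SOE>/<operation> path layout is assumed.
WATCHED_OPERATION = "/exts/JavaSimpleRESTSOE/getLayerCountByType"

# Base64 alphabet only, long enough to carry a command, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def encode_ps(command: str) -> str:
    """UTF-16LE base64 form of a command (used here only to build constructed sample data)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def _sample_line(ts: str, ip: str, layer_type_value: str) -> str:
    # Constructed line layout: "<timestamp> <client_ip> <method> <url> <status>"
    return (f"{ts} {ip} GET /arcgis/rest/services/Parcels/MapServer{WATCHED_OPERATION}"
            f"?layerType={layer_type_value}&f=json 200")


# Constructed sample log: line 1 is a normal call, lines 2-3 carry encoded PowerShell in the
# parameter, line 4 carries an ordinary base64 ASCII value that must not be flagged.
SAMPLE_LOG = "\n".join([
    _sample_line("2025-09-01T10:00:01Z", "10.0.0.5", "polygon"),
    _sample_line("2025-09-01T10:00:07Z", "203.0.113.9", quote(encode_ps("Get-Process"), safe="")),
    _sample_line("2025-09-01T10:03:42Z", "203.0.113.9",
                 quote(encode_ps(r"Get-ChildItem C:\Windows\Temp"), safe="")),
    _sample_line("2025-09-01T10:05:00Z", "10.0.0.7",
                 quote(base64.b64encode(b"https://example.com/layers/parcels.json").decode(), safe="")),
])


def decode_encoded_powershell(value: str):
    """Return the command text if value is base64 of UTF-16LE printable ASCII, else None."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    # Encoded PowerShell decodes to plain printable ASCII; unrelated base64 does not.
    if text and text.isascii() and text.isprintable():
        return text
    return None


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields and decoded query parameters."""
    ts, ip, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": ts, "ip": ip, "method": method, "path": parts.path,
            "params": parse_qs(parts.query), "status": int(status)}


def find_encoded_commands(log_text: str) -> list:
    """Every call to the watched SOE operation whose parameters carry an encoded command."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not rec["path"].endswith(WATCHED_OPERATION):
            continue
        for name, values in rec["params"].items():
            for v in values:
                decoded = decode_encoded_powershell(v)
                if decoded is not None:
                    findings.append({"ts": rec["ts"], "ip": rec["ip"],
                                     "param": name, "command": decoded})
    return findings


def sources_by_count(findings: list) -> Counter:
    """Repeated use from one client address is the pattern the report describes."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_encoded_commands(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} param={h["param"]} command={h["command"]!r}')
    print("per-source counts:", dict(sources_by_count(hits)))
```

The decode step is deliberately narrow: it accepts only values that come back as printable ASCII after UTF-16LE decoding, so ordinary base64 payloads (JSON, URLs, binary) fall through. In a real deployment the same logic would be fed from the web server’s access log with the watched path set to whichever SOE operations the organization actually exposes, and a second rule would alert on any SOE operation that has never been called before.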

The threat group also uploaded a renamed SoftEther VPN executable for long-term access, so they could appear as if part of the internal network, bypass network-level monitoring, move laterally, and exfiltrate credentials. It targeted two particular workstations within a scanned subnet that belonged to IT personnel, which the researchers said made them high-value targets that could be exploited further.

ReliaQuest wrote that the attack was so unique that it resulted in an update to ArcGIS’ documentation.

Existing Gap

Flax Typhoon’s weaponization of legitimate functions in software isn’t new. Microsoft Threat Intelligence last year outlined a campaign against dozens of organizations in Taiwan and noted that “Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks.”

That said, the recent campaign by the group exploited a weakness that “exists in any public-facing application an organization considers ‘safe,’” ReliaQuest wrote, adding that “a gap will always exist between a product’s built-in security and the unique ways it is deployed. Attackers are skilled at operating in this gap. This situation also reveals a common disconnect between the assumption that security best practices are always being followed and the complex realities of real-world environments.”

Move Beyond IOCs

Weaponizing a legitimate software function can challenge an organization’s defense and recovery strategies, making a security product vulnerable if the operating environment also isn’t rigorously managed, the researchers wrote.

“This forces a critical shift in security thinking, away from asking ‘Is this file malicious?’ to ‘Is this application behaving as expected?’” they wrote. “If you lack visibility into the normal behavior of your applications, you are blind to this entire class of attack.”

Organizations need to treat all public-facing applications as high-risk assets and expand beyond indicator-of-compromise-based detection to auditing systems, in order to eliminate the blind spots that attackers rely on, according to ReliaQuest.


Source: https://securityboulevard.com/2025/10/chinas-flax-typhoon-exploits-arcgis-app-for-year-long-persistence/