ArcGIS SOE web shell and SoftEther VPN Bridge persistence analysis
Technical Analysis
Summary
A malicious ArcGIS Server Object Extension (SOE) was turned into a stealthy web shell, giving the operator long-lived access to the server and, through it, persistence beyond the portal. The intrusion matters because the operator used that backdoor to install SoftEther VPN Bridge, open an outbound HTTPS tunnel, and reach deeper into the victim network.
Related Happenings
BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave
Exploitation Wave
First: 12.02.2026 23:34
Last: 12.02.2026 23:34
Sources 1
About this happening:
**CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...
UAT-8099 IIS SEO fraud campaign targeting vulnerable Asia-based IIS servers
Campaign
First: 30.01.2026 14:08
Last: 30.01.2026 14:08
Sources 1
About this happening:
**UAT-8099** launched a **late 2025 to early 2026** campaign against **vulnerable IIS servers** across **Asia**, with the strongest concentration in **Thailand and Vietnam**. The...
BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam
Malware Activity
First: 30.01.2026 14:08
Last: 30.01.2026 14:08
Sources 1
About this happening:
**BadIIS** is a **malicious native IIS module** used on **compromised IIS servers** to support **SEO fraud** and traffic manipulation. **Cisco Talos** says the activity is tied to...
ArcGIS system / public-facing ArcGIS server hit by data theft breach
Incident
First: 14.10.2025 19:55
Last: 14.10.2025 19:55
Sources 1
About this happening:
**ArcGIS server** was **compromised** and turned into a **backdoor** for **more than a year**, exposing the environment to long-term unauthorized access. Attackers used a **portal...
Flax Typhoon ArcGIS web-shell persistence campaign
Campaign
First: 14.10.2025 15:00
Last: 14.10.2025 15:00
Sources 1
How related:
The researchers found Flax Typhoon actors compromised an organization's public-facing ArcGIS server and used the access to turn a trusted application into a backdoor.
About this happening:
**Flax Typhoon** is conducting a **campaign** that abuses a legitimate **public-facing ArcGIS** application to create persistent backdoor access, raising the risk of lateral movem...
Timeline
- 14.10.2025 15:28 (3 articles)
ArcGIS SOE web shell and SoftEther VPN Bridge persistence
Technical Analysis Update: ReliaQuest assessed that Chinese state-sponsored actors, likely Flax Typhoon, used valid administrator credentials to access a public-facing ArcGIS server that was linked to a private internal ArcGIS server. They uploaded a malicious Java Server Object Extension (SOE) that accepted base64-encoded commands through a REST API parameter, then used that access to install SoftEther VPN Bridge as a Windows service, giving them persistence and an outbound HTTPS tunnel to 172.86.113[.]142.
- Chinese hackers abuse geo-mapping tool for year-long persistence — www.bleepingcomputer.com — 14.10.2025 15:28
- China's Flax Typhoon Turns Geo-Mapping Server into a Backdoor — www.darkreading.com — 15.10.2025 00:12
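As an added example (not code from ReliaQuest, Esri or the cited articles), the following Python hunts for the two artifacts the timeline entry describes: requests to an SOE REST endpoint that carry a base64-encoded command, and a SoftEther service plus an outbound connection to the reported address. The log lines, the SOE name LayerTools, the service inventory and the connection list are constructed; the /exts/ path segment used here for SOE resources and the SoftEther marker substrings are assumptions to check against your own deployment.

```python
"""Hunt for SOE web-shell requests and SoftEther persistence artifacts.

Added example for this page; it is not code from ReliaQuest or from the
cited articles. The log lines, the SOE name "LayerTools", the service
inventory and the connection list are constructed. Only the outbound
address 172.86.113[.]142 is taken from the page; the SOE REST path shape
(/rest/services/<service>/<type>/exts/<SOE>/...) is an assumption.
"""
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines: "client method path status". Adapt the split
# below to whatever your web tier (IIS, Web Adaptor, reverse proxy) writes.
SAMPLE_LOG = """\
10.0.0.5 GET /arcgis/rest/services/Parcels/MapServer/export?bbox=1,2,3,4&f=json 200
203.0.113.9 GET /arcgis/rest/services/Parcels/MapServer/exts/LayerTools/run?cmd=d2hvYW1p&f=json 200
203.0.113.9 GET /arcgis/rest/services/Parcels/MapServer/exts/LayerTools/run?cmd=bmV0IHVzZXIgYWRtaW4gUEBzc3cwcmQgL2FkZA==&f=json 200
10.0.0.7 GET /arcgis/rest/services/Parcels/MapServer/exts/LayerTools/info?f=json 200
"""

# Constructed host inventory: (service name, binary path) and
# (owning process, remote address, remote port). On Windows these would come
# from Get-CimInstance Win32_Service and Get-NetTCPConnection respectively.
SAMPLE_SERVICES = [
    ("ArcGIS Server", r"C:\Program Files\ArcGIS\Server\framework\etc\service\bin\ArcGISServer.exe"),
    ("SEVPNBRIDGE", r"C:\Program Files\SoftEther VPN Bridge\vpnbridge_x64.exe"),
]
SAMPLE_CONNECTIONS = [
    ("vpnbridge_x64.exe", "172.86.113.142", 443),
    ("chrome.exe", "142.250.80.46", 443),
]

IOC_ADDRESS = "172.86.113.142"  # from the page, defanged there as 172.86.113[.]142
# Substrings that identify SoftEther components; this list is an assumption.
SOFTETHER_MARKERS = ("softether", "vpnbridge", "vpnserver", "vpnclient")

# Standard base64 alphabet, at least 8 body characters, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_if_base64(value):
    """Return the decoded text if value is base64 for printable ASCII, else None."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None
    return text if text.isprintable() else None


def find_soe_command_requests(log_text):
    """Flag requests to an SOE REST endpoint (/exts/) whose parameters carry base64 text.

    A legitimate SOE takes geometry, layer ids and the like; a parameter that
    decodes to a shell command is the web-shell pattern described above.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, _method, target, _status = parts[:4]
        url = urlparse(target)
        if "/rest/services/" not in url.path or "/exts/" not in url.path:
            continue
        for name, values in parse_qs(url.query).items():
            for value in values:
                decoded = decode_if_base64(value)
                if decoded is not None:
                    hits.append({"client": client, "path": url.path,
                                 "param": name, "command": decoded})
    return hits


def find_softether_persistence(services, connections):
    """Flag SoftEther-looking services and connections to the C2 address or from SoftEther binaries."""
    findings = []
    for name, path in services:
        if any(m in (name + " " + path).lower() for m in SOFTETHER_MARKERS):
            findings.append(f"service {name!r} runs {path}")
    for proc, remote_ip, remote_port in connections:
        reasons = []
        if remote_ip == IOC_ADDRESS:
            reasons.append("known C2 address")
        if any(m in proc.lower() for m in SOFTETHER_MARKERS):
            reasons.append("SoftEther binary")
        if reasons:
            findings.append(f"{proc} -> {remote_ip}:{remote_port} ({', '.join(reasons)})")
    return findings


if __name__ == "__main__":
    for hit in find_soe_command_requests(SAMPLE_LOG):
        print(f"SOE command from {hit['client']} via {hit['path']}?{hit['param']}=...: {hit['command']}")
    for finding in find_softether_persistence(SAMPLE_SERVICES, SAMPLE_CONNECTIONS):
        print("persistence:", finding)
```

The request check looks only for standard base64; URL-safe base64 or values with a `+` that the web tier has already turned into a space need a second pass. The service and connection checks are deliberately narrow: a SoftEther binary on an ArcGIS host, or any process talking to the reported address, is the signal the analysis describes, so alert on those rather than on port 443 traffic in general.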