
ArcGIS system / public-facing ArcGIS server hit by data theft breach

Incident · Happening score: 9 · 1 unique source, 1 article

Summary


A public-facing ArcGIS server was compromised and used as a backdoor for more than a year, exposing the environment to long-term unauthorized access. The attackers used a compromised portal administrator account and a malicious server object extension (SOE) that functioned as a web shell to maintain covert control. The intrusion mattered because it enabled lateral movement, credential theft, and data exfiltration while blending into normal server traffic.

Related Happenings

BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam

Malware Activity
First: 30.01.2026 14:08 · Last: 30.01.2026 14:08 · Sources: 1

About this happening: **BadIIS** is a **malicious native IIS module** used on **compromised IIS servers** to support **SEO fraud** and traffic manipulation. **Cisco Talos** says the activity is tied to...

ArcGIS SOE web shell and SoftEther VPN Bridge persistence analysis

Technical Analysis
First: 14.10.2025 15:28 · Last: 14.10.2025 15:28 · Sources: 1

About this happening: **ArcGIS** server extensions were turned into a stealthy web shell, enabling long-lived internal access and persistence beyond the portal. The intrusion matters because the operat...

Flax Typhoon ArcGIS web-shell persistence campaign

Campaign
First: 14.10.2025 15:00 · Last: 14.10.2025 15:00 · Sources: 1

How related: The activity, per ReliaQuest, is the handiwork of a Chinese state-sponsored hacking group called Flax Typhoon, which is also tracked as Ethereal Panda and RedJuliett.

About this happening: **Flax Typhoon** is conducting a **campaign** that abuses a legitimate **public-facing ArcGIS** application to create persistent backdoor access, raising the risk of lateral movem...

UAT-8099 IIS hijacking SEO fraud campaign

Campaign
First: 03.10.2025 16:00 · Last: 03.10.2025 16:00 · Sources: 1

About this happening: The **UAT-8099** campaign is hijacking **IIS servers** at reputable organizations across **Brazil, Canada, India, Thailand, and Vietnam**, turning them into infrastructure for **S...

Timeline

  1. 14.10.2025 19:55 · 2 articles

    Flax Typhoon ArcGIS backdoor analysis

    Technical Analysis Update

    ReliaQuest attributed a long-running compromise of a public-facing ArcGIS server to Flax Typhoon, also tracked as Ethereal Panda and RedJuliett, and said the group modified a Java server object extension (SOE) into a web shell to maintain control of the affected organization for more than a year. The activity included a compromised portal administrator account, a hardcoded key for access control, a renamed SoftEther VPN executable ("bridge.exe") placed in "System32", a "SysBridge" service for persistence, outbound HTTPS connections to an attacker-controlled IP address, and targeting of two IT workstations to obtain credentials and support lateral movement and exfiltration.
