
Flax Typhoon ArcGIS web-shell persistence campaign

Campaign
Happening score: 32
2 unique sources, 2 articles

Summary


Flax Typhoon is conducting a campaign that abuses a legitimate public-facing ArcGIS application to create persistent backdoor access, raising the risk of lateral movement and credential harvesting. The operation matters because the adversaries turned trusted infrastructure into a covert entry point that can survive ordinary remediation. Their access path used a malicious SOE/web shell chain and a renamed SoftEther VPN tool to blend into internal traffic.

Related Happenings

Storm-1175 high-velocity exploit campaign

Campaign
First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

UAT-8099 IIS SEO fraud campaign targeting vulnerable Asia-based IIS servers

Campaign
First: 30.01.2026 14:08 Last: 30.01.2026 14:08 Sources 1

About this happening: **UAT-8099** launched a **late 2025 to early 2026** campaign against **vulnerable IIS servers** across **Asia**, with the strongest concentration in **Thailand and Vietnam**. The...

ArcGIS system / public-facing ArcGIS server hit by data theft breach

Incident
First: 14.10.2025 19:55 Last: 14.10.2025 19:55 Sources 1

How related: A novel campaign that compromised an ArcGIS system and turned it into a backdoor for more than a year has been attributed to threat actors with ties to China.

About this happening: **ArcGIS server** was **compromised** and turned into a **backdoor** for **more than a year**, exposing the environment to long-term unauthorized access. Attackers used a **portal...

ArcGIS SOE web shell and SoftEther VPN Bridge persistence analysis

Technical Analysis
First: 14.10.2025 15:28 Last: 14.10.2025 15:28 Sources 1

How related: The researchers found that the threat actors established year-long access to the organization by modifying ArcGIS's Java server object extension (SOE), a component that lets users create service operations for maps and images, and turning it into a web shell.

About this happening: **ArcGIS** server extensions were turned into a stealthy web shell, enabling long-lived internal access and persistence beyond the portal. The intrusion matters because the operat...

UNC6148 SonicWall SMA exploitation campaign

Campaign
First: 24.09.2025 16:00 Last: 24.09.2025 16:00 Sources 1

About this happening: The **UNC6148** campaign against **SonicWall SMA** appliances is ongoing and is enabling persistent access on targeted devices. The operation uses **OVERSTEP**, a **persistent bac...

Timeline

  1. 14.10.2025 15:00 3 articles

    Flax Typhoon ArcGIS web-shell persistence campaign disclosed

    Technical Analysis Update

    ReliaQuest attributed the campaign against a legitimate public-facing ArcGIS application to Flax Typhoon. According to its analysis, the actors:

    - modified the ArcGIS server's Java server object extension (SOE) to behave as a web shell;
    - compromised an administrator account and invoked REST operations through the public portal;
    - sent a malicious GET request carrying a base64-encoded payload and a hardcoded key;
    - uploaded a renamed SoftEther VPN executable for long-term access;
    - persisted the malicious SOE in the victim's backups after remediation and patching;
    - targeted two workstations belonging to IT staff within the scanned subnet.
