Find notable cyber news and cases, enriched with sources, timelines, and signals.

Flax Typhoon ArcGIS web-shell persistence campaign

Campaign
First reported
Last updated
Happening score
H score 31
2 unique sources, 2 articles

Summary

Hide ▲

Flax Typhoon is conducting a campaign that abuses a legitimate public-facing ArcGIS application to create persistent backdoor access, raising the risk of lateral movement and credential harvesting. The operation matters because the adversaries turned trusted infrastructure into a covert entry point that can survive ordinary remediation. Their access path used a malicious SOE/web shell chain and a renamed SoftEther VPN tool to blend into internal traffic.

Related Happenings

OpenAI launches Daybreak cybersecurity initiative for AI-powered vulnerability detection and patch validation

Security Tool/Service
H score25 First: 12.05.2026 09:55 Last: 12.05.2026 09:55 Sources 1

About this happening: OpenAI's **Daybreak** launch adds an **AI-powered cybersecurity service** for **vulnerability detection** and **patch validation**, helping organizations fix flaws before attacker...

Storm-1175 high-velocity exploit campaign

Campaign
H score59 First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

UAT-8099 IIS SEO fraud campaign targeting vulnerable Asia-based IIS servers

Campaign
H score32 First: 30.01.2026 14:08 Last: 30.01.2026 14:08 Sources 1

About this happening: **UAT-8099** launched a **late 2025 to early 2026** campaign against **vulnerable IIS servers** across **Asia**, with the strongest concentration in **Thailand and Vietnam**. The...

ArcGIS system / public-facing ArcGIS server hit by data theft breach

Incident
H score28 First: 14.10.2025 19:55 Last: 14.10.2025 19:55 Sources 1

How related: Threat actors with ties to China have been attributed to a novel campaign that compromised an ArcGIS system and turned it into a backdoor for more than a year.

About this happening: **ArcGIS server** was **compromised** and turned into a **backdoor** for **more than a year**, exposing the environment to long-term unauthorized access. Attackers used a **portal...

ArcGIS SOE web shell and SoftEther VPN Bridge persistence analysis

Technical Analysis
H score33 First: 14.10.2025 15:28 Last: 14.10.2025 15:28 Sources 1

How related: The researchers found the threat actors established year-long access to the organization by modifying ArcGIS' Java server object extension (SOE), which allows users to create service operations for maps and images, and turning the component into a Web shell.

About this happening: **ArcGIS** server extensions were turned into a stealthy web shell, enabling long-lived internal access and persistence beyond the portal. The intrusion matters because the operat...

Timeline

  1. 14.10.2025 15:00 3 articles · 8mo ago

    Flax Typhoon ArcGIS web-shell persistence campaign disclosed

    Technical Analysis Update

    ReliaQuest attributed Flax Typhoon to a campaign against a legitimate public-facing ArcGIS application, saying the actors modified the ArcGIS server’s Java server object extension (SOE) to behave as a web shell, compromised an administrator account, invoked REST operations through the public portal, sent a malicious GET request with a base64-encoded payload and hardcoded key, uploaded a renamed SoftEther VPN executable for long-term access, persisted the malicious SOE in the victim’s backups after remediation and patching, and targeted two workstations within the scanned subnet belonging to IT staff.

    Show sources