Archive: https://archive.today/fg5AV
From the post:
>A Chinese state-backed cybergang known as Flax Typhoon spent more than a year burrowing inside an ArcGIS server, quietly turning the trusted mapping software into a covert backdoor.
>
>Researchers at ReliaQuest say that the espionage outfit, which Microsoft tracks as a China-based state-sponsored actor, modified a legitimate ArcGIS server object extension (SOE) to act as a web shell, giving them long-term, near-invisible access. By exploiting ArcGIS’ extensibility features while avoiding traditional, signature-based malware, Flax Typhoon embedded itself so deeply that even restoring systems from backups simply reinstalled the implant.
>
>ArcGIS is widely used in geospatial analytics, infrastructure planning, environmental monitoring, and more, so compromising it carries a serious risk. What makes this attack elegant, for the attackers at least, is that it used legitimate internal features of the software to hide in plain sight. The SOE component was modified to accept base64-encoded commands passed through REST API parameters, and the attackers secured their access with a hardcoded secret key, ensuring that only they could communicate with it.
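A defender-side check for the pattern the article describes (base64-encoded text arriving as REST parameters of an SOE endpoint), written as an added example; it is not code from the article or from ReliaQuest. It assumes Common Log Format web-server logs, that SOE REST resources sit under `/exts/<name>/` on the service URL, and constructed sample lines whose SOE name, parameter names and key value are placeholders rather than indicators from the report.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample access-log lines (Common Log Format). The SOE name, parameter
# names and the key value are placeholders, not indicators taken from the article.
def _b64(text):
    return quote(base64.b64encode(text.encode()).decode(), safe="")

SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [10/Oct/2025:12:00:01 +0000] "GET /arcgis/rest/services/Maps/Base/MapServer'
    '/exts/ExampleSOE/run?key=PLACEHOLDER_KEY&cmd=' + _b64("echo constructed-sample-one") + ' HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Oct/2025:12:00:02 +0000] "GET /arcgis/rest/services/Maps/Base/MapServer'
    '/export?bbox=-118,33,-117,34&f=json HTTP/1.1" 200 9011',
    '10.0.0.5 - - [10/Oct/2025:12:00:03 +0000] "POST /arcgis/rest/services/Maps/Base/MapServer'
    '/exts/ExampleSOE/run?key=PLACEHOLDER_KEY&cmd=' + _b64("echo constructed-sample-two") + ' HTTP/1.1" 200 64',
])

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')
SOE_RE = re.compile(r"/rest/services/.+/exts/(?P<soe>[^/?]+)")  # assumed SOE URL layout
MIN_LEN = 16  # short values such as f=json are never worth flagging

def decoded_text(value):
    """Return the decoded string if value is strict base64 yielding printable ASCII, else None."""
    if len(value) < MIN_LEN or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def find_soe_base64_params(log_text):
    """Flag requests to SOE endpoints whose query parameters carry base64-encoded text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        soe = SOE_RE.search(m["target"])
        if not soe:
            continue  # ordinary MapServer/FeatureServer traffic, not an extension call
        for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            text = decoded_text(value)
            if text is not None:
                findings.append({"src": m["src"], "ts": m["ts"], "soe": soe["soe"],
                                 "param": name, "decoded": text})
    return findings

if __name__ == "__main__":
    for finding in find_soe_base64_params(SAMPLE_LOG):
        print(finding)
```

Legitimate long parameters (ArcGIS tokens, geometry JSON) need an allow-list on top of the printable-text test; the hardcoded-key behaviour shows up as the same constant parameter repeating across every flagged request, which is worth grouping on.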