Chinese Hackers Go Incognito: Turning ArcGIS into a Spy Gadget for Over a Year!

Chinese state hackers turned the ArcGIS mapping tool into a covert weapon, outsmarting security for over a year. By transforming a server object extension into a sneaky web shell, the attackers, likely the Flax Typhoon group, quietly wreaked havoc. Who knew geography could be so dangerous?

Hot Take:

Who knew that the ArcGIS tool, typically used for mapping out cities, could also map out a perfect entry for state-sponsored hackers? Next time someone says they’re going to “map out a plan,” we might need to ask for clarification on whether it involves espionage!

Key Points:

  • Chinese APT group allegedly used ArcGIS to hack into systems undetected for over a year.
  • Attackers used a malicious Java server object extension (SOE) to act as a web shell, accepting base64-encoded commands.
  • Persistent access was maintained by installing SoftEther VPN Bridge as a Windows service.
  • The VPN allowed lateral movement, data exfiltration, and credential dumping within the network.
  • ReliaQuest researchers identified the novel use of ArcGIS SOE for cyber espionage.
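The web-shell pattern in the key points (an SOE endpoint that accepts base64-encoded commands) can be triaged from ArcGIS Server access logs. The following is an added example, not from the article or from ReliaQuest: the log format, the SOE name `LayerHelper` and the `cmd` parameter are constructed, and the `/rest/services/.../MapServer/exts/<SOE>` path layout is assumed from ArcGIS Server's usual REST conventions.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the page or any real incident).
# Assumed format: "<client> <method> <path-with-query> <status>".
SAMPLE_LOG = """\
10.0.0.5 GET /arcgis/rest/services/City/Parcels/MapServer/export?bbox=1,2,3,4&f=json 200
10.0.0.9 GET /arcgis/rest/services/City/Parcels/MapServer/exts/LayerHelper/run?cmd=aXBjb25maWcgL2FsbA%3D%3D 200
10.0.0.9 GET /arcgis/rest/services/City/Parcels/MapServer/exts/LayerHelper/run?cmd=d2hvYW1pIC9hbGw%3D 200
10.0.0.7 GET /arcgis/rest/services/City/Parcels/MapServer/exts/LayerHelper/info?f=pjson 200
"""

# Assumed SOE URL layout: .../<service>/MapServer/exts/<SOEName>/<operation>
SOE_PATH = re.compile(r"/rest/services/.+/MapServer/exts/([^/?]+)", re.I)
# Base64 alphabet, at least 8 chars, optional padding; short values like "json" are skipped
B64 = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_if_base64(value):
    """Return decoded text if value is strict base64 for printable ASCII, else None."""
    if not B64.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text.isprintable() else None


def triage(log_text):
    """Return (client, soe_name, param, decoded) for SOE requests carrying base64 text."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, target = parts[0], parts[2]
        url = urlsplit(target)  # path-only targets parse fine; query is kept separate
        match = SOE_PATH.search(url.path)
        if not match:
            continue
        for param, values in parse_qs(url.query).items():  # parse_qs also percent-decodes
            for value in values:
                decoded = decode_if_base64(value)
                if decoded:
                    hits.append((client, match.group(1), param, decoded))
    return hits


if __name__ == "__main__":
    for client, soe, param, decoded in triage(SAMPLE_LOG):
        print(f"{client} -> SOE {soe} param {param!r} decodes to {decoded!r}")
```

Normal ArcGIS traffic to the same SOE (the `info?f=pjson` request) is not flagged, so the check targets the encoded-command behaviour rather than SOE use as such.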

The Nimble Nerd