Cybersecurity researchers at ReliaQuest have uncovered a year-long cyber espionage campaign attributed to Flax Typhoon—a Chinese state-sponsored hacking group also known as Ethereal Panda and RedJuliett.
The group allegedly compromised an ArcGIS system by modifying a Java Server Object Extension (SOE) to function as a hidden web shell, granting persistent remote access even through full system recoveries.
The attackers gained control by exploiting a portal administrator account and embedding a hardcoded access key to maintain exclusive control. Once inside, they deployed a renamed SoftEther VPN executable (“bridge.exe”) to create a covert, encrypted channel back to an attacker-controlled server. This allowed the hackers to blend in with normal traffic, extend the victim’s internal network to an external location, and move laterally across systems undetected.
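One defensive takeaway from the renamed "bridge.exe" is that a binary's on-disk name is cheap to change while its compiled-in version metadata usually is not. The following Python is an added example (not ReliaQuest's detection content and not SoftEther's or ArcGIS's code) that runs two checks over process-creation telemetry: does the file name differ from the `OriginalFileName` baked into the executable, and does the metadata point at a VPN/tunnelling product that a workstation would not normally launch. The event records, field names and metadata strings are constructed to resemble Sysmon-style logs and are assumptions for illustration.

```python
"""Flag renamed binaries and known tunnelling tools in process-creation logs.

Added example for this article; the events below are constructed, and the
field layout (image, original_file_name, company) is assumed rather than
taken from any specific product.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class ProcessEvent:
    image: str               # full path of the launched executable
    original_file_name: str  # OriginalFileName from PE version info ("" if absent)
    company: str             # CompanyName from PE version info
    parent_image: str        # process that launched it
    user: str                # account the process runs as


# Constructed watchlist: substrings from version metadata of tunnelling
# software that is legitimate in itself but unexpected on a workstation.
TUNNEL_TOOL_MARKERS = ("softether",)


def is_renamed(event):
    """True when the on-disk name differs from the compiled-in original name."""
    if not event.original_file_name:
        return False  # no metadata to compare against; not a finding on its own
    return ntpath.basename(event.image).lower() != event.original_file_name.lower()


def is_tunnel_tool(event):
    """True when company or original name matches a tunnelling-tool marker."""
    haystack = f"{event.company} {event.original_file_name}".lower()
    return any(marker in haystack for marker in TUNNEL_TOOL_MARKERS)


def classify(event):
    """Return finding tags for one event; an empty list means nothing notable."""
    findings = []
    if is_tunnel_tool(event):
        findings.append("tunnel-tool")
    if is_renamed(event):
        findings.append("renamed-binary")
    # Both conditions together match the pattern described in the article.
    if "tunnel-tool" in findings and "renamed-binary" in findings:
        findings.append("HIGH: renamed tunnelling tool")
    return findings


def scan(events):
    """Return (image, tags) pairs for every event that produced a finding."""
    results = []
    for event in events:
        tags = classify(event)
        if tags:
            results.append((event.image, tags))
    return results


# Constructed sample telemetry; metadata values are illustrative assumptions.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\ProgramData\bridge.exe", "vpnbridge.exe",
                 "SoftEther VPN Project", r"C:\Windows\System32\cmd.exe", "CORP\\itadmin"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                 "Microsoft Corporation", r"C:\Windows\explorer.exe", "CORP\\alice"),
    ProcessEvent(r"C:\Users\Public\svchost.exe", "putty.exe",
                 "Example Vendor", r"C:\Windows\System32\cmd.exe", "CORP\\alice"),
    ProcessEvent(r"C:\Tools\custom.exe", "",
                 "", r"C:\Windows\explorer.exe", "CORP\\bob"),
]

if __name__ == "__main__":
    for image, tags in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(tags)}")
```

The name mismatch alone is only a weak signal (installers and updaters rename files legitimately), which is why the example escalates only when it coincides with tunnelling-tool metadata; in practice the next pivot would be correlating the flagged process with its outbound connections, since the article notes the tool's purpose was an encrypted channel out of the network.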
ReliaQuest’s findings underscore the growing trend of adversaries weaponizing legitimate software tools to evade detection and maintain long-term access. By targeting IT workstations and administrative credentials, Flax Typhoon demonstrated both technical sophistication and stealth. The case serves as a warning that trusted system functions can be turned into powerful attack vectors, challenging traditional security monitoring methods.