Flax Typhoon can turn your own software against you | CyberScoop<\/title> <meta name=\"description\" content=\"Chinese state-backed hackers from the Flax Typhoon group exploited ArcGIS servers by weaponizing built-in extensions, evading detection, and persisting through system backups, revealing critical risks in trusted enterprise mapping software.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/flax-typhoon-hinese-state-hackers-arcgis-backdoor-webshell\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Flax Typhoon can turn your own software against you\"> <meta property=\"og:description\" content=\"Chinese state-backed hackers from the Flax Typhoon group exploited ArcGIS servers by weaponizing built-in extensions, evading detection, and persisting through system backups, revealing critical risks in trusted enterprise mapping software.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/flax-typhoon-hinese-state-hackers-arcgis-backdoor-webshell\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-10-14T12:00:00+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you-2.jpg\"> <meta property=\"og:image:width\" content=\"4500\"> <meta property=\"og:image:height\" content=\"3000\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1759256725g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1758741382g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86335\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86335\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fflax-typhoon-hinese-state-hackers-arcgis-backdoor-webshell%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fflax-typhoon-hinese-state-hackers-arcgis-backdoor-webshell%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86335 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/flax-typhoon-hinese-state-hackers-arcgis-backdoor-webshell\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.948051948052\">\n<div class=\"single-article__header-content\" readability=\"34.910588235294\">\n<p> The Chinese hacking group gained persistent access to a popular mapping tool by turning one of its features into a webshell and hardcoding access, according to ReliaQuest. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86335\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you-2.jpg 4500w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> The Chinese hacking group gained persistent access to a popular mapping tool by turning one of its features into a webshell and hardcoding access, according to ReliaQuest. (Image Via Getty) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"47.115561786501\"><body readability=\"94.817469204927\"><\/p>\n<p>By Derek B. Johnson<\/p>\n<p>For more than a year, hackers from a Chinese state-backed espionage group maintained backdoor access to a popular software mapping tool by turning one of its own features into a webshell, according to new research from ReliaQuest.<\/p>\n<p>In a <a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-inside-flax-typhoons-arcgis-compromise\">report<\/a> published Tuesday, researchers said that Flax Typhoon \u2014 a group that has been spying on entities in the U.S., Europe and Taiwan since at least 2021 \u2014 has had access for more than a year to a private ArcGIS server. To achieve and maintain that access, the group leveraged \u201can unusually clever attack chain\u201d that allowed them to both blend in with normal traffic and maintain access even if the victim tried to restore their system from backups.<\/p>\n<p>ArcGIS, made by Esri, is one of the most popular software programs for geospatial mapping and used widely by both private organizations and government agencies. Like many programs, however, it relies on backend servers and various other technical infrastructure to fully function.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>For example, many ArcGIS users will use what is known as a Server Object Extension (SOE), which allows you to create service operations to extend the base functionality of map or image services\u201d and implement custom code, <a href=\"https:\/\/enterprise.arcgis.com\/en\/server\/11.5\/develop\/windows\/about-extending-services.htm\">according<\/a> to ArcGIS documentation.<\/p>\n<p>The attackers found a public-facing ArcGIS server connected to another private backend server used by the program to perform computations. They compromised a portal administrator account for the backend server and deployed a malicious extension, instructing the public-facing server to create a hidden directory to serve as the group\u2019s \u201cprivate workspace.\u201d They also locked off access to others with a hardcoded key and maintained access long enough for the flaw to be included in the system\u2019s backup files.<\/p>\n<p>In doing so, the Chinese hackers effectively weaponized ArcGIS, turning it into a webshell to launch further attacks, and mostly did so using the software program\u2019s own internal processes and functionality.<\/p>\n<p>ReliaQuest researchers wrote that by structuring their requests to appear as routine system operations, they were able to evade detection tools, while the hardcoded key \u201cprevented other attackers, or even curious admins, from tampering with its access.\u201d<\/p>\n<p>Infecting the backups, meanwhile, gave Flax Typhoon an insurance plan if their presence ultimately was discovered.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cBy ensuring the compromised component was included in system backups, they turned the organization\u2019s own recovery plan into a guaranteed method of reinfection,\u201d ReliaQuest researchers claimed. \u201cThis tactic turns a safety net into a liability, meaning incident response teams must now treat backups not as failsafe, but as a potential vector for reinfection.\u201d<\/p>\n<p>This continues a consistent trend around Flax Typhoon\u2019s behavior observed by researchers: the group\u2019s propensity for quietly turning an organization\u2019s own tools against itself rather than using sophisticated malware or exploits.<\/p>\n<p>In 2023, Microsoft\u2019s threat intelligence team <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/08\/24\/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations\/\">detailed<\/a> what it described as Flax Typhoon\u2019s \u201cdistinctive\u201d pattern of cyber-enabled espionage. The group was observed achieving long-term access to \u201cdozens\u201d of organizations in Taiwan \u201cwith minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks.\u201d<\/p>\n<p>Earlier this year, the U.S. Treasury Department placed <a href=\"https:\/\/cyberscoop.com\/treasury-sanctions-chinese-company-flax-typhoon\/\">economic sanctions<\/a> on Integrity Technology Group, a Beijing company the agency says has provided technical support and infrastructure for Flax Typhoon cyberattacks, including operating a <a href=\"https:\/\/cyberscoop.com\/fbi-operation-china-botnet-flax-typhoon\/\">massive botnet<\/a> taken down by the FBI last year.<\/p>\n<p>That may be why ReliaQuest researchers emphasized that the true threat revealed by their research isn\u2019t about Esri or any specific vendor or their product. The real worry is that most enterprise software relies on the same kind of third-party applications and extensions that Flax Typhoon exploited to hijack an ArcGIS server. The same vulnerability exists wherever an external tool needs access that can be turned against the user when compromised.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWhen a vendor has to rewrite its own security guidelines, it proves the flawed belief that customers treat every public-facing tool as a high-risk asset,\u201d they wrote. \u201cThis attack is a wake-up call: Any entry point with backend access must be treated as a top-tier priority, no matter how routine or trusted.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.719165085389\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/flax-typhoon-can-turn-your-own-software-against-you-1.jpg?w=640&ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/flax-typhoon-hinese-state-hackers-arcgis-backdoor-webshell\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Flax Typhoon can turn your own software against you |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[436,271,78,117,256,3688,1813],"tags":[245,277,86,119,262,3690,1814],"class_list":["post-8072","post","type-post","status-publish","format-standard","hentry","category-apt","category-china","category-cybersecurity","category-government","category-research","category-software-security","category-supply-chain","tag-apt","tag-china","tag-cybersecurity","tag-government","tag-research","tag-software-security","tag-supply-chain"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/apt\/\" rel=\"category tag\">apt<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/software-security\/\" rel=\"category tag\">software security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/supply-chain\/\" rel=\"category tag\">supply chain<\/a>","tag_info":"supply chain","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8072"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8072\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8072,"date":"2025-10-14T07:00:00","date_gmt":"2025-10-14T12:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86335"},"modified":"2025-10-14T07:00:00","modified_gmt":"2025-10-14T12:00:00","slug":"flax-typhoon-can-turn-your-own-software-against-you","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/10\/14\/flax-typhoon-can-turn-your-own-software-against-you\/","title":{"rendered":"Flax Typhoon can turn your own software against you"},"content":{"rendered":"