Hunting off the Red Banner

Flax Typhoon: ArcGIS SOE Web Shell and Long-Term Persistence


Unlike fast, noisy ransomware that quickly reveals its presence, this campaign established a quiet foothold by converting trusted ArcGIS software components into a persistent web shell. The adversary gained portal administrator access, repurposed a Java Server Object Extension (SOE) into a gated web shell, and embedded that component into backups to survive remediation.


Think of it like a classic heist movie where the thieves don't break in through the front door but rather they convince security they belong there by wearing the right uniform. Flax Typhoon wore the uniform of legitimate ArcGIS processes, making their malicious activity appear as routine geographic data operations. They even embedded their backdoor in system backups, ensuring that the organization's own disaster recovery plan would restore their access after any remediation effort.


Organizations relying on ArcGIS face significant exposure, particularly those in critical infrastructure sectors such as utilities, emergency management, urban planning, and disaster recovery. ArcGIS servers frequently hold privileged network access into interconnected enterprise and operational technology environments, which makes them ideal pivot points for lateral movement. When compromised, they expose sensitive infrastructure mapping data, network architecture details, and authenticated pathways to connected systems. The financial consequences include incident response costs for an intrusion that, in this case, spanned more than twelve months of persistent access, regulatory penalties for infrastructure data exposure, operational disruption to critical planning functions, and potential legal liability if the compromised data enables subsequent attacks on physical infrastructure.


If left unaddressed, the adversary’s presence will continue to enable stealthy access, reinfection via backups, and targeted lateral activity that can persist across standard incident response cycles. Recovery efforts that do not address embedded compromised software components risk repeated reinfection.


Organizations should treat public-facing, backend-capable applications as high-risk assets, prioritize hunting for abnormal behavior in trusted components, validate backups before restore, and instrument both application-layer and host telemetry to detect web-shell usage and renamed binaries. Where internal capabilities are immature, engaging experienced hunting resources is a proportional and practical next step.


Hunting Controls & Observations

Defensive teams should pivot from IOC-chasing to behavior-based observability across application, endpoint, identity, and network telemetry. The following telemetry areas are essential to detect the class of activity described:


  • Endpoint (EDR/AV): Monitor process creation for renamed or unexpected binaries in trusted paths (for example, processes executing from C:\Windows\System32\bridge.exe) and capture parent-child process relationships and command-line arguments. Sysmon/EDR visibility of process hashes, image paths, and service installers is critical.
  • Identity/IAM: Detect anomalous administrative portal logins (especially portal administrator accounts), unusual session times, and creation of new high-privilege service accounts. Correlate with privileged access management logs and MFA failures or bypass events.
  • Email Security & Proxy Logs: While not the primary vector in this incident, proxy and web gateway logs can show suspicious outbound TLS connections and hostname patterns tied to C2 infrastructure (for example, repeated softether[.]net subdomains). Note that softether[.]net is SoftEther's own dynamic DNS service, so these hostnames resolve to attacker-controlled servers while looking like a legitimate vendor domain; reputation-based blocking alone will not catch them.
  • Firewall / NetFlow: Track new or persistent outbound connections to unusual remote IPs or to non-standard domains over port 443 where the process initiating the flow is unexpected for that asset class.
  • Cloud Audit Logs: Monitor vendor-managed platform changes, unusual configuration updates, and any activity that modifies backup/export pipelines which could lead to embedded malicious objects being preserved.
  • Windows Event Logs: Instrument service-install events (System log Event ID 7045 from the Service Control Manager, plus Security log Event ID 4697 where "Audit Security System Extension" is enabled), process creation events (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled), and authentication events (4624/4625/4672) to correlate privilege use with persistence mechanisms.
  • Application Logs: Capture ArcGIS portal request logs and any application-layer parameters (for example, GET/POST requests referencing JavaSimpleRESTSOE operations and a “layer” parameter containing base64 payloads).

Behavioral indicators of the attack included the following observations:

  • HTTP GET requests to ArcGIS portal endpoints containing a “layer” parameter with base64-encoded payloads and a static/hardcoded access key parameter used to gate web-shell execution.
  • Java process (or ArcGIS-hosted JVM) executing encoded commands that decode to system commands (for example, executing cmd.exe /c mkdir C:\Windows\System32\Bridge).
  • Creation of a hidden directory (C:\Windows\System32\Bridge) and staged files placed inside trusted system locations.
  • Renamed SoftEther VPN executable placed in System32 and installed as a Windows service (e.g., "SysBridge"); the actor started the service repeatedly until it was configured for automatic start, so that it survived reboots.
  • Outbound HTTPS connections from the renamed binary to attacker-controlled SoftEther VPN servers (example remote IP 172.86.113[.]142), and recurring hostnames of the form [prefix]01 through [prefix]05 under softether[.]net, SoftEther's dynamic DNS service, indicating a rotating registration strategy.
  • Discovery and scanning activity across SSH, SMB, RPC, and other internal services following initial access, indicating network mapping and lateral-movement preparation.

MITRE Enterprise ATT&CK Tactics and Techniques

The attacker behavior aligns with several MITRE ATT&CK tactics. The mappings below are best-effort with confidence notes where appropriate.


  • Initial Access (T1078 – Valid Accounts): A compromised portal administrator account was used to deploy the malicious SOE.
  • Initial Access (T1190 – Exploit Public-Facing Application): The adversary targeted the public-facing ArcGIS portal server, which maintained trusted communication channels to internal ArcGIS infrastructure.
  • Execution (T1059 – Command and Scripting Interpreter; T1059.003 Windows Command Shell, T1059.001 PowerShell): Base64-encoded payloads were decoded and executed via cmd.exe and PowerShell launched from the web shell.
  • Persistence (T1543.003 – Create or Modify System Process: Windows Service): The SoftEther binary was renamed and installed as a service to persist across reboots.
  • Persistence (T1505.003 – Server Software Component: Web Shell): A legitimate ArcGIS SOE was repurposed into a gated web shell.
  • Defense Evasion (T1036.005 – Masquerading: Match Legitimate Name or Location): The threat actor renamed the VPN executable to bridge.exe and placed it in the Windows System32 directory.
  • Defense Evasion (T1564.001 – Hide Artifacts: Hidden Files and Directories): The adversary created a concealed directory within a system path and used naming designed to look like a system component.
  • Discovery (T1046 – Network Service Discovery): Internal scanning across SMB, SSH, and RPC was observed after the foothold was gained.
  • Command and Control (T1071.001 – Application Layer Protocol: Web Protocols): VPN/tunnel-style C2 was established using SoftEther over HTTPS.
  • Credential Access (T1003 – OS Credential Dumping): Activity consistent with credential harvesting from the environment to expand access (confidence: medium; inferred from the pass.txt.lnk artifact rather than an observed dumping tool).

Controls & Hunting Indicators

Below are practical places to observe the techniques used and control recommendations defenders should prioritize when hunting for similar compromises.


Endpoint Controls

  • Ensure EDR/endpoint telemetry collects full command-line and parent process context. Query for processes originating from System32 with non-standard names (for example, '*bridge.exe*') and validate digital signatures and file hashes. Enable Sysmon and forward Event ID 1 (process create) and Event ID 11 (file created) to central logging.
  • Monitor for service install events (Windows Event ID 7045) and alert on service image paths located in atypical directories or pointing to renamed third-party executables.

Network Controls

  • Collect DeviceNetworkEvents/NetFlow and inspect persistent outbound HTTPS connections initiated by server-class hosts. Flag long-lived or recurrent connections to low-reputation IPs or domains, particularly those with rotating subdomain patterns (e.g., *softether[.]net).
  • Use IDS/IPS and SSL/TLS inspection where policy permits to detect SoftEther handshake patterns or tunneling behavior.

Identity & Access Controls

  • Alert on unusual portal-admin logins, new administrative credentials, or changes to administrative groups. Correlate with Event IDs 4624 (successful logon), 4625 (failed logon), and 4672 (special privileges assigned).
  • Enforce MFA for administrative portal access and restrict administrative operations to specific jump hosts or bastion servers with strict monitoring.

Cloud & SaaS

  • Review ArcGIS-specific audit logs and vendor-supplied telemetry for modifications to SOE or plugin configuration. Treat vendor security advisories and hardening-guide updates as signals that the threat model has changed, and revise internal hardening guides accordingly.
  • Validate backup contents and build scanning into restore pipelines to detect embedded malicious components before a full restore is performed.

Application & Service Logs

  • Capture web server access logs (IIS/nginx/ArcGIS portal logs) and parse query parameters for base64 strings in parameters like "layer" or operations referencing "JavaSimpleRESTSOE". Monitor for static keys or tokens appended to requests.
  • Instrument application-level logging to record abnormal operations and include integrity checks for server-side extensions and plugins.

Known Indicators of Compromise

The following IOCs have been identified from the intelligence to be used for threat hunting:

  • File Hashes:
    4f9d9a6cba88832fcb7cfb845472b63ff15cb9b417f4f02cb8086552c19ceffc (bridge.exe - renamed SoftEther VPN)
    8282c5a177790422769b58b60704957286edb63a53a49a8f95cfa1accf53c861 (vpn_bridge.config)
    84959fe39d655a9426b58b4d8c5ec1e038af932461ca85916d7adeed299de1b3 (hamcore.se2 - SoftEther installation file)
    cec625f70d2816c85b1c6b3b449e4a84a5da432b75a99e9efa9acd6b9870b336 (simplerestsoe.soe - malicious SOE)
  • IP Addresses:
    172.86[.]117[.]230 (C2 infrastructure hosting SoftEther VPN Server)
  • Domains:
    Patterns observed include incrementally numbered hostnames registered through SoftEther's dynamic DNS service, following the format [victim-identifier]01.softether[.]net through [victim-identifier]05.softether[.]net
  • File Paths:
    C:\Windows\System32\Bridge\ (attacker-created staging directory)
    C:\Windows\System32\bridge.exe (renamed VPN executable)
    C:\Windows\System32\vpn_bridge.config (VPN configuration file)
    C:\Windows\System32\hamcore.se2 (VPN installation component)
  • Service Names:
    SysBridge (malicious Windows service configured for automatic startup)
  • Registry Keys:
    HKLM\System\CurrentControlSet\Services\SysBridge (persistence service registration)
  • Suspicious File Artifacts:
    pass.txt.lnk (credential harvesting wordlist shortcut file)
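The script below is an added example for this summary, not code from the ReliaQuest report, Esri, or ArcGIS. It puts the IOC hashes above to work on the backup-validation recommendation in the Cloud & SaaS section: it walks a ZIP backup, hashes every member, and reports anything that matches a known-bad hash, anything staged under a System32\Bridge path, and any server extension or binary whose hash is not on an allowlist built from a clean deployment. The archive is constructed in memory; its member paths and the allowlist are assumptions about a backup layout, and the real malicious file contents are not on this page, so the known-bad branch is exercised only with a caller-supplied hash.

```python
"""Audit an ArcGIS backup archive for known-bad or unapproved server components (added example)."""
import hashlib
import io
import zipfile

# SHA-256 values from the Known Indicators of Compromise section of this page.
KNOWN_BAD = {
    "4f9d9a6cba88832fcb7cfb845472b63ff15cb9b417f4f02cb8086552c19ceffc": "bridge.exe (renamed SoftEther VPN)",
    "8282c5a177790422769b58b60704957286edb63a53a49a8f95cfa1accf53c861": "vpn_bridge.config",
    "84959fe39d655a9426b58b4d8c5ec1e038af932461ca85916d7adeed299de1b3": "hamcore.se2",
    "cec625f70d2816c85b1c6b3b449e4a84a5da432b75a99e9efa9acd6b9870b336": "simplerestsoe.soe (malicious SOE)",
}
# Component types that must be on the allowlist before a restore proceeds.
REVIEWED_EXTENSIONS = (".soe", ".exe", ".dll", ".jar")
# Staging directory from the IOC list, matched on either path separator.
SUSPICIOUS_PATHS = ("system32/bridge", "system32\\bridge")


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_backup(archive: bytes, allowlist: dict[str, str],
                 known_bad: dict[str, str] = KNOWN_BAD) -> list[dict]:
    """Return one finding per member that is known-bad, staged in System32\\Bridge, or unapproved.

    allowlist maps SHA-256 -> description for components vetted from a clean build.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = sha256_of(zf.read(info))
            name = info.filename
            lower = name.lower()
            if digest in known_bad:
                findings.append({"path": name, "sha256": digest, "verdict": "known-bad",
                                 "note": known_bad[digest]})
            elif any(p in lower for p in SUSPICIOUS_PATHS):
                findings.append({"path": name, "sha256": digest, "verdict": "staging-path",
                                 "note": "file under System32\\Bridge"})
            elif lower.endswith(REVIEWED_EXTENSIONS) and digest not in allowlist:
                findings.append({"path": name, "sha256": digest, "verdict": "unapproved",
                                 "note": "component hash not in allowlist"})
    return findings


# Constructed sample backup: one approved SOE, one unknown SOE, one staged binary.
APPROVED_SOE = b"approved soe bytes from a clean build"
ALLOWLIST = {sha256_of(APPROVED_SOE): "SampleSOE.soe (vetted from clean deployment)"}


def _build_sample_backup() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("arcgis/server/usr/config/site.json", '{"site": "prod"}')
        zf.writestr("arcgis/server/usr/extensions/SampleSOE.soe", APPROVED_SOE)
        zf.writestr("arcgis/server/usr/extensions/simplerestsoe.soe", b"unknown soe bytes")
        zf.writestr("host/Windows/System32/Bridge/bridge.exe", b"MZ constructed stand-in")
    return buf.getvalue()


SAMPLE_BACKUP = _build_sample_backup()

if __name__ == "__main__":
    for f in audit_backup(SAMPLE_BACKUP, ALLOWLIST):
        print(f"{f['verdict']:13} {f['path']}  {f['sha256'][:16]}...  {f['note']}")
```

The "unapproved" verdict is the important one for this campaign: the attacker's SOE was a repurposed legitimate component, so a restore gate that only checks known-bad hashes would pass a recompiled or minimally modified variant, while an allowlist built from a clean build fails anything that was not deliberately deployed.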

Threat Hunting Queries

The following queries translate the behavioral indicators into actionable hunts. Each query includes expected results and tuning guidance. KQL examples reference common Microsoft Sentinel tables; validate table availability in your workspace and adjust table names accordingly.


Query 1: ArcGIS SOE web-shell request with base64 payload

  • Behavior Targeted: HTTP requests to ArcGIS portal endpoints containing base64-encoded payloads and a static key parameter that gates web-shell execution.
  • MITRE ATT&CK: T1505 (Server Software Component), T1059 (Command and Scripting Interpreter)
  • Expected Results: Web requests to ArcGIS endpoints with query parameters containing long base64 strings or the string "getLayerCountByType" and an unusual static key. Investigate user-agent, source IP, and associated account activity.
  • False Positive Likelihood: Medium – some legitimate API usage may include encoded data; tune by whitelisting known application integration sources and normal parameter lengths.

Splunk (SPL)

``` Search web access logs for ArcGIS requests whose 'layer' parameter carries a long or base64-looking value ```
``` Tune: restrict to public-facing ArcGIS hosts and time window (last 30 days) ```
index=web host="arcgis-portal-*" cs_uri_stem="/arcgis/*" cs_uri_query="*layer=*"
| rex field=cs_uri_query "layer=(?<layer_param>[^&]+)"
| where len(layer_param) > 100 OR match(layer_param, "^[A-Za-z0-9+/%]{80,}(=|%3D){0,2}$")
| table _time, clientip, cs_method, cs_uri_stem, cs_uri_query, user, user_agent

Microsoft Defender / Sentinel (KQL)

// ArcGIS Web Adaptor on IIS: W3CIISLog carries cs-uri-stem / cs-uri-query as separate columns.
// For other proxies, use CommonSecurityLog and extract the query string from RequestURL instead.
// Tuning: scope to known ArcGIS hostnames and exclude legitimate integration sources.
W3CIISLog
| where csUriStem startswith "/arcgis/"
| where csUriQuery contains "layer="
| extend layer_param = extract(@"layer=([^&]+)", 1, csUriQuery)
| where strlen(layer_param) > 100 or layer_param matches regex @"^[A-Za-z0-9+/%]{80,}(=|%3D){0,2}$"
| project TimeGenerated, Computer, cIP, csMethod, csUriStem, csUriQuery, csUserName, csUserAgent

Query 2: Service installation pointing to renamed SoftEther binary

  • Behavior Targeted: New Windows service installs whose image path points to unexpected binaries in System32 (for example, bridge.exe).
  • MITRE ATT&CK: T1543 (Create or Modify System Process)
  • Expected Results: Service install events with ImagePath containing suspicious filenames or unsigned binaries; investigate associated process creation and file write events.
  • False Positive Likelihood: Low–Medium. Some legitimate installers create services; tune by whitelisting known installers and validated vendor signatures.

Splunk (SPL)

``` Service Control Manager writes Event ID 7045 to the System log, not the Security log ```
index=wineventlog sourcetype="WinEventLog:System" EventCode=7045
| rex field=Message "Service Name:\s+(?<service_name>[^\r\n]+)"
| rex field=Message "Service File Name:\s+(?<image_path>[^\r\n]+)"
| where like(lower(image_path), "%\\system32\\%bridge.exe%") OR like(lower(image_path), "%softether%") OR lower(service_name)="sysbridge"
| table _time, host, user, service_name, image_path, Message

Microsoft Defender / Sentinel (KQL)

// Data Tables: Event (System log; Source "Service Control Manager", EventID 7045).
// 7045 does not land in SecurityEvent. Where "Audit Security System Extension" is enabled,
// SecurityEvent EventID 4697 carries the same data in its ServiceName / ServiceFileName columns.
Event
| where Source == "Service Control Manager" and EventID == 7045
| extend service_name = extract(@"Service Name:\s*([^\r\n]+)", 1, RenderedDescription)
| extend image_path = extract(@"Service File Name:\s*([^\r\n]+)", 1, RenderedDescription)
| where image_path contains "System32" and (image_path contains "bridge.exe" or image_path contains "softether" or service_name =~ "SysBridge")
| project TimeGenerated, Computer, service_name, image_path, RenderedDescription

Query 3: Outbound HTTPS flows from renamed VPN binary (bridge.exe)

  • Behavior Targeted: Process-initiated outbound TLS/HTTPS connections from server hosts where the initiating process is a renamed VPN binary or unexpected for that host role.
  • MITRE ATT&CK: T1071 (Application Layer Protocol)
  • Expected Results: Identify long-lived or recurrent outbound connections to low-reputation IPs/domains on port 443 where InitiatingProcessFileName contains "bridge.exe" or similar.
  • False Positive Likelihood: Medium. Some servers legitimately make outbound HTTPS calls; tune by excluding known update servers and enumerating baseline domains.

Splunk (SPL)

``` Flow or EDR network logs that record the initiating process; field names vary by source ```
index=network dest_port=443 (process_name="*bridge.exe" OR process_path="*bridge.exe" OR process_name="*softether*")
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, dest_ip, dest_port, process_name, process_path
| where count > 5
| convert ctime(first_seen) ctime(last_seen)

Microsoft Defender / Sentinel (KQL)

// Data Tables: DeviceNetworkEvents
// Note: every column used after summarize must appear in its "by" clause.
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "bridge.exe" or InitiatingProcessFileName contains "softether" or InitiatingProcessFolderPath contains @"System32\Bridge"
| where RemotePort == 443
| summarize cnt = count(), firstSeen = min(TimeGenerated), lastSeen = max(TimeGenerated) by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, RemoteIP, RemoteUrl
| where cnt > 3
| project firstSeen, lastSeen, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, RemoteIP, RemoteUrl, cnt

Query 4: Java process executing base64-decoded OS commands

  • Behavior Targeted: JVM/Java process (ArcGIS) spawning cmd.exe or PowerShell with decoded payloads or known command patterns like creating C:\Windows\System32\Bridge.
  • MITRE ATT&CK: T1059 (Command and Scripting Interpreter)
  • Expected Results: ArcGIS-hosted Java process with command-line showing decoded commands or parent-child relationships indicating web-shell-driven execution.
  • False Positive Likelihood: Medium — some admin scripts may call system commands. Tune by restricting to production portal hosts and known integration accounts.

Splunk (SPL)

``` Sysmon Event ID 1 (or EDR process events): parent is the ArcGIS-hosted JVM, child is a shell ```
``` Index and sourcetype are environment-specific; point them at wherever process creation lands ```
index=edr EventCode=1 (ParentImage="*\\java.exe" OR ParentImage="*\\javaw.exe") (Image="*\\cmd.exe" OR Image="*\\powershell.exe")
| search CommandLine="*mkdir*Bridge*" OR CommandLine="*getLayerCountByType*" OR CommandLine="*-enc*" OR CommandLine="*FromBase64String*"
| table _time, host, ParentImage, Image, CommandLine, User

Microsoft Defender / Sentinel (KQL)

// Data Tables: DeviceProcessEvents
// Parentheses matter: "and" binds tighter than "or" in KQL, so group the mkdir/path test explicitly.
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| where (ProcessCommandLine has "mkdir" and ProcessCommandLine contains @"System32\Bridge")
    or ProcessCommandLine contains "getLayerCountByType"
    or ProcessCommandLine has_any ("-enc", "-EncodedCommand", "FromBase64String")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessAccountName

Tuning suggestions: run these queries on a rolling 30–90 day window initially, then expand the window if historical data is available. Maintain allowlists for known legitimate integrations and include thresholds to reduce noise. For large environments, restrict queries to portal/management hosts first to reduce load.


Source and Credits

This summary is based on ReliaQuest Threat Research's article "SOE-phisticated Persistence: Inside Flax Typhoon's ArcGIS Compromise" published on October 14, 2025. The original report was authored by Alexa Feminella and James Xiang and includes detailed technical analysis and figures that informed the behavioral mappings and hunting queries provided here.