SOE-phisticated Persistence: Inside Flax Typhoon's ArcGIS Compromise
ID: 7397b640-4fc5-5541-afa8-c630c54e7399
STIX ID: report--7397b640-4fc5-5541-afa8-c630c54e7399
Feed Name: ReliaQuest Blog
This report describes a sophisticated, year-long intrusion by a China-linked APT (Flax Typhoon) that converted a trusted ArcGIS Java server object extension into a gated web shell, used a renamed SoftEther VPN executable for persistent VPN-based C2, harvested credentials, and performed lateral movement across internal networks. It emphasizes the need to treat public-facing applications as high-risk assets and to shift from IOC-based detection to behavioral analytics, and it provides remediation guidance and detections alongside MITRE ATT&CK mappings and IOCs.
