Flax Typhoon exploits vulnerabilities in ArcGIS, highlighting urgent cybersecurity needs.
The Chinese state-sponsored hacking group Flax Typhoon exploited vulnerabilities in the widely used ArcGIS geospatial mapping software to maintain covert access to a victim network for more than a year. After compromising a public-facing ArcGIS server, the group deployed a malicious server object extension (SOE), turning a legitimate extensibility feature of the product into a persistent backdoor. Because the extension was captured in the server's own backups, restoring from backup reinstalled it, so the implant survived system recoveries. Through it, the attackers executed commands on the server, set up covert VPN channels back to their infrastructure, and moved laterally within the network.

In India, ArcGIS is critical across sectors including defense, urban planning, infrastructure management, and disaster response, which makes a compromised ArcGIS deployment a high-value target for espionage. Key Indian users include defense agencies, municipal bodies, utilities, and infrastructure operators, all of them vital to national security and economic stability.

The incident shows the sophistication and persistence of Chinese cyber espionage tactics threatening India's critical infrastructure. It underscores the urgent need for stronger defenses and proactive threat hunting in India's key sectors, particularly as China-backed groups have pursued aggressive targeting strategies since 2021. The report surfaced in mid-October 2025, sending a stark warning to cybersecurity stakeholders across India.
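The mechanism described above, a rogue or trojanized SOE that is reinstated every time the server is restored from backup, points to a concrete hunting check: inventory the extensions the server reports, and audit the jars inside backup archives before restoring from them. The following Python script is an added example written for this page, not tooling from the report or from Esri. It assumes the JSON shape of the ArcGIS Server admin endpoint `/arcgis/admin/services/types/extensions` (the `extensions` / `extensionFilename` fields are assumed), treats a backup as a zip archive containing uploaded `.jar` files, and uses constructed sample data so it runs offline. Because the attacker modified a legitimate extension rather than dropping an obviously foreign one, it compares SHA-256 digests against a baseline rather than trusting file names alone.

```python
import hashlib
import io
import json
import os
import zipfile

# Baseline of approved SOE jars and their known-good SHA-256 digests.
# Constructed for this example; a real baseline comes from a clean build
# or the vendor's release artifacts, not from the live (possibly compromised) server.
LEGIT_JAR = b"legit-jar-bytes"
BASELINE = {"ServerFeatureExtension.jar": hashlib.sha256(LEGIT_JAR).hexdigest()}

# Constructed sample of what GET /arcgis/admin/services/types/extensions?f=json
# might return; the "extensions" / "extensionFilename" field names are assumed.
SAMPLE_LISTING = json.dumps({"extensions": [
    {"extensionFilename": "ServerFeatureExtension.jar"},
    {"extensionFilename": "ReportingSOE.jar"},
]})


def build_sample_backup() -> bytes:
    """Constructed stand-in for an ArcGIS Server backup archive (a zip file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("config-store/sites.json", "{}")
        # A trojanized copy of a legitimate extension keeps its original name,
        # so a name-only allowlist would miss it.
        z.writestr("uploads/ServerFeatureExtension.jar", LEGIT_JAR + b"+webshell")
        # An extension nobody approved.
        z.writestr("uploads/ReportingSOE.jar", b"unknown-jar-bytes")
    return buf.getvalue()


def unknown_deployed(listing_json: str, baseline: dict) -> list:
    """Extensions the server reports that are not in the approved baseline."""
    entries = json.loads(listing_json).get("extensions", [])
    names = [e["extensionFilename"] for e in entries]
    return sorted(n for n in names if n not in baseline)


def audit_backup(backup_bytes: bytes, baseline: dict) -> list:
    """Flag jars in a backup that are unapproved or differ from their known-good hash."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(backup_bytes)) as z:
        for member in z.namelist():
            if not member.lower().endswith(".jar"):
                continue
            name = os.path.basename(member)
            digest = hashlib.sha256(z.read(member)).hexdigest()
            if name not in baseline:
                findings.append((name, "not in baseline"))
            elif digest != baseline[name]:
                findings.append((name, "hash mismatch"))
    return sorted(findings)


def audit(listing_json: str, backup_bytes: bytes, baseline: dict) -> dict:
    """Combine the live-server and backup checks into one report."""
    return {
        "unknown_deployed": unknown_deployed(listing_json, baseline),
        "backup_findings": audit_backup(backup_bytes, baseline),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LISTING, build_sample_backup(), BASELINE)
    print(json.dumps(report, indent=2))
```

Run against a real deployment, the listing would come from an authenticated call to the admin endpoint and the archive from the backup store; any finding in `backup_findings` means that restoring that backup would reinstall the suspect extension, so the archive should be rebuilt from clean artifacts rather than used for recovery.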