Security researchers have uncovered how a state-linked espionage group quietly turned a trusted ArcGIS plugin into a remote shell, maintaining access for over a year and even infecting system backups.