HARDPULSE
HARDPULSE is a webshell used in compromises of Pulse Secure (Pulse Connect Secure) VPN appliances. It is identified as compcheckjava.cgi, with reported SHA256 1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc. Mandiant/FireEye attributed HARDPULSE to UNC2717, which targeted global government agencies between October 2020 and March 2021; reporting also notes UNC2717 activity at a European organization in March 2021. The broader intrusion set targeted government, defense, and financial organizations and exploited Pulse Secure vulnerabilities including CVE-2021-22893 (the zero-day authentication bypass) alongside older flaws: CVE-2019-11510, CVE-2020-8243, and CVE-2020-8260.
HARDPULSE supports arbitrary file read and write and, in variants that carry an Execute command, runs arbitrary commands via DSSafe::psystem. It responds to HTTP GET and PUT requests, and every filename, payload, and result it handles is base64-encoded and RC4-encrypted. ReadFile takes the target filename in the img parameter and returns the file contents with Content-Type application/x-download and a Content-Disposition attachment filename of tmp. WriteFile takes the filename in the cert parameter and the file data in the md5 parameter and writes that data to disk. Execute takes the command in the name parameter, refuses the cd command by returning Error 404, redirects the command's output to /tmp/1 with ">/tmp/1 2>&1", and returns that output in a response masquerading as Content-Type image/gif.
Request and response data are base64-encoded and RC4-encrypted. The first six characters of a transmitted value are a random per-request nonce; the nonce is combined with a static RC4 phrase embedded in the webshell to form the RC4 key, so the static phrase never crosses the wire and captured traffic cannot be decoded without the phrase recovered from the sample itself. HARDPULSE also contains an embedded recovery URL of the form https://ive-host/dana-na/auth/recover.cgi?token=<varies>. Additional reporting states that attacker interaction used parameters including checkcode, hashid, m, and filename.
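The nonce-plus-static-phrase scheme above is worth seeing end to end, because it determines what an analyst can and cannot recover from a packet capture. The following is an added example written for this page, not code from the webshell or from Mandiant/CISA reporting. It assumes the wire layout is the 6-character nonce immediately followed by base64(RC4(nonce + phrase, data)), that the key is the plain concatenation nonce + phrase in that order, and it uses a placeholder STATIC_PHRASE; the real phrase must be pulled from the compcheckjava.cgi sample. build_readfile_request and parse_readfile_request are illustrative helpers named here, not functions in the webshell.

```python
import base64
import secrets
import string

# Static RC4 phrase embedded in the webshell. The real value comes from the
# sample; this string is a placeholder assumption for the example.
STATIC_PHRASE = "static-phrase-from-sample"
NONCE_LEN = 6
NONCE_ALPHABET = string.ascii_letters + string.digits


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(nonce: str, phrase: str = STATIC_PHRASE) -> bytes:
    """Key = per-request nonce + static phrase (concatenation order is an assumption)."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly %d characters" % NONCE_LEN)
    return (nonce + phrase).encode()


def encode_value(plaintext: bytes, nonce: str = "", phrase: str = STATIC_PHRASE) -> str:
    """Build a wire value: 6-char nonce followed by base64(RC4(nonce+phrase, plaintext))."""
    if not nonce:
        nonce = "".join(secrets.choice(NONCE_ALPHABET) for _ in range(NONCE_LEN))
    ciphertext = rc4(derive_key(nonce, phrase), plaintext)
    return nonce + base64.b64encode(ciphertext).decode()


def decode_value(wire: str, phrase: str = STATIC_PHRASE) -> bytes:
    """Recover plaintext from a captured wire value; needs the static phrase."""
    if len(wire) < NONCE_LEN:
        raise ValueError("value too short to carry a nonce")
    nonce, payload = wire[:NONCE_LEN], wire[NONCE_LEN:]
    return rc4(derive_key(nonce, phrase), base64.b64decode(payload))


def build_readfile_request(path: str) -> dict:
    """Operator side: the query parameters of a ReadFile request (filename in 'img')."""
    return {"img": encode_value(path.encode())}


def parse_readfile_request(params: dict, phrase: str = STATIC_PHRASE) -> str:
    """Webshell side: the filename recovered from the 'img' parameter."""
    return decode_value(params["img"], phrase).decode()


if __name__ == "__main__":
    req = build_readfile_request("/etc/passwd")
    print("wire value:", req["img"])
    print("decoded filename:", parse_readfile_request(req))
```

Two practical consequences follow from the construction: a fresh nonce makes the same filename or command look different in every request, so byte-pattern matching on the encrypted parameter values is useless, and decoding a capture is only possible once the phrase has been extracted from the on-disk CGI. Hunting therefore belongs on the parameter names, methods and paths rather than on the values.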
Within the Pulse Secure exploitation ecosystem, UNC2717 deployed HARDPULSE alongside QUIETPULSE and PULSEJUMP. High-confidence indicators named directly in the reporting are the filename compcheckjava.cgi, the embedded tokenized recover.cgi URL, the use of HTTP GET and PUT, the img, cert, md5, and name parameters for file and command operations, and the temporary output file /tmp/1.
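The indicators above translate directly into a request-log check: a GET or PUT to compcheckjava.cgi carrying any of img, cert, md5 or name. The code below is an added example for this page, not a vendor or Mandiant detection. The log lines are constructed in combined-log style, and the URL path under which the CGI is served is an assumption, so matching is on the script name and query parameters only, not on the full path.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined-log style). The real PCS request-log
# format and the /dana-na/auth/ path prefix are assumptions for the example.
LOG_LINES = """\
203.0.113.5 - - [10/Mar/2021:12:01:15 +0000] "GET /dana-na/auth/compcheckjava.cgi?img=Ab12CdU2FsdGVk HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2021:12:01:40 +0000] "PUT /dana-na/auth/compcheckjava.cgi?cert=Q1p9xK3bWmE&md5=zR7tLq9Ppw HTTP/1.1" 200 17
203.0.113.5 - - [10/Mar/2021:12:02:03 +0000] "GET /dana-na/auth/compcheckjava.cgi?name=kL0pQ9Vd2sXy HTTP/1.1" 200 2048
198.51.100.20 - - [10/Mar/2021:12:05:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi?img=logo.png HTTP/1.1" 200 1700
198.51.100.21 - - [10/Mar/2021:12:06:11 +0000] "GET /dana-na/auth/compcheckjava.cgi HTTP/1.1" 200 300
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter -> HARDPULSE command, as described in the reporting.
WEBSHELL_PARAMS = {"img": "ReadFile", "cert": "WriteFile", "md5": "WriteFile", "name": "Execute"}
WEBSHELL_METHODS = {"GET", "PUT"}
SCRIPT_NAME = "compcheckjava.cgi"


def classify_request(line: str):
    """Return a hit record for a HARDPULSE-style request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != SCRIPT_NAME and not url.path.endswith("/" + SCRIPT_NAME):
        return None
    if m.group("method") not in WEBSHELL_METHODS:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    hits = {p: WEBSHELL_PARAMS[p] for p in params if p in WEBSHELL_PARAMS}
    if not hits:
        # The script name alone is not enough: the page describes a backdoored
        # CGI, so only the webshell parameter set separates abuse from ordinary use.
        return None
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "commands": sorted(set(hits.values())),
        "params": sorted(hits),
    }


def scan(lines):
    """Run the classifier over a log and keep the hits in log order."""
    return [hit for hit in (classify_request(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit["ts"], hit["src"], hit["method"], ",".join(hit["commands"]), hit["params"])
```

A hit with commands == ["Execute"] should be treated as a confirmed operator session and paired with host-side checks: the presence of /tmp/1, a compcheckjava.cgi whose hash does not match the vendor package, and the tokenized recover.cgi URL string inside the CGI. The welcome.cgi line shows why the path constraint matters: an img parameter on an unrelated script is ordinary appliance traffic and must not alert.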
Vulnerabilities exploited
"...newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet." ... "Ivanti ... has released temporary mitigations to address the arbitrary file execution vulnerability (CVE-2021-22893, CVSS score: 10)"
UNC2717 targeted global government agencies between October 2020 and March 2021 using HARDPULSE, QUIETPULSE, AND PULSEJUMP.
Groups observed using it
One threat actor attributed by public researchers: UNC2717 (Mandiant/FireEye).
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique): "...zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited... vulnerability tracked as CVE-2021-22893... exploited in the wild... to hack the networks... and execute arbitrary code remotely on Pulse Connect Secure gateways."
Execution (1 technique): "Execute... commands... executed via the system API with output piped to the file /tmp/1"; "compcheckresult.cgi... executes it verbatim... using the system API"; "webshell will execute the passed command on the victim host's command line".
Persistence (2 techniques): "They modified scripts on the Pulse Secure system which enabled the malware to survive software updates and factory resets."
Privilege Escalation (1 technique)
Defense Impairment (1 technique)
Credential Access (2 techniques): "They developed malware that enabled them to harvest Active Directory credentials..."
Command and Control (2 techniques): Multiple modified Pulse Secure CGI/Perl scripts act as webshells (e.g., licenseserverproto.cgi, secid_canceltoken.cgi, compcheckresult.cgi) that parse HTTP parameters/headers and execute attacker-supplied commands, returning output in HTTP responses (sometimes masquerading as GIF/text/html). "ReadFile... opens it for read... sent back..."; "WriteFile... filename... file data... written"; "HARDPULSE... matched against get and put which will read/write arbitrary files".
IOCs tracked for this family
One indicator attributed across vendor reports, sandbox runs, and researcher write-ups: the SHA256 file hash of compcheckjava.cgi, 1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc.
Recent activity
Four sources tracked across advisories, community write-ups, and news, each summarized below:
Custom malware family associated with exploitation of Pulse Secure VPN appliances during intrusions attributed to UNC2717.
Malware used by UNC2717 in PCS-focused intrusions against government agencies to maintain access and enable follow-on credential/data theft.
Backdoored Pulse Secure CGI (compcheckjava.cgi) enabling arbitrary file read/write and potential command execution; includes a recovery-token mechanism and attacker-only URL path not present in legitimate files.