SLIGHTPULSE
SLIGHTPULSE is a web shell used on compromised Pulse Secure VPN appliances. It is associated with UNC2630, which Mandiant/FireEye reported targeting U.S. Defense Industrial Base companies from at least August 2020 through March 2021; reporting also noted suspected ties between UNC2630 and Chinese state-sponsored activity, potentially linked to APT5. SLIGHTPULSE is described as capable of reading, writing, and executing files on compromised servers, and it contains functionality to execute arbitrary commands passed to it. It can base64-encode incoming and outgoing command-and-control messages. Command execution output has been piped to /tmp/1, which serves as a command execution log/staging location. The malware was deployed alongside other Pulse Secure-focused tooling and web shells including SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, and PULSECHECK. Detection references in the content include FE_APT_Webshell_PL_SLIGHTPULSE_1 and “Malicious File Transfer - SLIGHTPULSE, Download, Variant #1.”
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"...newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet." ... "Ivanti ... has released temporary mitigations to address the arbitrary file execution vulnerability (CVE-2021-22893, CVSS score: 10)"
UNC2630 targeted U.S. DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March 2021.
"UNC2630 - SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK"
UNC2630 targeted U.S. DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March 2021.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"UNC2630 - SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK"
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique"...zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited... vulnerability tracked as CVE-2021-22893... exploited in the wild... to hack the networks... and execute arbitrary code remotely on Pulse Connect Secure gateways."
Execution
2 techniquesAPT19 downloaded and launched code within a SCT file; APT32 used COM scriptlets to download Cobalt Strike beacons; APT37 used Ruby scripts to execute payloads; ArcaneDoor included the adversary executing command line interface (CLI) commands.
Dragonfly has used the command line for execution. Empire uses a command-line interface to interact with systems. StarProxy has used the command line for execution of commands.
Persistence
3 techniques"They modified scripts on the Pulse Secure system which enabled the malware to survive software updates and factory resets."
Privilege Escalation
1 techniqueStealth
1 techniqueThe content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Defense Impairment
1 techniqueCredential Access
2 techniques"They developed malware that enabled them to harvest Active Directory credentials..."
Collection
3 techniquesThe content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
Command and Control
5 techniquesThe content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
"ReadFile... opens it for read... sent back..."; "WriteFile... filename... file data... written"; "HARDPULSE... matched against get and put which will read/write arbitrary files".
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Pulse Secure appliance webshell used to maintain access; additionally referenced as being hidden from integrity checks by actor persistence logic.
Custom malware family associated with exploitation of Pulse Secure VPN appliances during intrusions attributed to UNC2630.
Malware used by UNC2630 in PCS intrusions; associated tradecraft includes persistence across updates/resets and credential harvesting.
Webshell embedded into meeting_testjs.cgi supporting arbitrary file read/write and command execution; uses base64 + RC4 for request/response data and writes command output to /tmp/1.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.