ATRIUM
ATRIUM is a webshell used on compromised Pulse Secure VPN / Pulse Connect Secure appliances. It is implemented in the legitimate compcheckresult.cgi component and is capable of arbitrary command execution; reporting states it looks for the HTTP query parameter id and executes it verbatim via the system API. Mandiant also described APT5/UNC2630 modifying legitimate Pulse Secure binaries and scripts, including DSUpgrade.pm, to install or reinstall the ATRIUM webshell for persistence, including persistence across software upgrades. ATRIUM was one of the malware families used by UNC2630 in campaigns targeting U.S. Defense Industrial Base companies from at least August 2020 through March 2021, and broader victimology in related reporting included U.S. and European government, defense, financial, transportation, and high-tech organizations. The activity was associated with exploitation of Pulse Secure vulnerabilities, including CVE-2021-22893 as well as older 2019–2020 Pulse Secure flaws. Reporting links UNC2630 to suspected Chinese espionage activity and notes possible ties to APT5. A specific sample/hash cited for ATRIUM is compcheckresult.cgi SHA256 f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90.
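The description above gives a defender two concrete handles: the webshell lives in compcheckresult.cgi, takes its command from the HTTP query parameter id, and the cited sample has a known SHA-256. The following added example (not from the original page or from Mandiant/Mallory) turns both into checks: a scan of web-server access-log lines for requests to compcheckresult.cgi carrying an id parameter, and a hash comparison for a file's contents against the cited sample. The log lines, paths and parameter value are constructed; the real URL path to the script on an appliance is not stated on the page, so matching is on the script filename only.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qs

# SHA-256 of the ATRIUM-modified compcheckresult.cgi as cited on this page.
ATRIUM_COMPCHECKRESULT_SHA256 = (
    "f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90"
)

# Combined/common log format: client, identity, user, [timestamp], "METHOD target PROTO", status.
_REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real telemetry). Paths are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Mar/2021:08:01:12 +0000] "GET /constructed/path/welcome.cgi HTTP/1.1" 200 4012',
    '198.51.100.7 - - [15/Mar/2021:08:01:40 +0000] "POST /constructed/path/compcheckresult.cgi HTTP/1.1" 200 1280',
    '203.0.113.9 - - [15/Mar/2021:08:02:03 +0000] "GET /constructed/path/compcheckresult.cgi?id=CONSTRUCTED_VALUE HTTP/1.1" 200 37',
]


def is_atrium_request(target: str) -> bool:
    """True when the request target is compcheckresult.cgi (any directory) with an 'id' query parameter."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    return script == "compcheckresult.cgi" and "id" in parse_qs(parts.query)


def scan_access_log(lines):
    """Return (source_ip, request_target) for each line that looks like an ATRIUM command request.
    Caveat: a parameter sent in a POST body is not visible in the access log, so the POST above is not
    flagged; pair this with file-integrity checks on the script itself (see matches_atrium_sample)."""
    hits = []
    for line in lines:
        m = _REQUEST_RE.match(line)
        if m and is_atrium_request(m.group("target")):
            hits.append((m.group("src"), m.group("target")))
    return hits


def matches_atrium_sample(content: bytes) -> bool:
    """Compare a file's bytes (e.g. the appliance's compcheckresult.cgi) against the cited sample hash."""
    return hashlib.sha256(content).hexdigest() == ATRIUM_COMPCHECKRESULT_SHA256


if __name__ == "__main__":
    for src, target in scan_access_log(SAMPLE_LOG):
        print(f"suspicious compcheckresult.cgi request from {src}: {target}")
```

A legitimate compcheckresult.cgi may accept its own parameters, so baseline normal requests to that script before treating every id hit as confirmed; an unmodified script whose hash differs from the cited sample is not cleared by the hash check alone, since other modified variants are not listed on this page.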
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"...newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet." ... "Ivanti ... has released temporary mitigations to address the arbitrary file execution vulnerability (CVE-2021-22893, CVSS score: 10)"
UNC2630 targeted U.S. DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March 2021.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
APT5 has modified legitimate binaries and scripts for Pulse Secure VPNs including the legitimate DSUpgrade.pm file to install the ATRIUM webshell for persistence.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
"...zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited... vulnerability tracked as CVE-2021-22893... exploited in the wild... to hack the networks... and execute arbitrary code remotely on Pulse Connect Secure gateways."
Execution
1 technique
"Execute... commands... executed via the system API with output piped to the file /tmp/1"; "compcheckresult.cgi... executes it verbatim... using the system API"; "webshell will execute the passed command on the victim host's command line".
Persistence
4 techniques
APT5 has modified legitimate binaries and scripts for Pulse Secure VPNs including the legitimate DSUpgrade.pm file to install the ATRIUM webshell for persistence.
"They modified scripts on the Pulse Secure system which enabled the malware to survive software updates and factory resets."
Privilege Escalation
1 technique
Defense Impairment
1 technique
Credential Access
2 techniques
"They developed malware that enabled them to harvest Active Directory credentials..."
Command and Control
1 technique
Multiple modified Pulse Secure CGI/Perl scripts act as webshells (e.g., licenseserverproto.cgi, secid_canceltoken.cgi, compcheckresult.cgi) that parse HTTP parameters/headers and execute attacker-supplied commands, returning output in HTTP responses (sometimes masquerading as GIF/text/html).
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Web shell used for persistence on compromised Pulse Secure VPN appliances.
Pulse Secure appliance webshell used for persistent access; also referenced as being re-installed via upgrade-process persistence mechanisms (e.g., DSUpgrade.pm modification) and found near other tooling (e.g., CLEANPULSE).
Custom malware family associated with exploitation of Pulse Secure VPN appliances during intrusions attributed to UNC2630.
Malware used by UNC2630 in PCS gateway compromises to support persistence and credential harvesting operations.