S1110 SLIGHTPULSE
SLIGHTPULSE is a web shell that was used by APT5 as early as 2020, including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.[1]
| Item | Value |
|---|---|
| ID | S1110 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 09 February 2024 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | SLIGHTPULSE has the ability to process HTTP GET requests as a normal web server and to insert logic that will read or write files or execute commands in response to HTTP POST requests.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | SLIGHTPULSE contains functionality to execute arbitrary commands passed to it.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | SLIGHTPULSE can base64 encode all incoming and outgoing C2 messages.[1] |
| enterprise | T1005 | Data from Local System | SLIGHTPULSE can read files specified on the local system.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | SLIGHTPULSE has piped the output from executed commands to /tmp/1.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | SLIGHTPULSE can deobfuscate base64 encoded and RC4 encrypted C2 messages.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | SLIGHTPULSE can RC4 encrypt all incoming and outgoing C2 messages.[1] |
| enterprise | T1105 | Ingress Tool Transfer | RAPIDPULSE can transfer files to and from compromised hosts.[2] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | SLIGHTPULSE is a web shell that can read, write, and execute files on compromised servers.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1023 | APT5 | [1][2] |
References
- [1] Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
- [2] Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.