S1112 STEADYPULSE
STEADYPULSE is a web shell that infects targeted Pulse Secure VPN servers by modifying a legitimate Perl script. It was used as early as 2020, including in activity against US Defense Industrial Base (DIB) entities.[1]

| Item | Value |
|---|---|
| ID | S1112 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 09 February 2024 |
| Last Modified | 15 April 2025 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | STEADYPULSE can parse web requests made to a targeted server to determine the next stage of execution.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | STEADYPULSE can transmit URL-encoded data over C2.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | STEADYPULSE can URL-decode key/value pairs sent over C2.[1] |
| enterprise | T1105 | Ingress Tool Transfer | STEADYPULSE can add lines to a Perl script on a targeted server to import additional Perl modules.[1] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | STEADYPULSE is a web shell that can enable the execution of arbitrary commands on compromised web servers.[1] |