{
	"id": "3e4ce5b2-4b2d-4a1c-970f-0ca4c051b33e",
	"created_at": "2026-04-06T00:12:20.872762Z",
	"updated_at": "2026-04-10T03:35:44.233989Z",
	"deleted_at": null,
	"sha1_hash": "ee13cb5ded1db298f85974f5e42bb9150f751a9b",
	"title": "Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 240244,
	"plain_text": "Re-Checking Your Pulse: Updates on Chinese APT Actors\r\nCompromising Pulse Secure VPN Devices | Mandiant\r\nBy Mandiant\r\nPublished: 2021-05-27 · Archived: 2026-04-05 14:20:15 UTC\r\nWritten by: Dan Perez, Sarah Jones, Greg Wood, Stephen Eckels, Emiel Haeghebaert\r\nOn April 20, 2021, Mandiant published detailed results of our investigations into compromised Pulse Secure\r\ndevices by suspected Chinese espionage operators. This blog post is intended to provide an update on our\r\nfindings, give additional recommendations to network defenders, and discuss potential implications for U.S.-\r\nChina strategic relations.\r\nMandiant continues to gather evidence and respond to intrusions involving compromises of Pulse Secure\r\nVPN appliances at organizations across the defense, government, high tech, transportation, and financial\r\nsectors in the U.S. and Europe (Figure 1).\r\nReverse engineers on the FLARE team have identified four additional code families specifically designed\r\nto manipulate Pulse Secure devices.\r\nWe now assess that espionage activity by UNC2630 and UNC2717 supports key Chinese government\r\npriorities. 
Many compromised organizations operate in verticals and industries aligned with Beijing’s\r\nstrategic objectives outlined in China’s recent 14th Five Year Plan.\r\nWhile there is evidence of data theft at many organizations, we have not directly observed the staging or\r\nexfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi\r\nagreement.\r\nMandiant Threat Intelligence assesses that Chinese cyber espionage activity has demonstrated a higher\r\ntolerance for risk and is less constrained by diplomatic pressures than previously characterized.\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html\r\nPage 1 of 13\n\nFigure 1: Organizations with compromised Pulse Secure devices by vertical and geographic location\r\nPulse Secure continues to work closely with Mandiant, affected customers, government partners, and other\r\nforensic experts to address these issues. Pulse Secure’s parent company, Ivanti, has released patches to proactively\r\naddress software vulnerabilities and issued updated Security Advisories and Knowledge Articles to assist\r\ncustomers. (Please see the Forensics, Remediation, and Hardening Guidelines section for additional details.)\r\nUNC2630 and UNC2717 Tradecraft and Response to Disclosure\r\nMandiant is tracking 16 malware families exclusively designed to infect Pulse Secure VPN appliances and used\r\nby several cyber espionage groups which we believe are affiliated with the Chinese government. Between April 17\r\nand April 20, 2021, Mandiant incident responders observed UNC2630 access dozens of compromised devices and\r\nremove webshells like ATRIUM and SLIGHTPULSE.\r\nUnder certain conditions, the Integrity Checker Tool (ICT) will show no evidence of compromise on\r\nappliances which may have had historical compromise. This false negative may be returned because the\r\nICT cannot scan the rollback partition. 
If a backdoor or persistence patcher exists on the rollback partition\r\nand a Pulse Secure appliance is rolled back to the prior version, the backdoor(s) will be present on the\r\nappliance. Please see the Forensics, Remediation, and Hardening Guidelines section for important\r\ninformation regarding the ICT and upgrade process.\r\nIn at least one instance, UNC2630 deleted their webshell(s) but did not remove the persistence patcher,\r\nmaking it possible to regain access when the device was upgraded. The remaining persistence patcher\r\ncauses the malicious code to be executed later during a system upgrade, re-inserts webshell logic into\r\nvarious files on the appliance, and recompromises the device.\r\nIt is unusual for Chinese espionage actors to remove a large number of backdoors across several victim\r\nenvironments on or around the time of public disclosure. This action displays an interesting concern for\r\noperational security and a sensitivity to publicity.\r\nBoth UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. The\r\nactors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps,\r\nand files staged for exfiltration. They also demonstrate a deep understanding of network appliances and advanced\r\nknowledge of a targeted network. This tradecraft can make it difficult for network defenders to establish a\r\ncomplete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date.\r\nUpdates from Incident Response Investigations\r\nWe continue to suspect that multiple groups including UNC2630 and UNC2717 are responsible for this activity,\r\ndespite the use of similar exploits and tools. 
There is a high degree of variation in attacker actions within victim\r\nenvironments, with actors inconsistently using a combination of tools and command and control IP addresses.\r\nReverse engineers on the FLARE team have identified four additional malware families specifically designed to\r\nmanipulate Pulse Secure devices (Table 1). These utilities have similar functions to the 12 previously documented\r\nmalware families: harvesting credentials and sensitive system data, allowing arbitrary file execution, and\r\nremoving forensic evidence. Please see the Technical Annex for detailed analysis of these code families.\r\nMalware Family | Description | Actor\r\nBLOODMINE | BLOODMINE is a utility for parsing Pulse Secure Connect log files. It extracts information related to logins, Message IDs and Web Requests and copies the relevant data to another file. | UNC2630\r\nBLOODBANK | BLOODBANK is a credential theft utility that parses two files containing password hashes or plaintext passwords and expects an output file to be given at the command prompt. | UNC2630\r\nCLEANPULSE | CLEANPULSE is a memory patching utility that may be used to prevent certain log events from occurring. It was found in close proximity to an ATRIUM webshell. | UNC2630\r\nRAPIDPULSE | RAPIDPULSE is a webshell capable of arbitrary file read. As is common with other webshells, RAPIDPULSE exists as a modification to a legitimate Pulse Secure file. RAPIDPULSE can serve as an encrypted file downloader for the attacker. | UNC2630\r\nTable 1: New malware families identified\r\nInitial Compromise\r\nThe actors leveraged several vulnerabilities in Pulse Secure VPN appliances. Mandiant observed the use of the\r\nrecently patched vulnerability CVE-2021-22893 to compromise fully patched Pulse Secure appliances as well as\r\npreviously disclosed vulnerabilities from 2019 and 2020. 
In many cases, it was not possible to determine the initial exploitation vector\r\nand timeframe because the actors altered or deleted forensic evidence, or the\r\nappliance had undergone subsequent code upgrades, thereby destroying evidence related to the initial exploitation.\r\nEstablish Foothold\r\nIn some cases, Mandiant observed the actors create their own Local Administrator account outside of established\r\ncredential management controls on Windows servers of strategic value. This allowed the actor to maintain access\r\nto systems with short-cycle credential rotation policies and provided a sufficient level of access to operate freely\r\nwithin their target environment. The actors also maintained their foothold into the targeted environments\r\nexclusively through Pulse Secure webshells and malware without relying on backdoors deployed on internal\r\nWindows or Linux endpoints.\r\nEscalate Privileges\r\nMandiant observed the actors use three credential harvesting techniques on Windows systems:\r\nTargeting of clear text passwords and hashes from memory using the credential harvesting tool Mimikatz.\r\nInstead of being copied locally and executed on the target system, Mandiant saw evidence of the Mimikatz\r\nbinary on the source system of an RDP session (i.e. 
the threat actor’s system that was connected to the\r\nVPN) through an RDP mapped drive.\r\nCopying and exfiltration of the SAM, SECURITY, and SYSTEM registry hives which contained cached\r\nNTLM hashes for Local and Domain accounts.\r\nLeveraging the Windows Task Manager process to target the Local Security Authority Subsystem Service\r\n(LSASS) process memory for NTLM hashes.\r\nIn addition to these privilege escalation techniques, the actors specifically targeted separate privileged accounts\r\nbelonging to individuals whose unprivileged accounts were previously compromised (likely through the Pulse\r\nSecure credential harvesting malware families). It is unclear how the account associations were made by the actor.\r\nInternal Reconnaissance\r\nMandiant found evidence that the actors renamed their own workstations that they connected to the VPN of victim\r\nnetworks to mimic the naming convention of their target environment. This practice aligns with the actor’s\r\nobjective for long-term persistence and evading detection and demonstrates a familiarity with the internal\r\nhostnames in the victim environment.\r\nThe actors operated solely by utilizing Windows-based utilities to carry out tasks. Some of the utilities observed\r\nwere net.exe, quser.exe, powershell.exe, powershell_ise.exe, findstr.exe, netstat.exe, cmd.exe, reg.exe and\r\ntasklist.exe.\r\nMove Laterally\r\nMost lateral movement originated from compromised Pulse Secure VPN appliances to internal systems within the\r\nenvironment. 
While connected to the Pulse VPN appliance, the actor’s system was assigned an IP address from the\r\nPulse VPN DHCP pool and they moved laterally throughout the environments by leveraging the Remote Desktop\r\nProtocol (RDP), the Secure Shell Protocol (SSH), and browser-based communication to HTTPS hosted resources.\r\nThe actors also accessed other resources such as Microsoft M365 cloud environments using stolen credentials they\r\nhad previously acquired.\r\nMandiant also observed the actors targeting ESXi host servers. The actor enabled SSH on ESXi hosts that were\r\npreviously disabled via the web interface. When their operations on the system were finished, the actors disabled\r\nSSH on the ESXi host again and cleared or preemptively disabled all relevant logging associated with the\r\nperformed activities. This includes authentication, command history, and message logging on the system.\r\nMaintain Presence\r\nMandiant observed the threat actor maintain persistence by compromising the upgrade process on the Pulse\r\nSecure Appliance. Persistence was primarily achieved by modifying the legitimate DSUpgrade.pm file to install\r\nthe ATRIUM webshell across each upgrade performed by an administrator. The actor likely chose DSUpgrade.pm\r\nto host their patch logic as it is a core file in the system upgrade procedure, ensuring the patch is applied during\r\nupdates. The patcher modifies content in /tmp/data as this directory holds the extracted upgrade image the newly\r\nupgraded system will boot into. This results in a persistence mechanism which allows the actor to maintain access\r\nto the system across updates.\r\nThe actors also achieved persistence in other cases by prepending a bash script to the file /bin/umount normally\r\nused to unmount a Linux filesystem. 
This binary was targeted by the actor because it is executed by the Pulse\r\nSecure appliance during a system upgrade. The actor’s script verifies that the umount binary executes with a\r\nspecific set of arguments, which are identical to the arguments used by the Pulse Secure appliance to execute the\r\nbinary. The inserted malicious bash script remounts the filesystem as read-write and iterates through a series of\r\nbash routines to inject the ATRIUM webshell, hide SLOWPULSE from a legacy file integrity bash script, remove\r\nitself from or add itself to the umount file, and validate the web process was running after a reboot to return the filesystem\r\nback to read-only.\r\nComplete Mission\r\nThe threat actor’s objectives appear to be stealing credentials, maintaining long-term persistent access to victim\r\nnetworks, and accessing or exfiltrating sensitive data. Mandiant has observed the attackers:\r\nStaging data related to sensitive projects, often in C:\\Users\\Public\r\nNaming exfiltration archives to resemble Windows Updates (KB) or to match the format KB.zip\r\nUsing the JAR/ZIP file format for data exfiltration\r\nDeleting exfiltrated archives\r\nAnalysis of new malware families is included in the Technical Annex to enable defenders to quickly assess if their\r\nrespective appliances have been affected. Relevant MITRE ATT\u0026CK techniques, Yara rules and hashes are\r\npublished on Mandiant’s GitHub page.\r\nForensics, Remediation, and Hardening Guidelines\r\nTo begin an investigation, Pulse Secure users should contact their Customer Support Representative for assistance\r\ncompleting the following steps:\r\n1. Capture memory and a forensic image of the appliance\r\n2. Run the Pulse Integrity Checker Tool found online\r\n3. 
Request a decrypted image of each partition and a memory dump\r\nTo remediate a compromised Pulse Secure appliance:\r\n1. Caution must be taken when determining if a Pulse Secure device was compromised at any previous date.\r\nIf the Integrity Checker Tool (ICT) was not run before the appliance was updated, the only evidence of\r\ncompromise will exist in the system rollback partition which cannot be scanned by the ICT. If an upgrade\r\nwas performed without first using the ICT, a manual inspection of the rollback partition is required to\r\ndetermine if the device was previously compromised.\r\n2. To ensure that no malicious logic is copied to a clean device, users must perform upgrades from the\r\nappliance console rather than the web interface. The console upgrade process follows a separate code path\r\nthat will not execute files such as DSUpgrade.pm.\r\n3. Previous versions of the ICT will exit if run on an unsupported software version. For every ICT scan,\r\nensure that the ICT would have supported the device's version number.\r\n4. Reset all passwords in the environment.\r\n5. Upgrade to the most recent software version.\r\nTo secure the appliance and assist with future investigations, consider implementing the following:\r\n1. Enable unauthenticated logging and configure syslog for Events, User \u0026 Admin Access\r\n2. Forward all logs to a central log repository\r\n3. Review logs for unusual authentications and evidence of exploitation\r\n4. Regularly run the Integrity Checker Tool\r\n5. 
Apply patches as soon as they are made available\r\nGeopolitical Context and Implications for U.S.-China Relations\r\nIn collaboration with intelligence analysts at BAE Systems Applied Intelligence, Mandiant has identified dozens\r\nof organizations across the defense, government, telecommunications, high tech, education, transportation, and\r\nfinancial sectors in the U.S. and Europe that have been compromised via vulnerabilities in Pulse Secure VPNs.\r\nHistoric Mandiant and BAE investigations identified a significant number of these organizations as previous\r\nAPT5 targets.\r\nNotably, compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives\r\nas outlined in China’s 14th Five Year Plan. Many manufacturers also compete with Chinese businesses in the high\r\ntech, green energy, and telecommunications sectors. Despite this, we have not directly observed the staging or\r\nexfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi\r\nagreement.\r\nTargets of Chinese cyber espionage operations are often selected for their alignment with national strategic goals,\r\nand there is a strong correlation between pillar industries listed in policy white papers and targets of Chinese cyber\r\nespionage activity.\r\nChina has outlined eight key areas of vital economic interest for development and production which it views as\r\nessential to maintaining global competitiveness, under the following categories: energy, healthcare, railway\r\ntransportation, telecommunications, national defense and stability, advanced manufacturing, network power, and\r\nsports and culture.\r\nHistorical Context\r\nIn the Red Line Drawn report, Mandiant documented a significant decline in the volume of Chinese\r\ncyberespionage activity in 2014 and assessed that the 
restructuring of China's military and civilian intelligence\r\nagencies significantly impacted Chinese cyber operations. Then, in September 2015, President Xi of China\r\nconcluded a bilateral agreement with U.S. President Obama to prohibit state-sponsored theft of intellectual\r\nproperty for the purpose of providing commercial advantage. Commercial IP theft has historically been a\r\nprominent characteristic of Chinese cyber espionage activity.\r\nIn 2018 we conducted an extensive review of Chinese cyber espionage operations, both before and after the\r\nofficial announcement of the PLA reforms and bilateral agreement to determine if there were any corresponding\r\nchanges in the tactics, techniques, and procedures (TTPs) used during Chinese cyberespionage operations. We\r\nobserved two important changes in the type of information stolen and the geographic distribution of the targets.\r\nDespite examining hundreds of incidents from January 2016 through mid 2019, we did not find definitive\r\nevidence of purely commercial application intellectual property theft in the US. Recent indictments by the\r\nUS Department of Justice suggest that this theft did occur. While we observed other malicious activity,\r\nincluding geopolitical targeting, theft of intellectual property with military applications, and theft of\r\nconfidential business information, we did not find evidence that these cyber operations violated the\r\nObama-Xi agreement.\r\nBetween January 2016 and mid-2019, the geographic focus of Chinese cyber operations shifted\r\ndramatically to Asia and away from the U.S. and Europe. While the U.S. remained the single most\r\nfrequently targeted country, it became a much smaller percentage of observed activity. From 2012–2015,\r\nU.S. targeting constituted nearly 70 percent of all observed Chinese cyber espionage, while from January\r\n2016 through August 2019, U.S. targeting fell to approximately 20 percent of Chinese activity. 
Targeting of\r\nEurope represented a similar proportion of overall Chinese activity to targeting of the Americas.\r\nChanges in Chinese Espionage Activity between 2019 and 2021\r\nBased on developments observed between 2019-2021, Mandiant Threat Intelligence assesses that most Chinese\r\nAPT actors now concentrate on lower-volume but more-sophisticated, stealthier operations collecting strategic\r\nintelligence to support Chinese strategic political, military, and economic goals. While some of the technical\r\nchanges may be the result of the restructuring of China's military and civilian organizations, some changes\r\npossibly reflect larger technical trends in cyber operations overall.\r\nBefore the reorganization, it was common to observe multiple Chinese espionage groups targeting the same\r\norganization, often targeting the same types of information. Post-2015, this duplication of efforts is rare.\r\nChinese espionage groups developed more efficient and purposeful targeting patterns by transitioning away\r\nfrom spearphishing and reliance on end user software vulnerabilities, and instead began exploiting\r\nnetworking devices and web-facing applications in novel ways. 
Chinese APT actors also began to leverage\r\nsupply chain vulnerabilities and to target third party providers to gain access to primary targets.\r\nRecently observed Chinese cyber espionage activity exhibits an increased diligence in operational security,\r\nfamiliarity with network defender investigation techniques, and cognizance of the forensic evidence they\r\nleave behind.\r\nWe observe the resurgence of older Chinese espionage groups, including APT4 and APT5, after long\r\nperiods of dormancy, while currently active groups engage in frequent and widespread campaigns.\r\nRedline Withdrawn?\r\nThe Obama-Xi agreement prohibits the theft of intellectual property with purely commercial applications for the\r\npurpose of gaining a competitive advantage. It does not cover government or diplomatic information, sensitive\r\nbusiness communications, IT data, PII, or intellectual property with military or dual use applications.\r\nWe have direct evidence of UNC2630, UNC2717 and other Chinese APT actors stealing credentials, email\r\ncommunications, and intellectual property with dual commercial and military applications.\r\nThroughout our investigations, we did not directly observe the staging or exfiltration of any data by\r\nChinese espionage actors that could be considered a violation of the Obama-Xi agreement.\r\nGiven the narrow definition of commercial intellectual property theft and the limited availability of forensic\r\nevidence, it is possible that our assessment will change with the discovery of new information.\r\nEvidence collected by Mandiant over the past decade suggests that norms and diplomatic agreements do not\r\nsignificantly limit China's use of its cyber threat capabilities, particularly when serving high-priority missions.\r\nThe greater ambition and risk tolerance demonstrated by Chinese policymakers since 2019 
indicates that the\r\ntempo of Chinese state-sponsored activity may increase in the near future and that the Chinese cyber threat\r\napparatus presents a renewed and serious threat to US and European commercial entities.\r\nAcknowledgements\r\nMandiant would like to thank analysts at BAE Systems Applied Intelligence, Stroz Friedberg, and Pulse Secure\r\nfor their hard work, collaboration and partnership. The team would also like to thank Scott Henderson, Kelli\r\nVanderlee, Jacqueline O'Leary, Michelle Cantos, and all the analysts who worked on Mandiant’s Red Line\r\nRedrawn project. The team would also like to thank Mike Dockry, Josh Villanueva, Keith Knapp, and all the\r\nincident responders who worked on these engagements.\r\nAdditional Resources\r\nCISA Alert (AA21-110A): Exploitation of Pulse Connect Secure Vulnerabilities\r\nPulse Secure Advisory SA44101: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy\r\nSecure 9.0RX\r\nPulse Secure Advisory SA44784: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4\r\nPulse Secure Customer FAQ KB44764: PCS Security Integrity Tool Enhancements\r\nPulse Secure KB44755: Pulse Connect Secure (PCS) Integrity Assurance\r\nDetecting the Techniques\r\nThe following table contains specific FireEye product detection names for the malware families associated with\r\nthis updated information.\r\nPlatform(s) | Detection Name\r\nNetwork Security, Email Security, Detection On Demand, Malware File Scanning, Malware File Storage Scanning | FE_APT_Tool_Linux32_BLOODMINE_1; FE_APT_Tool_Linux_BLOODMINE_1; FE_APT_Tool_Linux32_BLOODBANK_1; FE_APT_Tool_Linux_BLOODBANK_1; FE_APT_Tool_Linux32_CLEANPULSE_1; FE_APT_Tool_Linux_CLEANPULSE_1; FE_APT_Webshell_PL_RAPIDPULSE_1; FEC_APT_Webshell_PL_RAPIDPULSE_1\r\nEndpoint Security | Real-Time Detection (IOC): BLOODBANK (UTILITY); BLOODMINE (UTILITY)\r\nHelix | Establish Foothold: WINDOWS METHODOLOGY [User Account Created]; WINDOWS METHODOLOGY [User Created - Net Command]\r\nHelix | Escalate Privileges: WINDOWS METHODOLOGY [Mimikatz Args]; WINDOWS METHODOLOGY [Invoke-Mimikatz Powershell Artifacts]; WINDOWS METHODOLOGY [LSASS Memory Access]; WINDOWS METHODOLOGY [LSASS Generic Dump Activity]\r\nHelix | Internal Reconnaissance: WINDOWS ANALYTICS [Recon Commands]\r\nHelix | Move Laterally: WINDOWS ANALYTICS [Abnormal RDP Logon]; OFFICE 365 ANALYTICS [Abnormal Logon]\r\nTechnical Annex\r\nBLOODMINE\r\nBLOODMINE is a utility for parsing Pulse Secure Connect log files. It extracts information related to logins,\r\nMessage IDs and Web Requests and copies the relevant data to another file.\r\nThe sample takes three command line arguments:\r\n1. Filename to read\r\n2. Filename to write\r\n3. Timeout interval\r\nIt parses the input file for login status codes:\r\nAUT31504\r\nAUT24414\r\nAUT22673\r\nAUT22886\r\nAUT23574\r\nIt parses the input file for web results code WEB20174. 
If it finds a web result code, it looks for file extensions:\r\n.css\r\n.jpg\r\n.png\r\n.gif\r\n.ico\r\n.js\r\n.jsp\r\nThese strings indicate the type of data that is collected from web requests:\r\nWeb login, IP: %s, User: %s, Realm: %s, Roles: %s, Browser: %s\r\nAgent login, IP: %s, User: %s, Realm: %s, Roles: %s, Client: %s\r\nLogout, IP: %s, User: %s, Realm: %s, Roles: %s\r\nSession end, IP: %s, User: %s, Realm: %s, Roles: %s\r\nNew session, IP: %s, User: %s, Realm: %s, Roles: %s, New IP: %s\r\nHost check, Policy: %s\r\nWebRequest completed, IP: %s, User: %s, Realm: %s, Roles: %s, %s to %s://%s:%s/%s from %s\r\nBLOODBANK\r\nBLOODBANK is a credential theft utility that parses two LMDB (an in memory database) files and expects an\r\noutput file to be given at the command prompt. BLOODBANK takes advantage of a legitimate process that\r\nsupports Single Sign On functionality and looks for plaintext passwords when they are briefly loaded in memory.\r\nThe utility parses the following two files containing password hashes or plaintext passwords:\r\n/home/runtime/mtmp/lmdb/data0/data.mdb\r\n/home/runtime/mtmp/system\r\nBLOODBANK expects an output file as a command line parameter, otherwise it prints file open error. It contains\r\nthe following strings which it likely tries to extract and target.\r\nPRIMARY\r\nSECONDARY\r\nremoteaddr\r\nuser@\r\nlogicUR\r\nlogicTim\r\npassw@\r\nuserAge\r\nrealm\r\nSourc\r\nCLEANPULSE\r\nCLEANPULSE is a memory patching utility that may be used to prevent certain log events from occurring. 
The\r\nutility inserts two strings from the command line into the target process and patches code to conditionally\r\ncircumvent a function call in the original executable.\r\nFile Name | File Type | Size | Compile Time\r\ndsrlog | ELF.X86 | 13332 | \r\nThe utility expects to be run from the command line as follows:\r\ndrslog\r\nWhere is the pid process ID to patch in memory, and are two strings to write into the target process, and is either\r\n'e' or 'E' for installation or 'u' or 'U' for uninstallation.\r\nDuring installation (using the 'e' or 'E'), the command line strings are written to the target process at hard-coded\r\nmemory addresses, a small amount of code is written, and a jump instruction to the code snippet is patched in\r\nmemory of the target process. The added code checks whether an argument is equal to either string and, if so,\r\nskips a function call in the target process.\r\nDuring uninstall (using the 'u' or 'U'), the patch jump location is overwritten with what appears to be the original 8\r\nbytes of instructions, and the two additional memory buffers and the code snippet appear to be overwritten with\r\nzeros.\r\nThe CLEANPULSE utility is highly specific to a victim environment. It does not contain any validation code\r\nwhen patching (i.e. verifying that code is expected prior to modifying it), and it contains hard-coded addresses to\r\npatch.\r\nThe target code to patch appears to be the byte sequence: 89 4C 24 08 FF 52 04. This appears as the last bytes in\r\nthe patched code, and is the 8 bytes written when the uninstall 'u' command is given.\r\nThese bytes correspond to the following two instructions:\r\n.data:0804B138 89 4C 24 08 mov [esp+8], ecx\r\n.data:0804B13C FF 52 04 call dword ptr [edx+4]\r\nThis byte sequence occurs at the hard-coded patch address the utility expects, dslogserver. 
Based on status and\r\nerror messages in nearby functions the executable dslogserver appears to be related to log event handling, and the\r\npurpose of the CLEANPULSE utility may be to prevent certain events from being logged.\r\nThere are several un-referenced functions that appear to have been taken from the open source project PUPYRAT.\r\nIt is likely that the actor re-purposed this open source code, using PUPYRAT as a simple template project.\r\nRAPIDPULSE\r\nRAPIDPULSE is a webshell capable of arbitrary file read. As is common with other webshells, RAPIDPULSE\r\nexists as a modification to a legitimate Pulse Secure file.\r\nThe webshell modifies the legitimate file's main routine which compares the HTTP query parameter with key\r\nname: deviceid to a specific key with value. If the parameter matches, then the sample uses an RC4 key to decrypt\r\nHTTP query parameter with key name: hmacTime. This decrypted value is a filename which the sample then\r\nopens, reads, RC4 encrypts with the same key, base64 encodes, then writes to stdout. The appliance redirects\r\nstdout as the response to HTTP requests. This serves as an encrypted file download for the attacker.\r\nIntegrity Checker Tool and Other Validation Checks\r\nIn our public report, we noted two code families that manipulate check_integrity.sh, a legitimate script used during\r\na normal system upgrade. This validation script was modified by the actor to exit early so that it would not\r\nperform the intended checks.\r\nPer Ivanti, the validation provided by check_integrity.sh is a separate validation feature and not the same as the\r\nIntegrity Checker Tool (ICT) available on their website. They recommend that organizations use the online ICT to\r\nconfirm that hashes of files on their Pulse Secure devices match Ivanti’s list of known good hashes. 
Please note\r\nthat the ICT does not scan the rollback partition.\r\nPosted in: Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html"
	],
	"report_names": [
		"updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html"
	],
	"threat_actors": [
		{
			"id": "7e75ee53-c4d3-4260-8106-ed7b61d35f02",
			"created_at": "2023-12-08T02:00:05.765868Z",
			"updated_at": "2026-04-10T02:00:03.497413Z",
			"deleted_at": null,
			"main_name": "UNC2630",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2630",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13bedce4-3115-4563-afd5-068e3930e68e",
			"created_at": "2023-01-06T13:46:38.623775Z",
			"updated_at": "2026-04-10T02:00:03.042652Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"KEYHOLE PANDA",
				"BRONZE FLEETWOOD",
				"TEMP.Bottle",
				"Mulberry Typhoon",
				"Poisoned Flight"
			],
			"source_name": "MISPGALAXY:APT5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e44de7cd-80f0-4f0e-a348-33da1947fd25",
			"created_at": "2023-12-08T02:00:05.724516Z",
			"updated_at": "2026-04-10T02:00:03.489003Z",
			"deleted_at": null,
			"main_name": "UNC2717",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2717",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55",
			"created_at": "2024-04-24T02:00:49.599348Z",
			"updated_at": "2026-04-10T02:00:05.303948Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"APT5",
				"Mulberry Typhoon",
				"BRONZE FLEETWOOD",
				"Keyhole Panda",
				"UNC2630"
			],
			"source_name": "MITRE:APT5",
			"tools": [
				"Tasklist",
				"PoisonIvy",
				"RAPIDPULSE",
				"PcShare",
				"Mimikatz",
				"SLOWPULSE",
				"SLIGHTPULSE",
				"Skeleton Key",
				"gh0st RAT",
				"PULSECHECK",
				"netstat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "47a8f6c7-5b29-4892-8f47-1d46be71714f",
			"created_at": "2025-08-07T02:03:24.599925Z",
			"updated_at": "2026-04-10T02:00:03.720795Z",
			"deleted_at": null,
			"main_name": "BRONZE FLEETWOOD",
			"aliases": [
				"APT5 ",
				"DPD ",
				"Keyhole Panda ",
				"Mulberry Typhoon ",
				"Poisoned Flight ",
				"TG-2754 "
			],
			"source_name": "Secureworks:BRONZE FLEETWOOD",
			"tools": [
				"Binanen",
				"Comfoo",
				"Gh0st RAT",
				"Isastart",
				"Leouncia",
				"Marade",
				"OrcaRAT",
				"PCShare",
				"Protux",
				"Skeleton Key",
				"SlyPidgin",
				"VinSelf"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434340,
	"ts_updated_at": 1775792144,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee13cb5ded1db298f85974f5e42bb9150f751a9b.pdf",
		"text": "https://archive.orkl.eu/ee13cb5ded1db298f85974f5e42bb9150f751a9b.txt",
		"img": "https://archive.orkl.eu/ee13cb5ded1db298f85974f5e42bb9150f751a9b.jpg"
	}
}