PACEMAKER

PACEMAKER is a credential stealer that was used byAPT5 as early as 2020 including activity against US Defense Industrial Base (DIB) companies.^[1]

ID: S1109

ⓘ

Type: MALWARE

ⓘ

Platforms: Network Devices, Linux

Version: 1.1

Created: 08 February 2024

Last Modified: 15 April 2025

Techniques Used

Domain	ID		Name	Use
Enterprise	T1119		Automated Collection	PACEMAKER can enter a loop to read`/proc/` entries every 2 seconds in order to read a target application's memory.^[1]
Enterprise	T1059	.004	Command and Scripting Interpreter:Unix Shell	PACEMAKER can use a simple bash script for execution.^[1]
Enterprise	T1074	.001	Data Staged:Local Data Staging	PACEMAKER has written extracted data to`tmp/dsserver-check.statementcounters`.^[1]
Enterprise	T1083		File and Directory Discovery	PACEMAKER can parse`/proc/"process_name"/cmdline` to look for the string`dswsd` within the command line.^[1]
Enterprise	T1003	.007	OS Credential Dumping:Proc Filesystem	PACEMAKER has the ability to extract credentials from OS memory.^[1]
Enterprise	T1055	.008	Process Injection:Ptrace System Calls	PACEMAKER can use PTRACE to attach to a targeted process to read process memory.^[1]

ID	Name	References
G1023	APT5	^[1]