STEADYPULSE
STEADYPULSE is a web shell that infects targeted Pulse Secure VPN servers through modification of a legitimate Perl script that was used as early as 2020 including in activity against US Defense Industrial Base (DIB) entities.[1]
ID: S1112
ⓘ
Type: MALWARE
ⓘ
Platforms: Network Devices
Version: 1.1
Created: 09 February 2024
Last Modified: 15 April 2025
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol:Web Protocols | STEADYPULSE can parse web requests made to a targeted server to determine the next stage of execution.[1] |
| Enterprise | T1132 | .001 | Data Encoding:Standard Encoding | STEADYPULSE can transmit URL encoded data over C2.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | STEADYPULSE can URL decode key/value pairs sent over C2.[1] | |
| Enterprise | T1105 | Ingress Tool Transfer | STEADYPULSE can add lines to a Perl script on a targeted server to import additional Perl modules.[1] | |
| Enterprise | T1505 | .003 | Server Software Component:Web Shell | STEADYPULSE is a web shell that can enable the execution of arbitrary commands on compromised web servers.[1] |
References
×