SLIGHTPULSE is a web shell that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.[1]

ID: S1110
Platforms: Network, Linux
Version: 1.0
Created: 09 February 2024
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

SLIGHTPULSE has the ability to process HTTP GET requests as a normal web server and to insert logic that will read or write files or execute commands in response to HTTP POST requests.[1]

Enterprise T1059 Command and Scripting Interpreter

SLIGHTPULSE contains functionality to execute arbitrary commands passed to it.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

SLIGHTPULSE can base64 encode all incoming and outgoing C2 messages.[1]

Enterprise T1005 Data from Local System

SLIGHTPULSE can read files specified on the local system.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

SLIGHTPULSE has piped the output from executed commands to /tmp/1.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

SLIGHTPULSE can deobfuscate base64 encoded and RC4 encrypted C2 messages.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

SLIGHTPULSE can RC4 encrypt all incoming and outgoing C2 messages.[1]

Enterprise T1105 Ingress Tool Transfer

RAPIDPULSE can transfer files to and from compromised hosts.[2]

Enterprise T1505 .003 Server Software Component: Web Shell

SLIGHTPULSE is a web shell that can read, write, and execute files on compromised servers.[1]

Groups That Use This Software

ID Name References
G1023 APT5