RAPIDPULSE is a web shell that exists as a modification to a legitimate Pulse Secure file that has been used by APT5 since at least 2021.[1]

ID: S1113
Platforms: Network, Linux
Version: 1.0
Created: 13 February 2024
Last Modified: 05 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

RAPIDPULSE retrieves files from the victim system via encrypted commands sent to the web shell.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

RAPIDPULSE listens for specific HTTP query parameters in received communications. If specific parameters match, a hard-coded RC4 key is used to decrypt the HTTP query paremter hmacTime. This decrypts to a filename that is then open, read, encrypted with the same RC4 key, base64-encoded, written to standard out, then passed as a response to the HTTP request.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

RAPIDPULSE has the ability to RC4 encrypt and base64 encode decrypted files on compromised servers prior to writing them to stdout.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

RAPIDPULSE is a web shell that is capable of arbitrary file read on targeted web servers to exfiltrate items of interest on the victim device.[1]

Groups That Use This Software

ID Name References
G1023 APT5