Malware Tools That Compromise Pulse Secure VPN Devices 2 scaled

12 Malware Tools That Compromised Pulse Secure VPN Devices

Reading Time: 3 minutes

Last Updated on May 29, 2021 by Calvin C.

At least 12 malware tools that compromised Pulse Secure VPN devices were discovered by researchers from FireEye.

They identified Chinese-aligned bad actors who executed a malware attack on Pulse Secure VPN devices in order to steal sensitive information from enterprise networks.

malware tools that compromised pulse secure vpn devices

Pulse Secure VPN Vulnerabilities

This service is used by organizations around the world to provide secure access to business systems.

Only authenticated users are able to connect to the network and this helps keep sensitive company data out of reach of cybercriminals.

However, vulnerabilities in Pulse Secure VPN software left a door open to hackers, thus putting businesses at a high risk.

On April 2021, FireEye’s Mandiant cybersecurity team released a detailed report highlighting malware attacks against defense, government, technology, transport and financial organizations, capitalizing on flaws in the software.

The main advanced persistent threat (APT) groups identified in these attacks were UNC2630 and UNC2717.

These two APT groups both “support key Chinese government priorities.”

“Many compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives outlined in China’s recent 14th Five Year Plan,” Mandiant said in a report. “While there is evidence of data theft at many organizations, we have not directly observed the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi agreement.”

In the original report, 12 malware families and tools were discovered in April and included the following:

UNC2630 : Slowpulse, Radialpulse, Thinblood, Atrium, Pacemaker, Slightpulse, and Pulsecheck.

UNC2717 : Hardpulse, Quietplease, and Pulsejump.

Continued investigations uncovered 4 more malware families:

UNC2630 — Bloodmine, Bloodbank, Cleanpulse, and Rapidpulse.

These were mainly used to extract sensitive system data and credentials, allow arbitrary file execution and remove forensic evidence.

In detail, the malware performs these actions:

Bloodmine: Parses PSG log files and extracts information linked to logins, message IDs and web requests

Bloodbank: Designed for credential theft and passes files containing password hashes and plain text credentials

Cleanpulse: Memory patching tool for blocking specific log events

Rapidpulse: This webshell is a modification to a specific Pulse Secure file and is capable of arbitrary file read plus acts as an encrypted file downloader.

At the core of the attack on Pulse Secure VPN is a major vulnerability, CVE-2021-22893, that was recently patched.

The unauthenticated attackers used this vulnerability to get the initial foothold, gaining the ability to perform remote arbitrary code execution (RCE)

Other vulnerabilities that were discovered were CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243.

These are used to establish persistence on a vulnerable device in order to cause more damage.

“Both UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. 

The actors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration,” the FireEye’s researchers said. 

“They also demonstrate a deep understanding of network appliances and advanced knowledge of a targeted network. 

This tradecraft can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date.”


Ivanti, the parent company for Pulse Secure, released patches and an integrity tool so that users check for the vulnerabilities and apply the patches as soon as possible.


Cyberattacks on businesses have increased especially due to an increase in remote working.

Make sure your business is secure and you keep your systems up-to-date.

There is also a rise in ransomware attacks as I covered in another news article so make sure you check out what you need to do.

At individual level, always use a trusted VPN service when you are online to browse anonymously and securely.

  • Strong security
  • No logs
  • No DNS leaks
  • Adblock
  • Antimalware
  • 68% off a 2-year plan
  • 30-day money-back guarantee

Share the article with your colleagues on social media and like us on Facebook and Twitter.

Tech writer and VPN expert. DIY enthusiast and loves anything to do with space science.

Leave a Reply

Your email address will not be published. Required fields are marked *