Mallory
Malware. Used by 1 actor. Exploits 4 CVEs.

PULSEJUMP

PULSEJUMP is a Perl-based information and credential harvesting script used in compromises of Pulse Secure (Pulse Connect Secure) VPN appliances. Mandiant/FireEye reported it as malware used by UNC2717, which targeted global government agencies between October 2020 and March 2021; in March 2021, UNC2717 was observed using RADIALPULSE, PULSEJUMP, and HARDPULSE at a European organization. The malware is described as harvesting system information and credentials and writing the collected results to /tmp/dsactiveuser.statementcounters. A reported sample has SHA256 7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a. The broader intrusion activity involved exploitation of Pulse Secure vulnerabilities, including CVE-2021-22893 and previously disclosed flaws, to compromise VPN appliances, bypass authentication controls, and maintain access. The high-confidence indicators directly associated with PULSEJUMP in the source reporting are its Perl implementation, the output path /tmp/dsactiveuser.statementcounters, its use by UNC2717, and the SHA256 hash cited above.


EXPLOITED CVES

Vulnerabilities exploited

4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2021-22893: Authentication Bypass RCE in Pulse Connect Secure (exploited in the wild)

"...newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet." ... "Ivanti ... has released temporary mitigations to address the arbitrary file execution vulnerability (CVE-2021-22893, CVSS score: 10)"

via The Hacker News (thehackernews.com)
CVE-2020-8243: Ivanti Pulse Connect Secure Admin Web Interface Template Upload RCE

"UNC2717 - HARDPULSE, QUIETPULSE, AND PULSEJUMP"

via The Hacker News (thehackernews.com)
CVE-2019-11510: Pulse Secure Pulse Connect Secure Arbitrary File Read Vulnerability

"UNC2717 - HARDPULSE, QUIETPULSE, AND PULSEJUMP"

via The Hacker News (thehackernews.com)
CVE-2020-8260: Authenticated RCE in Pulse Connect Secure admin web interface via uncontrolled gzip extraction

"UNC2717 - HARDPULSE, QUIETPULSE, AND PULSEJUMP"

via The Hacker News (thehackernews.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UNC2717

"UNC2717 - HARDPULSE, QUIETPULSE, AND PULSEJUMP"

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 1)

"...zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited... vulnerability tracked as CVE-2021-22893... exploited in the wild... to hack the networks... and execute arbitrary code remotely on Pulse Connect Secure gateways."

Persistence

2 techniques
T1546 Event Triggered Execution (evidence: 1)

"They modified scripts on the Pulse Secure system which enabled the malware to survive software updates and factory resets."

T1556 Modify Authentication Process (evidence: 1)

"...harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks."

Credential Access

2 techniques
T1003 OS Credential Dumping (evidence: 1)

"They developed malware that enabled them to harvest Active Directory credentials..."

T1556 Modify Authentication Process (evidence: 1)

"...harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks."

Collection

1 technique
T1005 Data from Local System (evidence: 1)

"PULSEJUMP... system information and credential harvesting... writes information... to /tmp/dsactiveuser.statementcounters"; multiple tools write stolen creds/output to /tmp/*.statementcounters or other local paths.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type         Value                     Latest sighting
hash.sha256  (redacted on this page)   2 years ago