Malware · Used by 1 actor · Exploits 4 CVEs

QUIETPULSE

QUIETPULSE is malware used in compromises of Pulse Secure (Pulse Connect Secure) VPN appliances. It was observed in activity tracked by Mandiant/FireEye as UNC2717, which targeted global government agencies between October 2020 and March 2021. The malware modifies the legitimate Perl script dsserver (SHA256: 9f6ac39707822d243445e30d27b8404466aa69c61119d5308785bf4a464a9ebd) so that it forks and executes /home/bin/dshelper. The associated dshelper script (SHA256: c774eca633136de35c9d2cd339a3b5d29f00f761657ea2aa438de4f33e4bbba4) runs in a loop every two minutes and functions as a utility script responsible for copying files and executing commands. It is used to maintain persistence, including copying or restoring malicious files into /tmp/data during upgrades and modifying integrity checks. QUIETPULSE was reported alongside HARDPULSE and PULSEJUMP in UNC2717 intrusions against government victims. The broader intrusion set involved exploitation of Pulse Secure vulnerabilities, including CVE-2021-22893 and previously disclosed flaws, to gain access to appliances and maintain long-term access.
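The persistence chain above (modified dsserver forking /home/bin/dshelper, dshelper restoring files into /tmp/data, and the integrity checker rewritten so it can no longer fail) suggests three host-side hunting checks. The Python below is an added example written for this page; it is not code from Mallory, Mandiant or Ivanti. The only page-sourced values are the two SHA-256 hashes, the /home/bin/dshelper path and the "exit 1 to exit 0" tamper of check_integrity.sh; the sample scripts, the heuristics, the file paths in the snapshot and all function names are constructed assumptions.

```python
"""Host-side hunting checks for the QUIETPULSE persistence chain (added example).

Page-sourced: the two SHA-256 values, /home/bin/dshelper, and the
check_integrity.sh 'exit 1 -> exit 0' tamper. Everything else here is constructed.
"""
import hashlib
import re

# SHA-256 values quoted on this page for the modified dsserver and the dshelper script.
QUIETPULSE_SHA256 = {
    "9f6ac39707822d243445e30d27b8404466aa69c61119d5308785bf4a464a9ebd": "dsserver (modified)",
    "c774eca633136de35c9d2cd339a3b5d29f00f761657ea2aa438de4f33e4bbba4": "dshelper",
}

DSHELPER_PATH = b"/home/bin/dshelper"  # child process the modified dsserver forks (from the page)
NONZERO_EXIT = re.compile(rb"\bexit\s+[1-9]\d*\b")
ZERO_EXIT = re.compile(rb"\bexit\s+0\b")
# Tokens suggesting a line actually performs a comparison (constructed heuristic, not a signature).
CHECK_MARKERS = (b"sha", b"md5", b"cmp", b"diff", b"manifest")


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_known_hash(data: bytes):
    """Return the IOC label if the content hashes to a page-listed SHA-256, else None."""
    return QUIETPULSE_SHA256.get(sha256_of(data))


def dsserver_references_dshelper(dsserver_source: bytes) -> bool:
    """A stock dsserver has no reason to name /home/bin/dshelper; QUIETPULSE adds the fork."""
    return DSHELPER_PATH in dsserver_source


def integrity_check_findings(script: bytes) -> list[str]:
    """Heuristics for a neutered check_integrity.sh (constructed).

    1. The script can never fail: it has 'exit 0' but no non-zero exit (the exit 1 -> exit 0 patch).
    2. A bare 'exit 0' appears before any line that looks like a check (an inserted early exit).
    """
    findings = []
    code_lines = [ln.strip() for ln in script.splitlines() if not ln.strip().startswith(b"#")]
    if ZERO_EXIT.search(script) and not NONZERO_EXIT.search(script):
        findings.append("no non-zero exit path: failure branch rewritten to exit 0")
    first_check = next(
        (i for i, ln in enumerate(code_lines) if any(m in ln.lower() for m in CHECK_MARKERS)), None
    )
    for i, ln in enumerate(code_lines):
        if ZERO_EXIT.fullmatch(ln) and (first_check is None or i < first_check):
            findings.append(f"unconditional exit 0 before any check (code line {i})")
            break
    return findings


def hunt(snapshot: dict[str, bytes]) -> list[str]:
    """Run all checks over a {path: content} snapshot collected from an appliance."""
    alerts = []
    for path, content in snapshot.items():
        label = match_known_hash(content)
        if label:
            alerts.append(f"{path}: matches known QUIETPULSE hash ({label})")
        if path.endswith("dsserver") and dsserver_references_dshelper(content):
            alerts.append(f"{path}: references {DSHELPER_PATH.decode()}")
        if path.endswith("check_integrity.sh"):
            alerts += [f"{path}: {f}" for f in integrity_check_findings(content)]
    return alerts


# Constructed sample integrity scripts (not real appliance files).
LEGIT_INTEGRITY = b"""#!/bin/bash
# constructed sample: fails closed on a mismatch
while read -r f; do
  if ! sha256sum -c "$f"; then
    echo "integrity failure: $f"
    exit 1
  fi
done < /tmp/manifest
exit 0
"""
PATCHED_EXIT = LEGIT_INTEGRITY.replace(b"exit 1", b"exit 0")  # the exit 1 -> exit 0 tamper
EARLY_EXIT = LEGIT_INTEGRITY.replace(b"#!/bin/bash\n", b"#!/bin/bash\nexit 0\n", 1)  # early exit


def demo() -> list[str]:
    """Constructed snapshot; file paths are hypothetical, not the appliance's real layout."""
    snapshot = {
        "/hypothetical/dsserver": b"#!/usr/bin/perl\n# constructed stand-in\n"
                                  b"exec('/home/bin/dshelper') unless fork;\n",
        "/hypothetical/check_integrity.sh": PATCHED_EXIT,
    }
    return hunt(snapshot)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The hash check is exact and only catches the two samples named here; the dshelper reference and the integrity-script heuristics are what give coverage against recompiled or re-obfuscated variants, at the cost of needing a baseline copy of the vendor's scripts to rule out false positives.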


EXPLOITED CVES

Vulnerabilities exploited

4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2021-22893: Authentication Bypass RCE in Pulse Connect Secure (exploited in the wild)

"...newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet." ... "Ivanti ... has released temporary mitigations to address the arbitrary file execution vulnerability (CVE-2021-22893, CVSS score: 10)"

via The Hacker News (thehackernews.com)
CVE-2020-8260: Authenticated RCE in Pulse Connect Secure admin web interface via uncontrolled gzip extraction

"UNC2717 - HARDPULSE, QUIETPULSE, AND PULSEJUMP"

via The Hacker News (thehackernews.com)
CVE-2019-11510: Pulse Secure Pulse Connect Secure Arbitrary File Read Vulnerability

"UNC2717 - HARDPULSE, QUIETPULSE, AND PULSEJUMP"

via The Hacker News (thehackernews.com)
CVE-2020-8243: Ivanti Pulse Connect Secure Admin Web Interface Template Upload RCE

"UNC2717 - HARDPULSE, QUIETPULSE, AND PULSEJUMP"

via The Hacker News (thehackernews.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UNC2717

"UNC2717 - HARDPULSE, QUIETPULSE, AND PULSEJUMP"

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 1)

"...zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited... vulnerability tracked as CVE-2021-22893... exploited in the wild... to hack the networks... and execute arbitrary code remotely on Pulse Connect Secure gateways."

Persistence

3 techniques
T1543 Create or Modify System Process (evidence: 1)

"QUIETPULSE... modified... to fork the child process /home/bin/dshelper"; dshelper loop re-inserts webshell code and ensures dsserver/dshelper persist in /tmp/data across upgrades.

T1546 Event Triggered Execution (evidence: 1)

"They modified scripts on the Pulse Secure system which enabled the malware to survive software updates and factory resets."

T1556 Modify Authentication Process (evidence: 1)

"...harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks."

Credential Access

2 techniques
T1003 OS Credential Dumping (evidence: 1)

"They developed malware that enabled them to harvest Active Directory credentials..."

T1556 Modify Authentication Process (evidence: 1)

"...harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks."

Other

1 technique
T1562.001 Disable or Modify Tools (evidence: 1)

"LOCKPICK Patcher... running sed on the integrity checker... insert an early exit routine... causes this script to exit without performing its intended checks"; QUIETPULSE check 4 changes check_integrity.sh from exit 1 to exit 0.

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
2 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type          Value                              Latest sighting
hash.sha256   (redacted on the public page)      2 years ago
hash.sha256   (redacted on the public page)      2 years ago