Mallory
Malware · Used by 1 actor · Exploits 4 CVEs

THINBLOOD

THINBLOOD is a log-wiping utility used on compromised Pulse Secure (Pulse Connect Secure) SSL VPN appliances. It is associated with UNC2630 and has been linked in reporting to APT5/China-nexus activity. Mandiant/FireEye reported UNC2630 using THINBLOOD against U.S. Defense Industrial Base targets from at least August 2020 through March 2021 as part of broader exploitation of Pulse Secure appliances, including activity involving CVE-2021-22893 and older Pulse Secure vulnerabilities. THINBLOOD was used to clear SSL VPN log files under /home/runtime/logs. Specifically, the utility identified as dsclslog (SHA256: 88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079) removes entries matching actor-supplied regular expressions from /home/runtime/logs/log.events.vc0 or /home/runtime/logs/log.access.vc0, using temporary copies followed by mv/rm operations. Its primary purpose is defense evasion and anti-forensics by deleting evidence of attacker activity from appliance logs. THINBLOOD is documented alongside other Pulse Secure malware families and utilities including SLOWPULSE, RADIALPULSE, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK.
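The wiping behaviour described above (deleting individual entries from log.events.vc0 or log.access.vc0 and replacing the file) is exactly what an off-appliance log copy defeats: once entries have been forwarded to a SIEM, removing them on the appliance leaves a visible difference. The script below is an added example for this page, not THINBLOOD, Mandiant or Mallory code. It diffs an appliance log against a forwarded copy, lists the removed entries, distinguishes selective in-the-middle removal (the shape a line filter leaves) from rotation or truncation, and pulls out the tokens the removed entries share as a pivot for investigation. It assumes the forwarded copy is complete; the log lines, the username svc_backup and the address 203.0.113.9 are constructed samples and do not reproduce the real vc0 format.

```python
"""
Spot log entries that were removed from an appliance log by diffing the
on-appliance file against a copy that was forwarded off-box (syslog/SIEM)
before the wipe. Added example for this page, not THINBLOOD or Mallory code.
It assumes (a) the forwarded copy is complete and (b) an entry can be matched
by its text; the sample lines below are constructed and do not reproduce the
real Pulse Secure log.events.vc0 format.
"""
from collections import Counter
from typing import Dict, List

# Constructed sample: the entries the SIEM received from log.events.vc0.
FORWARDED_COPY: List[str] = [
    "2021-03-01 01:00:01 ive System - VPN service started",
    "2021-03-01 01:05:12 ive Auth - Login succeeded for user alice from 10.0.0.5",
    "2021-03-01 01:07:45 ive Auth - Login succeeded for user svc_backup from 203.0.113.9",
    "2021-03-01 01:08:02 ive Web - Admin page request by svc_backup from 203.0.113.9",
    "2021-03-01 01:09:30 ive Auth - Login failed for user bob from 10.0.0.7",
    "2021-03-01 01:10:00 ive System - Log rotation complete",
]

# Constructed sample: the same file read from the appliance after a suspected
# regex-based wipe; the two entries tied to 203.0.113.9 are gone.
ON_APPLIANCE: List[str] = [
    FORWARDED_COPY[0],
    FORWARDED_COPY[1],
    FORWARDED_COPY[4],
    FORWARDED_COPY[5],
]


def missing_entries(forwarded: List[str], on_box: List[str]) -> List[str]:
    """Entries in the forwarded copy that are absent on the appliance,
    in original order and honouring duplicates (a line logged twice and
    surviving once is reported once)."""
    remaining = Counter(on_box)
    missing = []
    for line in forwarded:
        if remaining[line] > 0:
            remaining[line] -= 1
        else:
            missing.append(line)
    return missing


def is_subsequence(sub: List[str], full: List[str]) -> bool:
    """True if every element of sub appears in full, in the same order."""
    it = iter(full)
    return all(any(item == candidate for candidate in it) for item in sub)


def shared_tokens(missing: List[str], survivors: List[str]) -> List[str]:
    """Whitespace tokens common to every removed entry but absent from every
    surviving one: a hint at what the removal pattern keyed on (an IP, a
    username), which is where an investigation pivots next."""
    if not missing:
        return []
    common = set.intersection(*(set(line.split()) for line in missing))
    seen_in_survivors = {tok for line in survivors for tok in line.split()}
    return sorted(common - seen_in_survivors)


def wipe_indicators(forwarded: List[str], on_box: List[str]) -> Dict[str, object]:
    """Characterise the difference. Rotation or truncation leaves a contiguous
    slice of the original; a line filter such as the one this page describes
    leaves an in-order subsequence with holes in the middle."""
    missing = missing_entries(forwarded, on_box)
    n = len(on_box)
    contiguous = any(forwarded[i:i + n] == on_box for i in range(len(forwarded) - n + 1))
    ordered = is_subsequence(on_box, forwarded)
    return {
        "missing_count": len(missing),
        "selective_removal": bool(missing) and ordered and not contiguous,
        "pivot_tokens": shared_tokens(missing, on_box),
    }


if __name__ == "__main__":
    for line in missing_entries(FORWARDED_COPY, ON_APPLIANCE):
        print("WIPED:", line)
    print(wipe_indicators(FORWARDED_COPY, ON_APPLIANCE))
```

Run it against a real forwarded copy and an image of /home/runtime/logs taken during response; the `selective_removal` flag separates a wipe from ordinary rotation, and `pivot_tokens` gives the value (here the source address and account) that every removed entry had in common.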

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2021-22893: Authentication Bypass RCE in Pulse Connect Secure (exploited in the wild)

"...newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet." ... "Ivanti ... has released temporary mitigations to address the arbitrary file execution vulnerability (CVE-2021-22893, CVSS score: 10)"

via The Hacker News (thehackernews.com)
CVE-2020-8260: Authenticated RCE in Pulse Connect Secure admin web interface via uncontrolled gzip extraction

"UNC2630 - SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK"

via The Hacker News (thehackernews.com)
CVE-2020-8243: Ivanti Pulse Connect Secure Admin Web Interface Template Upload RCE

"UNC2630 - SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK"

via The Hacker News (thehackernews.com)
CVE-2019-11510: Pulse Secure Pulse Connect Secure Arbitrary File Read Vulnerability

UNC2630 targeted U.S. DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March 2021.

via BleepingComputer (bleepingcomputer.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

APT5

APT5 has used the THINBLOOD utility to clear SSL VPN log files located at /home/runtime/logs.

via MITRE ATT&CK website (attack.mitre.org)
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 1)

"...zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited... vulnerability tracked as CVE-2021-22893... exploited in the wild... to hack the networks... and execute arbitrary code remotely on Pulse Connect Secure gateways."

Persistence

2 techniques
T1546 Event Triggered Execution (evidence: 1)

"They modified scripts on the Pulse Secure system which enabled the malware to survive software updates and factory resets."

T1556 Modify Authentication Process (evidence: 1)

"...harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks."


Stealth

2 techniques
T1070 Indicator Removal (evidence: 3; tactic: Stealth)

APT5 has used the THINBLOOD utility to clear SSL VPN log files located at /home/runtime/logs.

T1070.002 Clear Linux or Mac System Logs (evidence: 1; tactic: Stealth)

"THINBLOOD... log wiper utility... modify... log.events.vc0 or log.access.vc0... overwrite the original log with the cleaned version"; "clear_log.sh... zeroing log lines that match a given regex".


Credential Access

2 techniques
T1003 OS Credential Dumping (evidence: 1)

"They developed malware that enabled them to harvest Active Directory credentials..."

T1556 Modify Authentication Process (evidence: 1)

"...harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks."

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
2 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type: hash.sha256; Value: redacted (full value in Mallory); Latest sighting: 2 years ago
Type: hash.sha256; Value: redacted (full value in Mallory); Latest sighting: 2 years ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (2)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (4)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (6)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.