CLEANPULSE
CLEANPULSE is a Pulse Secure-focused memory patching utility associated with APT5 and with suspected Chinese espionage activity tracked by Mandiant in compromises of Pulse Secure VPN appliances. It is described as a utility that may be used to prevent certain log events from occurring, and as a process-injection or memory-patching tool used to insert command-line strings into a targeted process to alter its functionality. Reporting states APT5 used CLEANPULSE to prevent certain log events from occurring, supporting defense evasion and log tampering on compromised systems. Mandiant identified CLEANPULSE as one of multiple malware families exclusively designed to infect Pulse Secure VPN appliances, and noted it was found near an ATRIUM web shell during investigations into intrusions affecting sectors including defense, government, high tech, transportation, and financial organizations in the U.S. and Europe. High-confidence behavior directly described in the content is limited to memory patching, process manipulation, and suppression of logging-related events; no specific standalone IOCs are provided in the source content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"CLEANPULSE is a memory patching utility that may be used to prevent certain log events from occurring."
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"CLEANPULSE is a memory patching utility that may be used to prevent certain log events from occurring."
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation
1 technique"Sandworm Team loaded BlackEnergy into svchost.exe, which then launched iexplore.exe for their C2." / "VEILEDSIGNAL uses process injection to inject the C2 communication module code..." / "...inject shellcode into svchost.exe" / "...VirtualAlloc, WriteProcessMemory, and then CreateRemoteThread..."
Stealth
1 technique"Sandworm Team loaded BlackEnergy into svchost.exe, which then launched iexplore.exe for their C2." / "VEILEDSIGNAL uses process injection to inject the C2 communication module code..." / "...inject shellcode into svchost.exe" / "...VirtualAlloc, WriteProcessMemory, and then CreateRemoteThread..."
Other
1 techniqueRecent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Utility used for process injection and log evasion by altering targeted process functionality to block indicators.
Memory patching utility used on Pulse Secure appliances to modify a running process in-memory (notably log-handling components) to conditionally bypass function calls, likely suppressing or altering logging/forensic visibility.
Utility used to modify a target process by inserting command-line strings to alter behavior.
Alters a target process by inserting command-line strings to change functionality.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.