S1104: SLOWPULSE
Analyst context for executives and security teams
SLOWPULSE matters because it targets the trust boundary around VPN access, not just endpoint malware cleanup. The ATT&CK entry describes malware used against Pulse Secure VPN environments that can modify legitimate VPN files to log credentials and bypass single- and two-factor authentication flows. For leaders, the key risk is that remote-access infrastructure may appear to be enforcing authentication while the underlying device or software has been altered.
Executive priority
Prioritize this as an identity, remote-access, and network-device integrity issue. The business decision is whether VPN appliances and authentication paths have sufficient integrity monitoring, forensic readiness, and incident response playbooks to prove they have not been modified. This is especially relevant for organizations where VPN availability and trusted access are material to business continuity, regulated access control evidence, or sensitive third-party connectivity.
Technical view
SOC and IR teams should validate controls around network device file integrity, authentication flow integrity, and credential collection indicators for Pulse Secure VPN-related infrastructure. ATT&CK provides no official detection text for SLOWPULSE, so detection should be driven by the relationship context: modified host software binaries, network device authentication manipulation, MFA interception or modification, obfuscated files or information, and possible local staging. Treat suspicious changes to legitimate VPN files, unexpected authentication behavior, and anomalous local files on the appliance as investigation triggers rather than standalone proof.
Likely telemetry
- VPN appliance configuration and system file integrity data
- Authentication logs for single-factor and MFA flows through the VPN
- Administrative access logs for network devices and VPN management interfaces
- Network device system logs and upgrade or image modification records
- Credential-related anomalies such as unexpected successful logons, repeated MFA irregularities, or session behavior inconsistent with normal users
Detection direction
- Baseline legitimate VPN appliance files and monitor for unauthorized modification where the platform supports it.
- Correlate VPN authentication events with identity provider and MFA logs to identify bypass-like inconsistencies, not just failed logons.
- Review network device administrative activity for unexpected changes around authentication modules, system images, or software binaries.
- Hunt for obfuscated or unusual files on network devices and related management systems, while accounting for vendor updates and maintenance windows as likely false-positive sources.
- Because ATT&CK lists no official detection guidance, require local validation through appliance logs, file integrity evidence, and IR-ready forensic procedures.
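The correlation called for above (and again under mitigation priorities, where MFA and identity logs are retained alongside VPN session logs) can be expressed as a small hunt: flag successful VPN logons that have no approved MFA decision shortly before them. This is an added example, not code from the ATT&CK object or from Glexia; the log line shape, field names and the 120-second pairing window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not real appliance or IdP output); the field
# names and line shape are assumptions that a real parser would replace.
VPN_LOG = """\
2024-02-05T09:00:12Z vpn-auth user=alice src=203.0.113.10 result=success
2024-02-05T09:03:40Z vpn-auth user=bob src=203.0.113.22 result=success
2024-02-05T09:05:02Z vpn-auth user=carol src=198.51.100.7 result=failure
2024-02-05T09:07:55Z vpn-auth user=dave src=203.0.113.31 result=success
"""
MFA_LOG = """\
2024-02-05T09:00:09Z mfa user=alice method=push result=approved
2024-02-05T09:03:38Z mfa user=bob method=push result=denied
2024-02-05T09:05:00Z mfa user=carol method=push result=approved
"""

def parse(text):
    """Parse 'TIMESTAMP source key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ev = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
              "source": parts[1]}
        ev.update(p.split("=", 1) for p in parts[2:] if "=" in p)
        events.append(ev)
    return events

def find_bypass_candidates(vpn_events, mfa_events, window=timedelta(seconds=120)):
    """Flag successful VPN logons lacking an approved MFA event within `window`."""
    # A hit is an investigation trigger, not proof of tampering: missing IdP
    # coverage, clock skew or a maintenance change can produce the same gap.
    findings = []
    for v in vpn_events:
        if v.get("result") != "success":
            continue
        recent = [m for m in mfa_events
                  if m.get("user") == v.get("user")
                  and v["ts"] - window <= m["ts"] <= v["ts"]]
        if not recent:
            reason = "no MFA event in window"
        elif not any(m.get("result") == "approved" for m in recent):
            reason = "MFA not approved: " + ",".join(m.get("result", "?") for m in recent)
        else:
            continue  # VPN success backed by an approved MFA decision
        findings.append({"user": v["user"], "ts": v["ts"].isoformat(),
                         "src": v.get("src"), "reason": reason})
    return findings
```

On the constructed sample, bob (MFA denied yet VPN success) and dave (no MFA event at all) are returned; both patterns are what a backdoor password in the authentication flow would leave behind, and both are equally consistent with a logging gap, which is why each hit needs appliance-side validation.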
Mitigation priorities
- Maintain a verified inventory of VPN and network access appliances, their software versions, and approved file or image baselines.
- Restrict and monitor administrative access to VPN and network devices, including strong change control for authentication-related components.
- Ensure MFA and identity logs are retained and correlated with VPN session logs so bypass or interception concerns can be investigated.
- Prepare incident response procedures for network devices, including forensic acquisition, credential reset scope, and appliance rebuild or reimage decisions when integrity cannot be trusted.
- Use threat intelligence and vendor advisories from the cited reference to inform vulnerability management and exposure review without assuming current exploitation in the local environment.
Analyst notes and limits
The ATT&CK object identifies SLOWPULSE as malware used by APT5 as early as 2020, including against U.S. Defense Industrial Base companies, and describes variants that modify legitimate Pulse Secure VPN files to log credentials and bypass single- and two-factor authentication flows. The relationship context links the malware to techniques involving obfuscation, local staging, MFA interception, host software binary compromise, and authentication manipulation on network devices and MFA systems.
Official ATT&CK detection guidance is not provided for this object. The object platform is limited to Network Devices, while some related techniques list broader platforms; those broader platforms should not be assumed for SLOWPULSE without local evidence. This take is based only on supplied ATT&CK fields, external references, and relationships and does not assert active exploitation, customer exposure, or guaranteed detection coverage.
SLOWPULSE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1556.004 | Network Device Authentication (sub-technique) | SLOWPULSE can modify LDAP and two-factor authentication flows by inspecting login credentials and forcing successful authentication if the provided password matches a chosen backdoor password. (Citation: Mandiant Pulse Secure Zero-Day April 2021) |
| Enterprise | T1111 | Multi-Factor Authentication Interception | SLOWPULSE can log credentials on compromised Pulse Secure VPNs during the `DSAuth::AceAuthServer::checkUsernamePassword` ACE-2FA authentication procedure. (Citation: Mandiant Pulse Secure Zero-Day April 2021) |
| Enterprise | T1556.006 | Multi-Factor Authentication (sub-technique) | SLOWPULSE can insert malicious logic to bypass RADIUS and ACE two-factor authentication (2FA) flows if a designated attacker-supplied password is provided. (Citation: Mandiant Pulse Secure Zero-Day April 2021) |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | SLOWPULSE can write logged ACE credentials to `/home/perl/PAUS.pm` in append mode, using the format string `%s:%s\n`. (Citation: Mandiant Pulse Secure Zero-Day April 2021) |
| Enterprise | T1554 | Compromise Host Software Binary | SLOWPULSE is applied in compromised environments through modifications to legitimate Pulse Secure files. (Citation: Mandiant Pulse Secure Update May 2021) |
| Enterprise | T1027 | Obfuscated Files or Information | SLOWPULSE can hide malicious code in the padding regions between legitimate functions in the Pulse Secure `libdsplibs.so` file. (Citation: Mandiant Pulse Secure Zero-Day April 2021) |
Groups, software, and campaigns
G1023: APT5
APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 8b1c5c709490… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant Pulse Secure Zero-Day April 2021: Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
[2] mitre-attack S1104
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.