S1109: PACEMAKER
Analyst context for executives and security teams
PACEMAKER matters because it is a credential-stealing malware entry tied by ATT&CK to Linux and network-device environments, not just standard endpoints. For leaders, the key issue is whether credential exposure from infrastructure systems would be detected quickly enough to protect remote access, administrative access, and downstream business operations. ATT&CK notes historical use by APT5 as early as 2020, including activity against U.S. Defense Industrial Base companies, so organizations with sensitive engineering, telecom, aerospace, defense, or critical supplier roles should treat network-device and Linux credential telemetry as a resilience requirement, not a niche logging problem.
Executive priority
Prioritize validation of credential-theft visibility on Linux hosts and network devices, especially systems that support remote access, administration, or sensitive environments. The business question is not simply whether PACEMAKER is present; it is whether the organization can prove it monitors suspicious credential access, shell execution, local staging, file discovery, and process manipulation on the infrastructure where high-value credentials may reside. Because ATT&CK provides no official detection guidance for this malware, coverage should be demonstrated through control testing, incident response runbooks, and audit-ready evidence of logging and review.
Technical view
SOC and IR teams should map PACEMAKER coverage through its ATT&CK relationships: Proc Filesystem credential access (T1003.007), ptrace system call process injection behavior (T1055.008), Unix shell execution (T1059.004), local data staging (T1074.001), file and directory discovery (T1083), and automated collection (T1119). On supported platforms, validate whether Linux and network-device monitoring can observe unusual access to /proc-related process memory interfaces, suspicious ptrace activity, unexpected shell command execution, enumeration of sensitive directories, creation of temporary staging locations, and automated collection patterns. Treat the lack of MITRE-provided detection text as a prompt for environment-specific detection engineering rather than as evidence of low risk.
Likely telemetry
- Linux process execution and command-line history where available
- Linux audit or equivalent syscall telemetry for ptrace and sensitive /proc access
- File creation, modification, and staging activity on Linux systems
- File and directory enumeration activity on Linux and network devices where logs support it
- Network-device administrative, authentication, and shell/session logs
Detection direction
- Confirm whether monitoring covers both Linux hosts and network devices; endpoint-only visibility may miss the platforms named in ATT&CK.
- Build or validate analytics around suspicious /proc access and ptrace usage, accounting for legitimate debugging and administrative tooling as likely false-positive sources.
- Correlate shell execution with file discovery, automated collection, and local staging rather than relying on any single event type.
- Tune detections for privileged or unusual users, unusual parent-child process relationships, unexpected directories, and activity on systems that should have limited interactive administration.
- Use the APT5 relationship only as threat-context enrichment; do not assume attribution from PACEMAKER-like behavior without separate evidence.
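As an added example (not part of this page or of ATT&CK's own guidance), the correlation approach from the bullets above run over constructed audit-style events: a process is flagged only when two or more of ptrace attach, a `/proc/<pid>/mem` read, a sweep of many `/proc/<pid>/cmdline` files, or a write to the `dsserver-check.statementcounters` staging file named in the technique table co-occur, and an assumed allowlist of debuggers is routed to review instead. The event format, pids, and the `check` process name are constructed; only the staging file name comes from the page.

```python
import re
from collections import defaultdict
# Constructed, simplified audit events in the spirit of `ausearch -i` output
# (interpreted syscall names and ptrace requests); not real PACEMAKER telemetry.
SAMPLE_EVENTS = """\
ts=1001 pid=4100 comm=gdb syscall=ptrace a0=PTRACE_ATTACH a1=2200
ts=1002 pid=4100 comm=gdb syscall=openat name=/proc/2200/mem
ts=1010 pid=5300 comm=check syscall=openat name=/proc/1901/cmdline
ts=1012 pid=5300 comm=check syscall=openat name=/proc/1902/cmdline
ts=1014 pid=5300 comm=check syscall=openat name=/proc/1903/cmdline
ts=1016 pid=5300 comm=check syscall=ptrace a0=PTRACE_ATTACH a1=1903
ts=1017 pid=5300 comm=check syscall=openat name=/proc/1903/mem
ts=1018 pid=5300 comm=check syscall=openat name=/tmp/dsserver-check.statementcounters
ts=1020 pid=6000 comm=sshd syscall=openat name=/proc/self/cmdline
"""
KNOWN_DEBUGGERS = {"gdb", "strace", "ltrace"}  # assumed allowlist; tune per environment
PROC_MEM = re.compile(r"^/proc/\d+/mem$")
PROC_CMDLINE = re.compile(r"^/proc/(\d+)/cmdline$")
STAGING = re.compile(r"dsserver-check\.statementcounters$")  # staging file named in the ATT&CK entry

def parse(line):
    return dict(tok.split("=", 1) for tok in line.split())  # 'k=v k=v' line -> dict
def score_events(text, sweep_threshold=3):
    """Per pid: ptrace attach, /proc/<pid>/mem read, sweep of many /proc/<pid>/cmdline
    files, and writes to the staging path; return {pid: reasons} when two or more co-occur."""
    state = defaultdict(lambda: {"comm": "", "attach": False, "mem": False, "staged": False, "scanned": set()})
    for line in text.splitlines():
        ev = parse(line)
        s = state[ev["pid"]]
        s["comm"] = ev["comm"]
        name = ev.get("name", "")
        if ev.get("syscall") == "ptrace" and ev.get("a0") == "PTRACE_ATTACH":
            s["attach"] = True
        if PROC_MEM.match(name):
            s["mem"] = True
        if m := PROC_CMDLINE.match(name):
            s["scanned"].add(m.group(1))
        if STAGING.search(name):
            s["staged"] = True
    alerts = {}
    for pid, s in state.items():
        if s["comm"] in KNOWN_DEBUGGERS:
            continue  # approved debugging tooling: route to review instead of alerting
        reasons = [tag for hit, tag in (
            (s["attach"] and s["mem"], "ptrace_attach+proc_mem_read"),
            (len(s["scanned"]) >= sweep_threshold, "proc_cmdline_sweep"),
            (s["staged"], "staging_write")) if hit]
        if len(reasons) >= 2:
            alerts[pid] = reasons
    return alerts
```

Real auditd output would need `-w /proc` style watches or `-S ptrace` syscall rules enabled first; the threshold and allowlist are the knobs to tune against legitimate administrative tooling.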
Mitigation priorities
- Harden and monitor administrative access to Linux systems and network devices, including least privilege and strong authentication controls.
- Reduce credential exposure on infrastructure systems by reviewing where secrets, session material, and administrative credentials can be accessed or staged.
- Enable and retain security-relevant logging for Linux process activity, shell execution, file activity, authentication, and network-device administration.
- Restrict unnecessary debugging or process-tracing capabilities where operationally feasible, while preserving approved administrative use cases.
- Prepare IR playbooks for suspected credential theft from Linux or network infrastructure, including credential rotation, scope validation, and forensic preservation.
Analyst notes and limits
This take is based on the official ATT&CK PACEMAKER software object S1109, its external Mandiant reference, and the supplied relationships to APT5 and ATT&CK techniques. The most useful defensive value comes from mapping the malware to observable behavior classes rather than searching only for a malware name.
ATT&CK provides no official detection text, aliases, labels, or explicit tactics for the PACEMAKER object itself. The object states historical use by APT5 and supported platforms of Network Devices and Linux, but local exposure, current activity, and detection effectiveness require organization-specific evidence. Technique relationship descriptions are partial and should be validated against the full ATT&CK entries when building detections.
PACEMAKER
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.007 | Proc Filesystem (sub-technique) | PACEMAKER has the ability to extract credentials from OS memory. [1] |
| Enterprise | T1055.008 | Ptrace System Calls (sub-technique) | PACEMAKER can use PTRACE to attach to a targeted process to read process memory. [1] |
| Enterprise | T1119 | Automated Collection | PACEMAKER can enter a loop to read `/proc/` entries every 2 seconds in order to read a target application's memory. [1] |
| Enterprise | T1059.004 | Unix Shell (sub-technique) | PACEMAKER can use a simple bash script for execution. [1] |
| Enterprise | T1083 | File and Directory Discovery | PACEMAKER can parse `/proc/"process_name"/cmdline` to look for the string `dswsd` within the command line. [1] |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | PACEMAKER has written extracted data to `tmp/dsserver-check.statementcounters`. [1] |
Groups, software, and campaigns
G1023: APT5
APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 4562afd54635… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant Pulse Secure Zero-Day April 2021: Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
[2] mitre-attack S1109.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.