S1110: SLIGHTPULSE
SLIGHTPULSE is a web shell that was used by APT5 as early as 2020, including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.[1]
Analyst context for executives and security teams
SLIGHTPULSE matters because it represents web-shell tradecraft on network devices and Linux systems, including reported use against Pulse Secure VPNs in sensitive defense-sector environments. For leaders, the decision point is not just “do we know this malware name,” but whether internet-facing VPN and web-accessible infrastructure have logging, integrity monitoring, patch governance, and incident response procedures strong enough to find and contain unauthorized web-shell access.
Executive priority
Prioritize this as an edge-device and remote-access resilience issue. The ATT&CK context links SLIGHTPULSE to APT5 and to behaviors such as web shell persistence, command execution, local data collection, staging, tool transfer, and web-based command-and-control. Executives should ask whether VPN/network device security is included in vulnerability management, whether SOC telemetry covers appliance web traffic and file/process changes, and whether incident responders can preserve evidence from network devices before reimaging or replacement.
Technical view
SOC and IR teams should validate coverage around Linux and network-device web services rather than relying on endpoint-only controls. Relationship context maps SLIGHTPULSE to T1505.003 Web Shell, T1059 Command and Scripting Interpreter, T1005 Data from Local System, T1074.001 Local Data Staging, T1105 Ingress Tool Transfer, T1071.001 Web Protocols, T1132.001 Standard Encoding, T1140 Deobfuscate/Decode Files or Information, and T1573.001 Symmetric Cryptography. Practical validation should focus on unusual web requests to administrative or appliance paths, unexpected server-side files, command execution from web service contexts, encoded or encrypted payload patterns in web traffic, and evidence of files being collected or staged locally.
Likely telemetry
- VPN and network device administrative logs, including authentication, web requests, configuration changes, and error logs
- Web server or appliance access logs for HTTP/S requests, unusual parameters, upload activity, and unexpected response sizes
- File integrity or configuration monitoring for web-accessible directories and appliance software paths where available
- Linux process execution telemetry showing commands spawned by web service or appliance processes
- Network telemetry for outbound HTTP/S connections from network devices or Linux web servers
Detection direction
- Because MITRE provides no official detection text for SLIGHTPULSE, build detections from the related techniques and local device behavior baselines.
- Hunt for web shell persistence indicators: newly created or modified web-accessible files, unusual script extensions, and web requests followed by command execution.
- Correlate inbound web activity to subsequent local command execution, file discovery, data staging, or outbound web connections.
- Review encoded or unusually structured request parameters and payloads, but tune carefully because standard encoding and encryption can also appear in legitimate application traffic.
- Pay special attention to blind spots on network appliances and VPN infrastructure, where EDR, process logging, and file integrity monitoring are often weaker than on servers.
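The correlation described in the detection direction above (inbound POST, then a command spawned under the web service, with encoded request bodies and the `/tmp/1` staging path from the techniques table raising confidence) can be prototyped over appliance logs. This is an added example, not code from the page or from MITRE; the log formats, process names in `WEB_PARENTS`, paths and the 10-second window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry for illustration only (not from any real incident).
# Web access log format: "<ts> <src_ip> <method> <path> <status> <body>"
WEB_LOG = [
    "2021-04-20T10:00:01Z 203.0.113.7 POST /appliance/admin.cgi 200 aGVsbG8gd29ybGQgaGVsbG8=",
    "2021-04-20T10:00:05Z 198.51.100.3 GET /appliance/welcome.cgi 200 -",
    "2021-04-20T10:05:00Z 198.51.100.9 POST /appliance/login.cgi 302 user=alice",
]
# Process telemetry format: "<ts> user=<user> parent=<parent comm> cmd=<command line>"
PROC_LOG = [
    '2021-04-20T10:00:02Z user=nobody parent=httpd cmd=/bin/sh -c "id > /tmp/1"',
    "2021-04-20T10:05:30Z user=root parent=cron cmd=/usr/sbin/logrotate /etc/logrotate.conf",
]

WEB_PARENTS = {"httpd", "nginx", "apache2"}           # hypothetical web-service process names
STAGING_PATHS = ("/tmp/1",)                           # staging path noted in the techniques table
B64_BODY = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")  # request body that looks base64-encoded
WINDOW = timedelta(seconds=10)                        # assumed max gap between POST and command

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_web(line):
    ts, src, method, path, status, body = line.split(" ", 5)
    return {"ts": parse_ts(ts), "src": src, "method": method, "path": path, "body": body}

def parse_proc(line):
    ts, rest = line.split(" ", 1)
    m = re.match(r"user=(\S+) parent=(\S+) cmd=(.*)$", rest)
    return {"ts": parse_ts(ts), "user": m.group(1), "parent": m.group(2), "cmd": m.group(3)}

def find_webshell_activity(web_lines, proc_lines, window=WINDOW):
    """Flag POSTs followed within `window` by a command whose parent is the web service.
    Each alert records whether the body looked encoded and whether a staging path was used."""
    procs = [parse_proc(l) for l in proc_lines]
    alerts = []
    for req in (parse_web(l) for l in web_lines):
        if req["method"] != "POST":
            continue
        for p in procs:
            gap = (p["ts"] - req["ts"]).total_seconds()
            if p["parent"] in WEB_PARENTS and 0 <= gap <= window.total_seconds():
                alerts.append({
                    "src": req["src"], "path": req["path"], "cmd": p["cmd"], "gap_s": gap,
                    "encoded_body": bool(B64_BODY.match(req["body"])),
                    "staging": any(s in p["cmd"] for s in STAGING_PATHS),
                })
    return alerts
```

On the constructed sample, only the first POST is flagged: the login POST has no web-service-spawned command within the window, and the cron-spawned logrotate is ignored.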
Mitigation priorities
- Ensure exposed VPN, web, and network-device software is included in vulnerability management, patch prioritization, and emergency change processes.
- Restrict administrative access to network devices and VPNs using least privilege, strong authentication, and management-plane segmentation where applicable.
- Enable and retain appliance, web, and Linux logs long enough to support incident response and compliance evidence needs.
- Implement file integrity/configuration monitoring for web-accessible and appliance paths where the platform supports it.
- Prepare IR playbooks for suspected web shell activity on network devices, including evidence preservation, credential review, configuration backup, and containment steps.
Analyst notes and limits
The supplied ATT&CK object identifies SLIGHTPULSE as a web shell used by APT5 as early as 2020, including against Pulse Secure VPNs at US Defense Industrial Base entities. The strongest defensive value is in using the relationship-mapped techniques to assess coverage for edge infrastructure, web shell persistence, command execution, collection, staging, transfer, and web-based C2 behaviors.
ATT&CK does not provide official detection guidance, aliases, labels, or explicit tactics for this malware object. The object supports Network Devices and Linux platforms only. Local conclusions require environment-specific telemetry, affected product context, patch state, and forensic evidence; this summary should not be read as a claim of current exploitation or confirmed exposure.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1074.001 | Local Data Staging Sub-technique | SLIGHTPULSE has piped the output from executed commands to `/tmp/1`.[1] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | SLIGHTPULSE can base64 encode all incoming and outgoing C2 messages.[1] |
| Enterprise | T1505.003 | Web Shell Sub-technique | SLIGHTPULSE is a web shell that can read, write, and execute files on compromised servers.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | RAPIDPULSE can transfer files to and from compromised hosts. (Citation: Mandiant Pulse Secure Update May 2021) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SLIGHTPULSE can deobfuscate base64 encoded and RC4 encrypted C2 messages.[1] |
| Enterprise | T1005 | Data from Local System | SLIGHTPULSE can read files specified on the local system.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | SLIGHTPULSE contains functionality to execute arbitrary commands passed to it.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | SLIGHTPULSE has the ability to process HTTP GET requests as a normal web server and to insert logic that will read or write files or execute commands in response to HTTP POST requests.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | SLIGHTPULSE can RC4 encrypt all incoming and outgoing C2 messages.[1] |
Groups, software, and campaigns
G1023: APT5
APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | f1a7a6da625f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mandiant Pulse Secure Zero-Day April 2021: Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
- [2] mitre-attack S1110 (MITRE ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.