S1112: STEADYPULSE
STEADYPULSE is a web shell that infects targeted Pulse Secure VPN servers by modifying a legitimate Perl script. It was used as early as 2020, including in activity against US Defense Industrial Base (DIB) entities.[1]
Analyst context for executives and security teams
STEADYPULSE matters because it is a web shell implanted on targeted Pulse Secure VPN servers by modifying a legitimate Perl script that the appliance already runs. For leaders, the key issue is not only malware on a network device; it is persistence on a remote-access gateway that sits at the boundary of identity, access, and internal network connectivity. Because ATT&CK provides no official detection guidance for this software, organizations should treat coverage as something to validate with their own VPN, web, file-integrity, and network telemetry rather than assume existing endpoint monitoring will see it.
Executive priority
Prioritize this as a remote-access infrastructure risk. VPN appliances are often business-critical and may not have the same monitoring depth as standard servers or endpoints. Security leaders should ask whether Pulse Secure VPN servers and similar network devices are included in vulnerability management, configuration integrity monitoring, incident response evidence collection, and compliance evidence for privileged access infrastructure. Budget and control decisions should focus on visibility into appliance changes, web shell persistence, and command-and-control over normal-looking web protocols.
Technical view
ATT&CK lists STEADYPULSE as malware with Network Devices as its only platform and describes it as a web shell placed on targeted Pulse Secure VPN servers by modifying a legitimate Perl script. Its relationships map to Web Shell persistence (T1505.003), Web Protocols command-and-control (T1071.001, parsing web requests to the server to choose the next stage), Ingress Tool Transfer (T1105, here adding lines to a Perl script to import additional modules), Standard Encoding (T1132.001, URL-encoded data over C2), and Deobfuscate/Decode Files or Information (T1140, URL-decoding key/value pairs received over C2). SOC and IR teams should validate whether they can detect unauthorized changes to web-facing Perl scripts on the appliance, unusual HTTP/S requests to the appliance, URL-encoded or otherwise abnormal request and response content, and file transfer behavior involving the device. Because ATT&CK provides no detection text for this object, detection engineering has to rest on local baselines, vendor-supported logs, file integrity evidence, and network traffic review.
Likely telemetry
- VPN appliance administrative, system, and web access logs
- File integrity or configuration change records for appliance-hosted scripts, especially legitimate Perl scripts where available
- Network traffic metadata involving the VPN server, including HTTP/S sessions and unusual external destinations
- Proxy, firewall, or network security logs showing web protocol communications to or from the appliance
- Evidence of file transfer to the appliance or from the appliance into the environment
Detection direction
- Validate that network devices, not just endpoints, are covered by log collection and investigation workflows.
- Baseline legitimate VPN appliance web traffic so abnormal web protocol command-and-control patterns can be triaged without relying only on signatures.
- Compare appliance scripts and configurations against trusted versions to identify unauthorized modification consistent with web shell persistence.
- Review for encoded content or decoded artifacts in appliance traffic and files, while accounting for legitimate web application encoding that may create false positives.
- Correlate suspected script changes with external web access, file transfer indicators, and administrative activity to reduce noise.
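One way to put the script-comparison item above into practice, as an added example that is not from the ATT&CK page, the Mandiant report, or any Pulse Secure tooling: compare each appliance-hosted Perl script against a trusted baseline copy, and for any script whose hash differs, extract the added lines and call out new `use`/`require` imports, since importing additional Perl modules is the modification pattern the page records for this web shell. The script paths, contents and the baseline are constructed for the example; on a real appliance the trusted copies would come from vendor-supplied images or a known-good snapshot, and the check would run over the files the vendor's integrity guidance names.

```python
"""Added example: compare appliance-hosted Perl scripts against a trusted
baseline and report unauthorized modifications, highlighting newly added
module imports. All paths, script contents and hashes below are constructed;
nothing here is a real Pulse Secure file or a STEADYPULSE indicator."""
import difflib
import hashlib
import re
from dataclasses import dataclass, field

# Perl import statements: "use Foo::Bar;" or "require Foo;"
IMPORT_RE = re.compile(r"^\s*(use|require)\s+([\w:]+)")


@dataclass
class Finding:
    path: str
    baseline_sha256: str
    current_sha256: str
    added_imports: list = field(default_factory=list)
    added_lines: list = field(default_factory=list)


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def added_lines(trusted: str, current: str) -> list:
    """Lines present in current but not in trusted (the '+' lines of a unified diff)."""
    diff = difflib.unified_diff(trusted.splitlines(), current.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def check_scripts(trusted: dict, current: dict) -> list:
    """trusted/current map script path -> script text. Returns one Finding per
    modified, missing, or unbaselined script; an empty list means no change."""
    findings = []
    for path, trusted_text in trusted.items():
        cur_text = current.get(path)
        if cur_text is None:
            findings.append(Finding(path, sha256_text(trusted_text), "<missing>"))
            continue
        if sha256_text(cur_text) == sha256_text(trusted_text):
            continue
        new = added_lines(trusted_text, cur_text)
        imports = [m.group(2) for m in map(IMPORT_RE.match, new) if m]
        findings.append(Finding(path, sha256_text(trusted_text), sha256_text(cur_text), imports, new))
    # A script the baseline never had is also worth flagging on a web-facing appliance.
    for path in current.keys() - trusted.keys():
        findings.append(Finding(path, "<not in baseline>", sha256_text(current[path]),
                                [], current[path].splitlines()))
    return findings


# Constructed baseline: a harmless CGI script as shipped.
TRUSTED_SCRIPTS = {
    "cgi-bin/example.cgi": (
        "#!/usr/bin/perl\nuse strict;\nuse CGI;\n"
        "my $q = CGI->new;\nprint $q->header;\nprint 'ok';\n"
    ),
}
# Constructed current state: the same script with two imports and one line appended.
CURRENT_SCRIPTS = {
    "cgi-bin/example.cgi": (
        "#!/usr/bin/perl\nuse strict;\nuse CGI;\nuse MIME::Base64;\nuse IO::Socket;\n"
        "my $q = CGI->new;\nprint $q->header;\nprint 'ok';\n"
        "my $extra = $q->param('x');\n"
    ),
}

if __name__ == "__main__":
    for f in check_scripts(TRUSTED_SCRIPTS, CURRENT_SCRIPTS):
        print(f.path, "baseline", f.baseline_sha256[:12], "current", f.current_sha256[:12])
        print("  new imports:", f.added_imports)
        for line in f.added_lines:
            print("  +", line)
```

The hash comparison is what the correlation step keys on (a changed hash plus a timestamp from the appliance's own logs or the file system); the added-import list is what gives an analyst a reason to escalate rather than file it as a benign edit.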
Mitigation priorities
- Maintain an authoritative inventory of Pulse Secure VPN and other remote-access network devices, including software versions and ownership.
- Include these appliances in vulnerability management and emergency patch governance, especially for externally exposed remote-access infrastructure.
- Use vendor-supported hardening, configuration review, and integrity validation for appliance files and scripts.
- Restrict and monitor administrative access to VPN appliances, with strong change control for configuration and file modifications.
- Ensure incident response plans include evidence preservation and recovery procedures for network devices, not only workstations and servers.
Analyst notes and limits
The relationship set is important: STEADYPULSE is not just a named malware entry, but is tied to web shell persistence, web-based command-and-control, file transfer, encoding, and decoding behaviors. That makes defensive value depend heavily on appliance visibility, trusted file baselines, and network inspection around remote-access infrastructure. The official description references activity against US Defense Industrial Base entities, but that should be treated as historical source context, not as evidence of current targeting for any specific organization.
ATT&CK does not provide official detection text, aliases, labels, or malware tactics for this object. The only platform listed for the software is Network Devices. Any assessment of exposure, exploitation, attribution, or detection coverage requires local environment data, vendor advisories, appliance versions, and retained telemetry.
STEADYPULSE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | STEADYPULSE can transmit URL-encoded data over C2.[1] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | STEADYPULSE is a web shell that can enable the execution of arbitrary commands on compromised web servers.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | STEADYPULSE can URL-decode key/value pairs sent over C2.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | STEADYPULSE can parse web requests made to a targeted server to determine the next stage of execution.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | STEADYPULSE can add lines to a Perl script on a targeted server to import additional Perl modules.[1] |
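As an added example that is not from this page or the cited report, the following triage pass works through the web-protocol, encoding and decoding relationships in the table: it parses constructed appliance access-log lines, URL-decodes the key/value parameters of each request, and flags requests to script endpoints or parameter names that are not in a local baseline, as well as decoded values that look like commands rather than form data. The log format, endpoint paths, parameter names and IP addresses are all constructed; they are not STEADYPULSE indicators, and the baseline sets are assumptions that a real deployment would derive from its own normal traffic.

```python
"""Added example: triage VPN appliance web access logs for URL-encoded
key/value parameters sent to script endpoints outside a local baseline.
Log format, paths, parameter names, addresses and the baseline are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Common-log-style line: client ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Shell metacharacters that rarely belong in legitimate form fields
SHELL_META_RE = re.compile(r"[;|&`$<>]")

# Constructed local baseline: script endpoints the appliance legitimately serves
# and the parameter names each one is expected to receive.
BASELINE_PATHS = {"/cgi-bin/login.cgi", "/cgi-bin/logout.cgi"}
EXPECTED_PARAMS = {"/cgi-bin/login.cgi": {"user", "realm"}}

# Constructed sample lines: two ordinary logins, then two requests worth a look.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Feb/2024:10:00:01 +0000] "GET /cgi-bin/login.cgi?user=alice&realm=Users HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/Feb/2024:10:00:05 +0000] "POST /cgi-bin/login.cgi HTTP/1.1" 302 0',
    '203.0.113.9 - - [05/Feb/2024:10:02:17 +0000] "GET /cgi-bin/status.cgi?c=id%3Buname%20-a HTTP/1.1" 200 311',
    '203.0.113.9 - - [05/Feb/2024:10:02:40 +0000] "GET /cgi-bin/login.cgi?user=bob&x=ls+-la+%2Ftmp HTTP/1.1" 200 900',
]


def parse_line(line):
    """Parse one access-log line into a dict with URL-decoded params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl URL-decodes keys and values (%3B -> ';', '+' and %20 -> ' ')
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec


def deviations(rec, baseline_paths, expected_params):
    """Reasons a request departs from the baseline; an empty list means nothing to triage."""
    reasons = []
    path = rec["path"]
    if path.endswith((".cgi", ".pl")) and path not in baseline_paths:
        reasons.append(f"script endpoint not in baseline: {path}")
    unexpected = sorted(set(rec["params"]) - expected_params.get(path, set()))
    if unexpected:
        reasons.append(f"unexpected parameter(s) for {path}: {unexpected}")
    for key, value in rec["params"].items():
        if SHELL_META_RE.search(value) or " " in value:
            reasons.append(f"decoded {key}={value!r} looks like a command, not form data")
    return reasons


def triage(lines, baseline_paths=BASELINE_PATHS, expected_params=EXPECTED_PARAMS):
    """Return (client, path, reasons) for every request that deviates from the baseline."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = deviations(rec, baseline_paths, expected_params)
        if reasons:
            hits.append((rec["src"], rec["path"], reasons))
    return hits


if __name__ == "__main__":
    for src, path, reasons in triage(SAMPLE_LOG):
        print(src, path)
        for r in reasons:
            print("   ", r)
```

Two caveats a practitioner would apply: access logs normally carry only the query string, so parameters sent in a POST body need proxy, WAF, or packet capture to be visible at all; and legitimate web applications URL-encode too, which is why the path and parameter baseline carries more weight than the metacharacter check and why hits should be correlated with the script-integrity evidence above rather than acted on alone.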
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | a150681c0ed7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Mandiant. Retrieved February 5, 2024. (Cited in ATT&CK as "Mandiant Pulse Secure Zero-Day April 2021".)
- [2] MITRE ATT&CK. S1112: STEADYPULSE (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.