S1113: RAPIDPULSE
RAPIDPULSE is a web shell that exists as a modification to a legitimate Pulse Secure file that has been used by APT5 since at least 2021.[1]
Analyst context for executives and security teams
RAPIDPULSE matters because it represents a web shell hidden as a modification to a legitimate Pulse Secure file on network device/Linux infrastructure. For leaders, the key issue is not just malware cleanup; it is whether internet-facing access infrastructure can be trusted, rebuilt, and monitored well enough after suspected compromise.
Executive priority
Prioritize RAPIDPULSE-related readiness where Pulse Secure or similar network access devices are business-critical. The ATT&CK context ties this malware to APT5 and to web shell persistence, local data collection, and obfuscation behaviors, so incident decisions should consider credential exposure, device integrity, and whether network edge appliances are included in logging, backup, rebuild, and audit evidence programs.
Technical view
Validate whether SOC and IR teams can inspect Pulse Secure-related file integrity on network devices/Linux systems, compare legitimate files against trusted baselines, and investigate anomalous web-access or administrative activity. Because ATT&CK provides no official detection text for RAPIDPULSE, detection engineering should be relationship-driven: T1505.003 Web Shell for persistence, T1005 Data from Local System for local collection, and T1027.013/T1140 for encoded or decoded artifacts that may obscure content.
Likely telemetry
- Network device and Linux filesystem integrity evidence for web-accessible and vendor application files
- Web server or appliance access logs showing unusual requests to legitimate-looking files
- Administrative login, configuration change, and device management logs
- Process execution or script invocation telemetry where available on the appliance or underlying Linux host
- Configuration backups, known-good images, and file hashes for comparison
Detection direction
- Confirm that edge network devices are in scope for monitoring; many SOC programs have weaker telemetry on appliances than on endpoints.
- Tune for unauthorized modification of legitimate Pulse Secure files rather than only newly created suspicious filenames.
- Correlate file changes with web requests, administrative activity, and any local data access indicators consistent with T1005.
- Account for obfuscation: encoded file content or decoded runtime artifacts may reduce the value of simple string matching.
- Use APT5 relationship context for threat intelligence prioritization, especially for organizations in sectors named in the related group description, without assuming local compromise.
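The "modified legitimate file" point above is the one most baseline comparisons get wrong: they alert on new files only. As an added example (not code from ATT&CK, Glexia, or any vendor), the script below hashes a web root, diffs it against a trusted baseline, and reports modified vendor files separately from new and missing ones; the directory, file names and contents it uses are constructed samples, not real Pulse Secure paths.

```python
"""Added example (not from the ATT&CK page or Glexia): baseline-driven
file-integrity comparison that reports *modified* legitimate files
separately from newly created ones. Paths and contents below are
constructed samples, not real Pulse Secure files."""
import hashlib
import os
import tempfile


def hash_tree(root: str) -> dict[str, str]:
    """Return {relative path: sha256 hex} for every regular file under root."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift from a known-good image; feeds T1505.003 hunting."""
    return {
        # existing vendor files whose content changed: the RAPIDPULSE-style case
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        # files that were not in the known-good image at all
        "new": sorted(p for p in current if p not in baseline),
        # files present in the baseline but now absent
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed web root, baseline it, then inject drift."""
    with tempfile.TemporaryDirectory() as root:
        cgi = os.path.join(root, "cgi-bin")
        os.makedirs(cgi)
        with open(os.path.join(cgi, "legit.cgi"), "w") as fh:  # placeholder vendor file
            fh.write("#!/usr/bin/perl\nprint 'ok';\n")
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html></html>\n")
        baseline = hash_tree(root)  # what a trusted image or backup would give
        # simulated drift: a legitimate file gains extra code and a new file appears
        with open(os.path.join(cgi, "legit.cgi"), "a") as fh:
            fh.write("# appended content (constructed)\n")
        with open(os.path.join(root, "dropped.cgi"), "w") as fh:
            fh.write("# constructed new file\n")
        return compare_baseline(baseline, hash_tree(root))
```

In practice the baseline comes from a known-good image or pre-incident backup and the "modified" list is joined against appliance access logs for requests to those exact paths.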
Mitigation priorities
- Maintain trusted baselines and recoverable backups for network access appliances and their underlying file systems.
- Include VPN/network devices in patch, configuration management, logging, and incident response playbooks.
- Restrict and monitor administrative access to appliance management interfaces.
- When compromise is suspected, prioritize integrity validation and rebuild from trusted media over file-by-file cleanup alone.
- Preserve logs and file evidence before remediation to support incident scoping and compliance reporting.
Analyst notes and limits
The official object identifies RAPIDPULSE as a web shell modification to a legitimate Pulse Secure file and states it has been used by APT5 since at least 2021. Relationship context provides the strongest defensive framing: persistence through Web Shell, possible local data collection, and obfuscation/deobfuscation behaviors.
ATT&CK provides no official detection guidance, no aliases, and no object-level tactics for RAPIDPULSE. Local applicability depends on whether the environment uses relevant Pulse Secure/network device infrastructure and whether appliance-level telemetry is retained and accessible.
RAPIDPULSE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RAPIDPULSE listens for specific HTTP query parameters in received communications. If specific parameters match, a hard-coded RC4 key is used to decrypt the HTTP query parameter.[1] |
| Enterprise | T1005 | Data from Local System | RAPIDPULSE retrieves files from the victim system via encrypted commands sent to the web shell.[1] |
| Enterprise | T1505.003 | Web Shell Sub-technique | RAPIDPULSE is a web shell that is capable of arbitrary file read on targeted web servers to exfiltrate items of interest on the victim device.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | RAPIDPULSE has the ability to RC4 encrypt and base64 encode decrypted files on compromised servers prior to writing them to stdout.[1] |
Groups, software, and campaigns
G1023: APT5
APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 18105996be23… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Mandiant. Retrieved February 5, 2024.
[2] MITRE ATT&CK. S1113: RAPIDPULSE (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.