
Chinese Cyberspies are Targeting US, EU Orgs With New Malware

Chinese threat groups continue to deploy new malware strains on the compromised networks of dozens of US and EU organizations after exploiting vulnerable Pulse Secure VPN appliances.

As FireEye threat analysts revealed last month, state-sponsored threat actors were exploiting a recently patched zero-day in the Pulse Connect Secure gateways.

After compromising the targeted devices, they deployed malware to maintain long-term access to networks, collect credentials, and steal proprietary data.

“We now assess that espionage activity by UNC2630 and UNC2717 supports key Chinese government priorities,” FireEye said in a follow-up report published on Thursday.

“Many compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives outlined in China’s recent 14th Five Year Plan.”

New malware deployed on US, EU orgs’ networks

In the previous report, FireEye mentioned 12 malware families found on and specifically designed to infect Pulse Secure VPN appliances.

According to FireEye’s threat analysts, the malware the Chinese cyberspies used before the first report was issued includes:

  • UNC2630 targeted US DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March 2021.
  • UNC2717 targeted global government agencies between October 2020 and March 2021 using HARDPULSE, QUIETPULSE, and PULSEJUMP.

Since then, FireEye has discovered that the UNC2630 Chinese threat actors installed the following four additional malware strains, bringing the total to 16 malware families custom-tailored for compromising Pulse Secure VPN appliances.


Malware family and description:

  • BLOODMINE: a utility for parsing Pulse Secure Connect log files. It extracts information related to logins, Message IDs and Web Requests and copies the relevant data to another file.
  • BLOODBANK: a credential theft utility that parses two files containing password hashes or plaintext passwords and expects an output file to be given at the command prompt.
  • CLEANPULSE: a memory patching utility that may be used to prevent certain log events from occurring. It was found in close proximity to an ATRIUM webshell.
  • RAPIDPULSE: a webshell capable of arbitrary file read. As is common with other webshells, RAPIDPULSE exists as a modification to a legitimate Pulse Secure file. RAPIDPULSE can serve as an encrypted file downloader for the attacker.

FireEye is still collecting evidence and responding to more incidents linked to Pulse Secure VPN appliance compromises at US and European organizations across several verticals, including defense, government, high tech, transportation, and financial sectors.

“Targets of Chinese cyber espionage operations are often selected for their alignment with national strategic goals, and there is a strong correlation between pillar industries listed in policy white papers and targets of Chinese cyber espionage activity,” the threat analysts said.

[Figure: Attack distribution (FireEye)]

Signs of threat actors cleaning up their tracks

While investigating these attacks, FireEye also discovered evidence that the threat actors kept track of the company’s research.

As the analysts found, before FireEye’s first report on UNC2630 and UNC2717, the threat actors began removing their malware from some of the compromised systems.

“Between April 17th and 20th, 2021, Mandiant incident responders observed UNC2630 access dozens of compromised devices and remove webshells like ATRIUM and SLIGHTPULSE,” the researchers said.

“It is unusual for Chinese espionage actors to remove a large number of backdoors across several victim environments on or around the time of public disclosure. This action displays an interesting concern for operational security and a sensitivity to publicity.”

“Both UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. The actors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration.”
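The report notes that RAPIDPULSE lives as a modification to a legitimate Pulse Secure file and that the actors alter file timestamps to frustrate investigation. The script below is an added example, not code from the article, FireEye or Pulse Secure: it shows why a defender comparing appliance files against a known-good baseline should diff on content hashes rather than modification times. It builds a SHA-256 manifest of a constructed directory, modifies a hypothetical CGI file, restores that file’s original timestamp to mimic timestomping, and then shows that the hash comparison still flags the file while an mtime-only comparison sees nothing. All file names are invented for the demonstration.

```python
"""Added example: content-hash integrity check that catches a modified file
even after its modification time has been reset (constructed scenario)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> (sha256, mtime_ns) for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = (sha256_file(p), p.stat().st_mtime_ns)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare two manifests by content hash only; timestamps are ignored."""
    modified = sorted(rel for rel in baseline
                      if rel in current and baseline[rel][0] != current[rel][0])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def mtime_only_changes(baseline: dict, current: dict) -> list:
    """The weaker check: report files whose mtime changed (misses timestomped files)."""
    return sorted(rel for rel in baseline
                  if rel in current and baseline[rel][1] != current[rel][1])


def demo() -> dict:
    """Constructed scenario: a 'legitimate' CGI file (hypothetical name) is altered,
    then its original timestamp is put back, as the report says the actors do."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cgi = root / "cgi-bin" / "example.cgi"  # invented path, not a real Pulse Secure file
        cgi.parent.mkdir()
        cgi.write_text("#!/usr/bin/perl\nprint 'ok';\n")
        (root / "README").write_text("baseline\n")
        baseline = build_manifest(root)

        # Modify the file, then restore atime/mtime to their baseline values.
        st = cgi.stat()
        cgi.write_text("#!/usr/bin/perl\n# injected line (constructed)\nprint 'ok';\n")
        os.utime(cgi, ns=(st.st_atime_ns, st.st_mtime_ns))

        current = build_manifest(root)
        return {
            "hash_diff": diff_manifests(baseline, current),
            "mtime_diff": mtime_only_changes(baseline, current),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest would come from a trusted source (a clean install or a vendor-published file list) and be stored off the appliance, since an actor who can patch memory and delete logs on the device can also rewrite a manifest kept alongside the files it describes.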


CISA also updated its alert on the exploitation of Pulse Connect Secure vulnerabilities to include the new tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) discovered by FireEye.

The US federal agency also updated the mitigation measures and urges organizations that find evidence of exploitation on their networks to check the guidance published by Ivanti, Pulse Secure’s parent company.
