PULSEPACK

Malware

⚠️ Overview

PulsePack is a modular malware family first documented in early 2022 by Unit 42 (Palo Alto Networks) and classified as a backdoor/trojan with remote-access and data-exfiltration capabilities. It is attributed to a Chinese-speaking threat cluster tracked as UNC2891, with operational overlaps to other espionage-oriented groups; note that "UNC" designations are Mandiant's uncategorized-cluster names rather than Unit 42's, so cross-check the attribution against the original reports before relying on it. The malware is delivered via spear-phishing emails and abuses legitimate cloud hosting for command-and-control (C2) communication, so its traffic is not flagged by provider reputation alone.

🔧 Technical Capabilities

PulsePack employs a multi-stage infection chain: an initial dropper (often a VBScript or LNK file) downloads a .NET-based payload, which establishes persistence via scheduled tasks or registry Run keys.

C2 communication is encrypted HTTP/HTTPS to servers hosted on cloud providers such as AWS, Azure, and DigitalOcean, so it blends in with ordinary outbound traffic and cannot be blocked on provider reputation alone. Plugin-based modules provide file enumeration, screen capture, keylogging, and credential theft from browsers.

For evasion, strings are obfuscated with Base64 and XOR, the payload is injected into legitimate processes (e.g., svchost.exe) by process hollowing, and the installer deletes itself after execution. Before running, it checks for sandbox environments by inspecting disk size, RAM, and running processes (e.g., wireshark.exe).
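The string obfuscation described above is the first thing an analyst has to undo to get the C2 domain and persistence paths out of a sample. The following is an added example written for this page, not PulsePack's own code and not from the Unit 42 report: it assumes single-byte XOR followed by Base64 (the page does not state the order or key width), scans a buffer for Base64-looking blobs, and brute-forces the key, accepting only candidates that are mostly printable and contain an analyst-supplied crib. The sample buffer, the key 0x5A, the cribs and the three strings are all constructed for the example.

```python
import base64
import re
import string

# Added example, not PulsePack's own code. The page says strings are obfuscated
# with Base64 and XOR but not in which order or with what key width; this assumes
# single-byte XOR followed by Base64 and recovers the key by brute force, keeping
# only candidates that are mostly printable and contain an analyst-supplied crib.

PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}
CRIBS = (b"http", b"Software\\", b".exe", b"Mozilla/")   # assumed cribs for a backdoor config
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def obfuscate(text: str, key: int) -> str:
    """Model of the assumed scheme: XOR every byte with one key byte, then Base64."""
    return base64.b64encode(xor_bytes(text.encode(), key)).decode()


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def recover_key(raw: bytes, cribs=CRIBS, min_ratio: float = 0.95):
    """Try all 256 single-byte keys; return (key, plaintext) for the first one whose
    output is at least min_ratio printable and contains a crib, else None.
    Printability alone is not enough: many wrong keys map ASCII to ASCII."""
    for key in range(256):
        cand = xor_bytes(raw, key)
        if printable_ratio(cand) >= min_ratio and any(c in cand for c in cribs):
            return key, cand
    return None


def extract_strings(buffer: bytes):
    """Scan a file or memory dump for Base64 blobs and decode those that turn out to
    be XOR-obfuscated strings. Returns [(offset, key, plaintext)]."""
    hits = []
    for m in B64_RE.finditer(buffer):
        try:
            raw = base64.b64decode(m.group(), validate=True)
        except ValueError:          # binascii.Error is a ValueError: not real Base64
            continue
        found = recover_key(raw)
        if found:
            key, plain = found
            hits.append((m.start(), key, plain.decode("ascii", "replace")))
    return hits


# Constructed sample: three config strings obfuscated with key 0x5A, surrounded by
# junk bytes, standing in for a section of the unpacked .NET payload.
SAMPLE_KEY = 0x5A
SAMPLE_STRINGS = [
    "https://app.apkcloud.com/api/v1/beacon",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "wireshark.exe",
]
SAMPLE_BUFFER = (
    b"MZ\x90\x00\x03\x00"
    + b"\x00".join(obfuscate(s, SAMPLE_KEY).encode() for s in SAMPLE_STRINGS)
    + b"\xff\xfe\x00"
)

if __name__ == "__main__":
    for offset, key, text in extract_strings(SAMPLE_BUFFER):
        print(f"0x{offset:04x} key=0x{key:02x} {text}")
```

The crib check matters: XOR with a single byte maps printable ASCII to printable ASCII for many wrong keys, so a printability score by itself returns the lowest key that happens to look clean. If disassembly shows a multi-byte repeating key, the same structure applies with the crib dragged across the blob to derive each key byte.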

📜 History & Notable Incidents

First seen in January 2022, PulsePack was linked to campaigns targeting government, defense, and technology sectors in East and Southeast Asia, particularly Taiwan and the Philippines. A major incident in March 2022 involved the compromise of a Taiwanese government contractor, leading to the exfiltration of procurement documents. No CVEs are directly exploited; initial access relies on social engineering and stolen credentials instead. No law enforcement actions had been publicly reported as of late 2023.

🔍 Detection Indicators

Unit 42's reports list file hashes for the dropper and payload; this page reproduces them only in truncated form (SHA256 3a4b...c2d1 for the dropper and e5f6...g7h8 for the payload), and the second value as printed cannot be a SHA256 because 'g' and 'h' are not hex digits, so take the full hashes from the original report before adding them to a blocklist. Network IOCs: the C2 domain app.apkcloud[.]com and addresses in the 52.xxx.xxx.xxx range; that range is shared cloud-provider space, so it identifies the hosting provider rather than the actor and is far too broad to block on (use the specific addresses from the report). Persistence artifacts: the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PulseUpdate (Sysmon logs user-hive writes under HKU\<SID>\... rather than HKCU, so match on the key tail) and the mutex Global\PulseMutex_2022. The HTTP User-Agent mimics Chrome 100.0.4896.127; because that is a genuine Chrome release, the string is a low-fidelity indicator unless paired with the originating process, the destination, or the artifacts above.
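How these indicators combine in practice is easier to see on log data than in a list, so here is an added detection example written for this page (not from the Unit 42 reports and not any product's rule set). The indicator values are the ones above; the event schemas (Sysmon Event ID 13 registry set, Event ID 22 DNS query, a generic proxy record, a handle-listing record), the field names, and every log line are assumptions constructed for the example. The User-Agent match is deliberately rated low and only escalates a host together with high-confidence hits.

```python
import json
from collections import defaultdict

# Added example, not from the cited Unit 42 reports. Indicator values come from
# this page; the event schemas (Sysmon Event ID 13 registry set, Event ID 22 DNS
# query, a generic proxy record, a handle-listing record) and field names are
# assumptions, and every log line below is constructed.

IOC_RUN_KEY_TAIL = r"\Software\Microsoft\Windows\CurrentVersion\Run\PulseUpdate"  # Sysmon writes HKU\<SID>\..., not HKCU
IOC_MUTEX_TAIL = r"\PulseMutex_2022"      # Global\ resolves to \BaseNamedObjects in handle dumps
IOC_DOMAIN = "app.apkcloud.com"          # defanged on the page as app.apkcloud[.]com
IOC_UA_TOKEN = "Chrome/100.0.4896.127"   # a real Chrome build, so weak on its own
IOC_NET_PREFIX = "52."                   # the page only gives 52.xxx.xxx.xxx


def match_event(ev: dict):
    """Return (indicator, confidence) for one parsed event, or None."""
    src = ev.get("source")
    if src == "sysmon" and ev.get("EventID") == 13:
        if ev.get("TargetObject", "").endswith(IOC_RUN_KEY_TAIL):
            return "run_key_PulseUpdate", "high"
    elif src == "sysmon" and ev.get("EventID") == 22:
        if ev.get("QueryName", "").lower() == IOC_DOMAIN:
            return "dns_apkcloud", "high"
    elif src == "proxy":
        if ev.get("host", "").lower() == IOC_DOMAIN:
            return "proxy_apkcloud", "high"
        # The UA alone would match every patched Chrome 100 user; pair it with the
        # cited /8 and still rate it low, since most 52/8 traffic is ordinary cloud use.
        if IOC_UA_TOKEN in ev.get("user_agent", "") and ev.get("dst_ip", "").startswith(IOC_NET_PREFIX):
            return "chrome100_ua_to_52_0_0_0_8", "low"
    elif src == "handles":
        if ev.get("Type") == "Mutant" and ev.get("Name", "").endswith(IOC_MUTEX_TAIL):
            return "mutex_PulseMutex_2022", "high"
    return None


def scan(lines):
    """Run every JSON log line through match_event; returns [(host, indicator, confidence)]."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        m = match_event(ev)
        if m:
            hits.append((ev["host_name"], m[0], m[1]))
    return hits


def hosts_to_escalate(hits, min_high: int = 2):
    """Escalate hosts with at least min_high distinct high-confidence indicators,
    so the low-confidence UA match on its own never pages anyone."""
    per_host = defaultdict(set)
    for host, indicator, confidence in hits:
        if confidence == "high":
            per_host[host].add(indicator)
    return sorted(h for h, seen in per_host.items() if len(seen) >= min_high)


CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36")
SAMPLE_EVENTS = [  # constructed for this example
    {"source": "sysmon", "EventID": 13, "host_name": "WS-0417", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\PulseUpdate",
     "Details": r"C:\Users\j.doe\AppData\Roaming\update.exe"},
    {"source": "sysmon", "EventID": 13, "host_name": "WS-0417", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray"},
    {"source": "sysmon", "EventID": 22, "host_name": "WS-0417", "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "app.apkcloud.com"},
    {"source": "proxy", "host_name": "WS-0417", "process": "svchost.exe", "host": "app.apkcloud.com",
     "dst_ip": "52.10.20.30", "user_agent": CHROME_UA},
    {"source": "proxy", "host_name": "WS-0520", "process": "chrome.exe", "host": "www.example.com",
     "dst_ip": "52.40.50.60", "user_agent": CHROME_UA},
    {"source": "handles", "host_name": "WS-0417", "process": "svchost.exe", "Type": "Mutant",
     "Name": r"\BaseNamedObjects\PulseMutex_2022"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("escalate:", hosts_to_escalate(hits))
```

On the constructed data WS-0417 escalates on four distinct high-confidence indicators, while WS-0520, an ordinary Chrome user talking to a 52/8 address, produces only the low-confidence UA hit and is left alone. That split is the point: the run key, domain and mutex are specific to this family, the User-Agent and the /8 are not.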

☠️ Risk & Impact

The malware gives the operator full remote control of the host, leading to exfiltration of sensitive documents, intellectual property, and credentials. Affected sectors include government, defense/aerospace, and semiconductor manufacturing, with estimated industry-wide financial losses from these breaches exceeding $50 million (an estimate based on Mandiant incident response data).

🛡️ Mitigation

Defenders should enforce strict email filtering for .LNK and .VBS attachments, including inside archives, since the dropper arrives by mail; deploy EDR with behavior-based detection of process injection (MITRE ATT&CK T1055.012, Process Hollowing) and of the persistence mechanisms described above (T1053.005, Scheduled Task, and T1547.001, Registry Run Keys); and block outbound connections to the known C2 domains and addresses from threat-intelligence feeds rather than to whole cloud-provider ranges. Because no CVEs are exploited, multi-factor authentication does more against the stolen-credential vector than patching does; regular patch management for user applications remains baseline hygiene.
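The attachment filter is the one control above that is easy to get subtly wrong, so here is an added example of the check written for this page (not a product configuration and not from the cited reports). It blocks on the declared filename rather than the MIME type, which the sender controls, catches double extensions such as x.pdf.lnk, and also inspects ZIP attachments; the extension list is the page's two types and is trivially extended. The message it parses is constructed inline.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Added example, not a product configuration. The page names .LNK and .VBS as the
# dropper types to filter; this mail-gateway check matches on the declared filename
# (never the MIME type, which a sender controls) and also looks inside ZIP
# attachments, a common wrapper. The message below is constructed for the example.

BLOCKED_EXT = (".lnk", ".vbs")
ARCHIVE_EXT = (".zip",)


def blocked_names_in_zip(data: bytes):
    """Names of blocked files inside a ZIP. Names stay readable even when the
    archive is password protected, since only the file data is encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(BLOCKED_EXT)]
    except zipfile.BadZipFile:
        return []


def blocked_attachments(raw_message: bytes):
    """Return the attachment names a gateway should block, as 'archive!member'
    for files found inside a ZIP. Double extensions such as x.pdf.lnk are caught
    because only the final suffix decides."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        lower = name.lower()
        if lower.endswith(BLOCKED_EXT):
            findings.append(name)
        elif lower.endswith(ARCHIVE_EXT):
            payload = part.get_payload(decode=True) or b""
            findings.extend(f"{name}!{inner}" for inner in blocked_names_in_zip(payload))
    return findings


def build_sample_eml() -> bytes:
    """Constructed phishing-style message: PDF decoy, ZIP carrying a .lnk with a
    double extension, and a .vbs declared as text/plain to show why the MIME type
    must not be trusted."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Procurement_List_2022.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 16)  # fake shortcut header
        zf.writestr("readme.txt", b"see attached")
    msg = EmailMessage()
    msg["From"] = "procurement@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Updated procurement list"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(b"%PDF-1.4 constructed decoy", maintype="application", subtype="pdf",
                       filename="Cover_Letter.pdf")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Documents.zip")
    msg.add_attachment(b"WScript.Echo 1", maintype="text", subtype="plain", filename="Invoice.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in blocked_attachments(build_sample_eml()):
        print("BLOCK", name)
```

Two caveats for deployment: nested archives (a ZIP inside a ZIP) need the same inspection applied recursively, and a gateway that only reads member names will still miss a dropper inside an encrypted archive whose names have been disguised, which is why the EDR and persistence detections above are the backstop rather than a substitute.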


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.