The attackers are **actively exploiting** this vulnerability through a well-defined kill chain that allows them to:
* Trojanize shared objects with malicious code to **log credentials** and **bypass authentication** flows, including multifactor authentication requirements. We track these trojanized assemblies as SLOWPULSE and its variants.
* **Inject webshells** we currently track as RADIALPULSE and PULSECHECK into legitimate Internet-accessible administrative web pages of Pulse Secure VPN appliances.
* **Toggle** the filesystem between Read-Only and **Read-Write** modes to allow for file modification on a typically Read-Only filesystem.
* Maintain **persistence** across VPN appliance general upgrades that are performed by the administrator.
* Unpatch modified files and delete utilities and scripts after use to **evade detection**.
* **Clear relevant log** files using a utility tracked as THINBLOOD, based on an actor-defined regular expression.