A threat activity cluster has been observed targeting fully-patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances as part of a campaign designed to drop a backdoor called OVERSTEP.
The malicious activity, dating back to at least October 2024, has been attributed by the Google Threat Intelligence Group (GTIG) to a group it tracks as UNC6148. The number of known victims is “limited” at this stage.
The tech giant assessed with high confidence that the threat actor is “leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates.”
“Analysis of network traffic metadata records suggests that UNC6148 may have initially exfiltrated these credentials from the SMA appliance as early as January 2025.”
The exact initial access vector used to deliver the malware is currently not known due to the steps taken by the threat actors to remove log entries. But it’s believed that access may have been gained through the exploitation of known security flaws such as CVE-2021-20035, CVE-2021-20038, CVE-2021-20039, CVE-2024-38475, or CVE-2025-32819.
Alternately, the tech giant’s threat intelligence team theorized that the administrator credentials could’ve been obtained through information-stealing logs or acquired from credential marketplaces. However, it said it didn’t find any evidence to back up this hypothesis.
Upon gaining access, the threat actors have been found to establish an SSL-VPN session and spawn a reverse shell, although how this was achieved remains a mystery given that shell access should not be possible by design on these appliances. It’s believed that it may have been pulled off by means of a zero-day flaw.
The reverse shell is used to run reconnaissance and file manipulation commands, not to mention export and import settings to the SMA appliance, suggesting that UNC6148 may have altered an exported settings file offline to include new rules so that their operations are not interrupted or blocked by the access gateways.
The attacks culminate in the deployment of a previously undocumented implant named OVERSTEP that’s capable of modifying the appliance’s boot process to maintain persistent access, as well as credential theft and concealing its own components to evade detection by patching various file system-related functions.
This is achieved by implementing a usermode rootkit through the hijacked standard library functions open and readdir, allowing it to hide the artifacts associated with the attack. The malware also hooks into the write API function to receive commands from an attacker-controlled server in the form of embedded within web requests –
- dobackshell, which starts a reverse shell to the specified IP address and port
- dopasswords, which creates a TAR archive of the files /tmp/temp.db, /etc/EasyAccess/var/conf/persist.db, and /etc/EasyAccess/var/cert, and save it in the location “/usr/src/EasyAccess/www/htdocs/” so that it can be downloaded via a web browser
“UNC6148 modified the legitimate RC file ‘/etc/rc.d/rc.fwboot’ to achieve persistence for OVERSTEP,” GTIG said. “The changes meant that whenever the appliance was rebooted, the OVERSTEP binary would be loaded into the running file system on the appliance.”
Once the deployment step is complete, the threat actor then proceeds to clear the system logs and reboots the firewall to activate the execution of the C-based backdoor. The malware also attempts to remove the command execution traces from different log files, including httpd.log, http_request.log, and inotify.log.
“The actor’s success in hiding their tracks is largely due to OVERSTEP’s capability to selectively delete log entries [from the three log files],” Google said. “This anti-forensic measure, combined with a lack of shell history on disk, significantly reduces visibility into the actor’s secondary objectives.”
Google has evaluated with medium confidence that UNC6148 may have weaponized an unknown, zero-day remote code execution vulnerability to deploy OVERSTEP on targeted SonicWall SMA appliances. Furthermore, it’s suspected that the operations are carried out with the intent to facilitate data theft and extortion operations, and even ransomware deployment.
This connection stems from the fact that one of the organizations that was targeted by UNC6148 was posted on the data leak site operated by World Leaks, an extortion gang run by individuals previously associated with the Hunters International ransomware scheme. It’s worth noting that Hunters International recently shuttered its criminal enterprise.
According to Google, UNC6148 exhibits tactical overlaps with prior exploitation of SonicWall SMA devices observed in July 2023 that involved an unknown threat actor deploying a web shell, a hiding mechanism, and a way to ensure persistence across firmware upgrades, per Truesec.
The exploitation activity was subsequently linked by security researcher Stephan Berger to the deployment of the Abyss ransomware.
The findings once again highlight how threat actors are increasingly focusing on edge network systems that aren’t usually covered by common security tools like Endpoint Detection and Response (EDR) or antivirus software and slip into target networks unnoticed.
“Organizations should acquire disk images for forensic analysis to avoid interference from the rootkit anti-forensic capabilities. Organizations may need to engage with SonicWall to capture disk images from physical appliances,” Google said.
