SonicWall SMA devices persistently infected with stealthy OVERSTEP backdoor and rootkit
Unknown intruders are targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances and deploying a novel, persistent backdoor / rootkit, analysts with Google’s Threat Intelligence Group (GTIG) have warned.
The analysts say UNC6148 – as they dubbed the threat group – is likely financially motivated.
“An organization targeted by UNC6148 in May 2025 was posted to the ‘World Leaks’ data leak site (DLS) in June 2025, and UNC6148 activity overlaps with publicly reported SonicWall exploitation from late 2023 and early 2024 that has been publicly linked to the deployment of Abyss-branded ransomware (tracked by GTIG as VSOCIETY),” they noted.
SonicWall appliances saddled with malware
In this latest campaign, UNC6148 leveraged compromised local administrator credentials and possibly an unknown zero-day remote code execution vulnerability to deploy the OVERSTEP backdoor.
Google’s investigators have been unable to pinpoint how the attackers managed to obtain the admin credentials they used in the attack. It’s possible that they sourced them from infostealer logs or credential marketplaces, the GTIG experts noted, but it’s more likely that they’ve leveraged a known vulnerability prior to the targeted SMA appliance being updated to the latest firmware version.
(Which specific vulnerability was exploited for this part of the attack is currently unknown, though some have been mentioned as possibly used: CVE-2021-20035, CVE-2021-20039, CVE-2024-38475, or CVE-2025-32819.)
The attackers exfiltrated the credentials back in January 2025, and used them in June 2025 to establish an SSL VPN session to the targeted SMA appliance, then spawned a reverse shell – something that was deemed impossible due to how the appliances are designed.
Google’s incident response arm Mandiant and the SonicWall Product Security Incident Response Team (PSIRT) still don’t know how the attackers established this reverse shell, and posit that the action was made possible by exploiting an unknown vulnerability.
Through the reverse shell, the threat actors:
- Performed reconnaissance
- Performed file manipulation
- Exported settings from the SMA appliance, (apparently) modified them to include new rules for their infrastructure to ensure uninterrupted operations, and imported them back to the SMA appliance
- Deployed the OVERSTEP backdoor
- Assured the backdoor’s persistence by hiding a file and modifying another legitimate file on the system
“Once the deployment of OVERSTEP was complete, the threat actor cleared the system logs and rebooted the firewall to trigger the execution of OVERSTEP. The changes [made] meant that whenever the appliance was rebooted, the OVERSTEP binary would be loaded into the running filesystem on the appliance,” the analysts explained.
Have your SonicWall devices been compromised?
The OVERSTEP backdoor:
- Hijacks standard API functions
- Establishes a reverse shell
- Exfiltrates passwords from the compromised host
- Implements usermode rootkit capabilities and attempts to delete select entries from log files to hide its presence and its components
- Receives commands embedded within web requests
The malware’s capabilities allowed the attackers to hide what (if anything) they did on the system after they compromised the appliance.
“The primary risk stems from OVERSTEP’s functionality to steal sensitive files. Its ability to exfiltrate the persist.db database and certificate files from the /etc/EasyAccess/var/cert directory gives the attacker credentials, OTP seeds, and certificates. While we did not directly observe the weaponization of this stolen data, it creates a clear path for persistent access,” the analysts said.
They’ve shared host- and network-based indicators of compromise (IoCs) related to this campaign and urged defenders to analyze disk images and peripheral log sources for signs of compromise.
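Because OVERSTEP deletes select entries from the appliance’s own logs, the on-box log cannot be trusted on its own; the peripheral log sources GTIG points to (for example a syslog collector that received the appliance’s events before tampering) are the reference copy. The script below is an added example, not tooling from GTIG or SonicWall: it compares an appliance log recovered from a disk image with the forwarded copy and reports entries that were removed on the appliance, plus any entries that exist only on the appliance (a forwarder outage or a planted entry). The line format, hostnames, usernames and addresses are constructed for the example; real SMA log lines will differ and the regular expression would need adjusting.

```python
"""Spot log entries removed from an appliance by comparing against an off-box copy.

Added example (not GTIG's or SonicWall's tooling). Assumes the appliance log
and the syslog-forwarded copy share one line format, and that the collector
received every line before any on-box tampering took place.
"""
import re
from collections import Counter

# Constructed line format for this example: "<ISO timestamp> <host> <program>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$"
)


def parse_line(line):
    """Return (timestamp, host, program, message); unparseable lines are kept, not dropped."""
    m = LINE_RE.match(line)
    if not m:
        return ("", "", "unparsed", line)
    return (m.group("ts"), m.group("host"), m.group("prog"), m.group("msg"))


def _entries(text):
    return Counter(parse_line(l) for l in text.splitlines() if l.strip())


def compare_logs(appliance_text, forwarded_text):
    """Diff the two logs as multisets so repeated identical lines are counted, not collapsed.

    'deleted'     : on the collector but missing from the appliance copy (tampering suspects)
    'unforwarded' : on the appliance but never seen by the collector (outage or planted entry)
    """
    appliance = _entries(appliance_text)
    forwarded = _entries(forwarded_text)
    deleted = sorted((forwarded - appliance).elements(), key=lambda e: e[0])
    unforwarded = sorted((appliance - forwarded).elements(), key=lambda e: e[0])
    return {"deleted": deleted, "unforwarded": unforwarded}


def by_program(entries):
    """Count entries per logging program, a quick view of which subsystem's trail was erased."""
    counts = {}
    for _, _, prog, _ in entries:
        counts[prog] = counts.get(prog, 0) + 1
    return counts


# Constructed sample data: the collector's copy of the day, and what survived on the appliance.
FORWARDED_LOG = """\
2025-06-10T14:02:11 sma-gw httpd: session opened for user admin from 203.0.113.7
2025-06-10T14:02:45 sma-gw mgmt: configuration export requested by admin
2025-06-10T14:09:03 sma-gw mgmt: configuration import completed (3 rules added)
2025-06-10T14:11:30 sma-gw httpd: session opened for user jdoe from 198.51.100.22
2025-06-10T14:30:00 sma-gw cron: log rotation complete
"""

APPLIANCE_LOG = """\
2025-06-10T14:11:30 sma-gw httpd: session opened for user jdoe from 198.51.100.22
2025-06-10T14:30:00 sma-gw cron: log rotation complete
"""

if __name__ == "__main__":
    result = compare_logs(APPLIANCE_LOG, FORWARDED_LOG)
    print(f"{len(result['deleted'])} entries missing on the appliance, by program: "
          f"{by_program(result['deleted'])}")
    for ts, host, prog, msg in result["deleted"]:
        print(f"  MISSING {ts} {host} {prog}: {msg}")
    for ts, host, prog, msg in result["unforwarded"]:
        print(f"  ONLY-ON-APPLIANCE {ts} {host} {prog}: {msg}")
```

The multiset comparison matters because a rootkit that strips only the lines naming its own session leaves the rest of the log intact and plausible-looking; a simple "is the log empty" check would pass. Run against a real case, the appliance side would be read from the mounted disk image and the forwarded side from the collector, and any gap concentrated around administrative programs (here the constructed `mgmt` and `httpd` lines covering the admin login and the settings export/import) is what to hand to the forensic investigation.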
“If evidence of compromise is detected, organizations should take immediate steps to contain the threat,” they noted, and advised isolating the appliance(s), preserving disk images and telemetry for a full forensic investigation and, if needed, calling in incident responders to help with the investigation.
Finally, they should consider all user credentials and certificates with private keys stored on the appliance compromised, and should reset / revoke / reissue them.
SonicWall comments
“SonicWall is aware of the recent report by Google Threat Intelligence Group (GTIG) identifying an active campaign targeting SMA 100 series appliances. We’ve been working closely with GTIG throughout this process and appreciate their responsible disclosure and continued partnership in protecting customers and the broader security community,” a SonicWall representative told Help Net Security.
“In response to the evolving threat landscape—and in alignment with our commitment to transparency and customer protection—SonicWall will accelerate the end-of-support date for the SMA 100 series from October 1, 2027, to December 31, 2025. The SMA 100 has already reached end-of-sale status, as reflected in our Product Lifecycle Table, and this update aligns with our long-term strategy and industry direction.”
They also noted that SonicWall has been actively guiding customers toward more modern, secure solutions (e.g. the Cloud Secure Edge service and the SMA 1000 series), and that detailed migration guidance to SonicWall’s Zero Trust solutions will be shared with customers and partners in the coming weeks.
“We understand that not all customers have transitioned yet, and we remain committed to supporting existing SMA 100 deployments with firmware updates throughout the remaining lifecycle. These updates may become more frequent as we prioritize risk mitigation and the ongoing protection of our user base,” they added.