Google Alerts on OVERSTEP Backdoor Targeting SonicWall SMA Devices
Exploitation of SonicWall SMA 100 Appliances by UNC6148
Overview of Malicious Activity
The Google Threat Intelligence Group (GTIG) has identified an ongoing campaign targeting fully patched, end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. The threat actor, tracked as UNC6148, uses stolen credentials and one-time password (OTP) seeds to regain access to these devices even after security updates have been applied. The campaign began at least as early as October 2024, with the actor leveraging known vulnerabilities, including CVE-2021-20035, CVE-2021-20038, CVE-2021-20039, CVE-2024-38475, and CVE-2025-32819.
[Image: courtesy of The Record from Recorded Future News]
Deployment of OVERSTEP Backdoor
A novel aspect of the UNC6148 campaign is the deployment of a backdoor named OVERSTEP. The malware modifies the appliance's boot process to gain persistent access, steal credentials, and conceal its own components. It is built specifically for the SMA 100 series, which has reached end-of-life status. GTIG suspects that UNC6148 may have used an unknown zero-day remote code execution vulnerability to execute OVERSTEP on targeted devices.
Mandiant's analysis shows that UNC6148 first established an SSL-VPN session using stolen local administrator credentials before spawning a reverse shell. This access is atypical for the appliance's design, suggesting the use of advanced techniques or unknown vulnerabilities.
[Image: courtesy of Cybersecurity Dive]
Attack Vector and Techniques
The initial entry point used by UNC6148 remains unclear, but the actor is believed to have exploited known vulnerabilities to gain access to the devices. OVERSTEP also erases log entries, which complicates forensic investigation and makes it difficult to trace the origin of a breach.
According to reports, targeted organizations are advised to reset OTP bindings to prevent further unauthorized access. SonicWall has confirmed that it is actively investigating the incidents and providing updates to its customers.
Persistence and Evasion Techniques
OVERSTEP includes user-mode rootkit capabilities that hide its components and activity on compromised appliances. It modifies essential system files and hooks API functions to avoid detection; for example, the malware hijacks the open and readdir functions so that its files are omitted from directory listings.
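One way a responder can check a Linux-based appliance for this kind of user-mode readdir hooking is to list a directory twice, once through libc and once through the raw getdents64 syscall, and compare the two views. The following is an added example written for this article, not code from GTIG, SonicWall or the OVERSTEP samples; it assumes a Linux system where the hook lives in user space (for instance an LD_PRELOAD library), so the raw syscall still returns the true listing.

```c
// Detection check for a user-mode open()/readdir() hook (added example): list a
// directory through libc (which a preloaded hook can filter) and through the raw
// getdents64 syscall (which it cannot), then report names only the raw view holds.
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
enum { MAX_NAMES = 512, NAME_LEN = 256 };
struct raw_dirent64 { unsigned long long d_ino; long long d_off;          /* kernel */
                      unsigned short d_reclen; unsigned char d_type; char d_name[]; };
// Raw listing using only syscalls (openat + getdents64), bypassing libc's open/readdir.
static int list_raw(const char *path, char names[][NAME_LEN], int max) {
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192]; int n = 0; long got;
    while ((got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0)
        for (long off = 0; off < got && n < max; n++) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + off);
            snprintf(names[n], NAME_LEN, "%s", d->d_name);
            off += d->d_reclen;
        }
    close(fd);
    return got < 0 ? -1 : n;
}
// Number of entries getdents64 reports that readdir() omits (-1 on error).
// Any positive result is a strong indicator that libc's readdir() is hooked.
int hidden_entry_count(const char *path) {
    static char raw[MAX_NAMES][NAME_LEN];
    int seen[MAX_NAMES] = {0}, hidden = 0;
    int nraw = list_raw(path, raw, MAX_NAMES);
    if (nraw < 0) return -1;
    DIR *dp = opendir(path);
    if (!dp) return -1;
    for (struct dirent *e; (e = readdir(dp)) != NULL;)
        for (int i = 0; i < nraw; i++)
            if (strcmp(raw[i], e->d_name) == 0) seen[i] = 1;
    closedir(dp);
    for (int i = 0; i < nraw; i++)
        if (!seen[i]) { hidden++; printf("hidden from readdir(): %s/%s\n", path, raw[i]); }
    return hidden;
}

int main(int argc, char **argv) {  // usage: ./check <dir>; exit 1 if hidden entries exist
    int h = hidden_entry_count(argc > 1 ? argv[1] : "/");
    return h < 0 ? 2 : (h > 0);
}
```

A hook that also wraps libc's syscall() function would evade this check, so on a suspect appliance the comparison is a triage signal, not a substitute for the disk-image analysis recommended below.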
The primary commands executed by OVERSTEP include:
- dobackshell: Initiates a reverse shell connection to the attacker's server.
- dopasswords: Archives sensitive files for exfiltration.
Recommended Actions for Organizations
Organizations using SonicWall SMA appliances should undertake immediate investigations to ascertain if they have been compromised. Key recommendations include:
- Acquiring disk images for forensic analysis.
- Resetting all credentials, including passwords and OTP bindings.
- Engaging with SonicWall for guidance on mitigating the threat.
Researchers emphasize the importance of analyzing disk images for indicators of compromise and taking swift actions to contain and eradicate any threats detected.
For further information on the findings and recommendations, refer to the full reports by the Google Threat Intelligence Group and associated cybersecurity firms.