Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor

July 18, 2025, 8:26 a.m.

Description

A financially motivated threat actor, UNC6148, is targeting fully patched but end-of-life SonicWall SMA 100 series appliances. It regains access with administrator credentials and one-time-password (OTP) seeds stolen during earlier intrusions, so a fully patched appliance remains exposed if those secrets were never rotated. On compromised devices the actor deploys OVERSTEP, a previously unseen persistent backdoor and user-mode rootkit that modifies the appliance's boot process so it survives reboots, steals credentials, and hides its own components by hooking standard library functions, which makes on-device inspection unreliable. How OVERSTEP is initially deployed has not been confirmed; UNC6148 may be exploiting an unknown zero-day vulnerability. The campaign has been active since at least October 2024 and is aimed at data theft and extortion, with possible ransomware deployment. OVERSTEP's functionality includes establishing reverse shells, exfiltrating passwords and other secrets stored on the appliance, and concealing itself with user-mode rootkit techniques. Organizations are advised to rotate all credentials associated with the appliance, including OTP seeds and certificates, and to follow the published recommendations, which include analysing disk images offline rather than trusting checks run on the live device.

Date

  • Created: July 18, 2025, 7:34 a.m.
  • Published: July 18, 2025, 7:34 a.m.
  • Modified: July 18, 2025, 8:26 a.m.

Indicators

  • f0e0db06ca665907770e2202957d3eccd5a070acac1debaf0889d0d48c10e149
  • b28d57269fe4cd90d1650bde5e9056116de26d211966262e59359d0e2a67d473
  • 64.52.80.80
  • 193.149.180.50

Attack Patterns

Additional Information

  • G_Backdoor_OVERSTEP_1

Linked vulnerabilities