Introduction
Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
In this new wave of activity, the actor has deployed a previously unknown persistent backdoor/user-mode rootkit, which GTIG tracks as OVERSTEP. Based on findings from Mandiant Incident Response engagements, our analysis shows this malware modifies the appliance’s boot process to maintain persistent access, steal sensitive credentials, and conceal its own components. GTIG assesses with moderate confidence that UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on opportunistically targeted SonicWall SMA appliances.
GTIG assesses with moderate confidence that UNC6148’s operations, dating back to at least October 2024, may be to enable data theft and extortion operations, and possibly ransomware deployment. An organization targeted by UNC6148 in May 2025 was posted to the “World Leaks” data leak site (DLS) in June 2025, and UNC6148 activity overlaps with publicly reported SonicWall exploitation from late 2023 and early 2024 that has been publicly linked to the deployment of Abyss-branded ransomware (tracked by GTIG as VSOCIETY).
Given the risk of recompromise using previously stolen credentials, organizations should follow the recommendations within this post to hunt for potential compromises and rotate all credentials, even if their appliances are fully patched. This blog post provides technical details on the OVERSTEP rootkit and the UNC6148 campaign to aid defenders in mitigating this threat.
Initial SMA Exploitation to Gain Administrator Credentials
Mandiant’s first observations of UNC6148 in a recent investigation showed that they already had local administrator credentials to the targeted SMA 100 series appliance, and neither forensic evidence nor other data was identified to show how those credentials were obtained. GTIG assesses with high confidence that UNC6148 exploited a known vulnerability to steal administrator credentials prior to the targeted SMA appliance being updated to the latest firmware version (10.2.1.15-81sv), based on the patching timeline and public reporting of SonicWall n-day exploitation activity throughout 2025. Analysis of network traffic metadata records suggests that UNC6148 may have initially exfiltrated these credentials from the SMA appliance as early as January 2025.
Public reporting from SonicWall and multiple security firms has highlighted several different vulnerabilities that could possibly have been exploited by UNC6148:
- CVE-2021-20038: Unauthenticated remote code execution (SonicWall advisory, Truesec report, AttackerKB entry)
  - This is a memory corruption vulnerability that can be exploited to gain code execution; however, Rapid7’s public exploit can make up to 200,000 HTTP requests and could take over an hour to execute, suggesting a widespread campaign may not take advantage of this vulnerability.
  - Truesec identified this as a plausible entry point for intrusion activity they observed in late 2023 targeting a SonicWall SMA.
- CVE-2024-38475: Unauthenticated path traversal vulnerability in Apache HTTP Server, which affected the SMA 100 series (SonicWall advisory, Orange CyberDefense/SCRT blog post)
  - This can be exploited on the SMA 100 series specifically to exfiltrate two different SQLite databases, temp.db and persist.db, which store sensitive information including user account credentials, session tokens, and OTP seed values.
  - watchTowr published a blog post in May 2025 describing how this vulnerability can be chained with another bug, CVE-2023-44221, to compromise an SMA 100 series appliance; however, we did not identify any evidence suggesting this bug chain was used by UNC6148.
- CVE-2021-20035: Authenticated remote code execution vulnerability (SonicWall advisory, Arctic Wolf report)
  - This is a command injection vulnerability in the handler for /cgi-bin/sitecustomization POST requests.
  - Arctic Wolf and SonicWall reported on this vulnerability being exploited in the wild in April 2025.
- CVE-2021-20039: Authenticated remote code execution vulnerability (SonicWall advisory, dfir.ch blog post, AttackerKB entry)
  - This is a command injection vulnerability in the request handler for /cgi-bin/viewcert.
  - dfir.ch reported this vulnerability being used to exploit SonicWall SMAs in an intrusion that led to the deployment of Abyss-branded ransomware in March 2024, with similar intrusion artifacts to Mandiant’s investigation.
- CVE-2025-32819: Authenticated file deletion vulnerability (SonicWall advisory, Rapid7 report)
  - Using a crafted HTTP request, this vulnerability can be exploited to cause a targeted SonicWall SMA to revert the built-in administrator credentials to "password", granting the attacker administrator access.
There are several different paths UNC6148 could have taken with the aforementioned vulnerabilities, or possibly a different vulnerability not mentioned here. CVE-2024-38475 would have provided local administrator credentials and valid session tokens that UNC6148 could reuse, making it an attractive target, but Mandiant was not able to confirm abuse of that vulnerability. Exploitation of the previously mentioned authenticated bugs would require UNC6148 to already have some level of credentials to the SMA appliance, making them less likely to have been abused, but still worth mentioning due to their in-the-wild exploited status. It is also possible that credentials could have been obtained through infostealer logs or credential marketplaces, but GTIG was unable to identify any direct credential exposure related to the abused SMA appliance credentials.
Subsequent SMA Compromise and OVERSTEP Deployment
Mandiant’s aforementioned investigation showed that in June 2025, UNC6148 established a Secure Sockets Layer virtual private network (SSL VPN) session on the targeted SMA 100 series appliance using the mentioned local administrator credentials from a BitLaunch (BLNWX) VPS (193.149.180.50).
Once the SSL VPN session was established, the attacker spawned a reverse shell on the targeted SMA appliance. Shell access should not be possible by design on these appliances, and Mandiant’s joint investigation with the SonicWall Product Security Incident Response Team (PSIRT) did not identify how UNC6148 established this reverse shell. It’s possible the reverse shell was established via exploitation of an unknown vulnerability by UNC6148.
Through the reverse shell, UNC6148 performed initial reconnaissance and file manipulation using a variety of built-in system binaries such as cat, chmod, cp, date, hostname, mkdir, mount, mv, and rm. Mandiant also observed the actor export and import settings to the SMA appliance, along with new network access control policy rules created for IP addresses used by UNC6148, suggesting they may have modified an exported settings file offline to include new rules for their infrastructure to ensure uninterrupted operations.
Following this initial activity, the attacker deployed the OVERSTEP backdoor. This process involved executing a series of commands to decode the binary from Base64 into the persistent /cf directory with the filename xxx.elf, moving it to /usr/lib/libsamba-errors.so.6, and ensuring persistence by adding its path to /etc/ld.so.preload.
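The ld.so.preload persistence described above is also where a defender can look for it: every path listed in that file is injected into every dynamically linked process on the appliance, so a non-empty preload file is itself worth a finding. The following script is an added example for hunting, not code from GTIG, Mandiant or SonicWall. The two paths in KNOWN_IOCS are the ones named in this post; the allowlist, the sample file content and the assumption that a clean appliance has an empty or absent /etc/ld.so.preload are constructed for the example.

```python
# Added example (not GTIG's, Mandiant's or SonicWall's code): audit an
# ld.so.preload file for user-mode rootkit persistence of the kind described
# above. KNOWN_IOCS holds the two paths from the post; everything else here
# (allowlist, sample content, the "clean == empty or absent" assumption) is
# constructed for this example.
import hashlib
import os
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# File paths named in the post for the OVERSTEP deployment.
KNOWN_IOCS: FrozenSet[str] = frozenset({
    "/usr/lib/libsamba-errors.so.6",
    "/cf/xxx.elf",
})

PRELOAD_RELPATH = "etc/ld.so.preload"


@dataclass
class Finding:
    path: str
    reason: str
    sha256: Optional[str] = None  # filled in only when the file is readable


def parse_preload(content: str) -> List[str]:
    """Return the library paths listed in an ld.so.preload file.

    The glibc loader reads whitespace-separated entries; ':' is also
    treated as a separator so LD_PRELOAD-style lists parse the same way.
    """
    return [p for p in content.replace(":", " ").split() if p]


def hash_file(path: str) -> Optional[str]:
    """SHA-256 of a file on disk, or None if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        return None


def audit_preload(content: str,
                  allowlist: FrozenSet[str] = frozenset(),
                  root: Optional[str] = None) -> List[Finding]:
    """Flag each preloaded library that is a known indicator or not allowlisted.

    If `root` is given (e.g. the mount point of a forensic image), the
    referenced file is hashed under that root so the digest can be compared
    against other appliances or shared with the vendor.
    """
    findings: List[Finding] = []
    for path in parse_preload(content):
        if path in KNOWN_IOCS:
            reason = "matches OVERSTEP indicator from the report"
        elif path not in allowlist:
            reason = "preloaded library not on the allowlist"
        else:
            continue
        digest = None
        if root:
            digest = hash_file(os.path.join(root, path.lstrip("/")))
        findings.append(Finding(path, reason, digest))
    return findings


def audit_image(root: str = "/",
                allowlist: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Audit the preload file under `root`; an absent file preloads nothing.

    Prefer an offline image over the live box: the post notes the malware
    conceals its own components, so a hooked libc may hide the entry.
    """
    preload_file = os.path.join(root, PRELOAD_RELPATH)
    if not os.path.exists(preload_file):
        return []
    with open(preload_file, encoding="utf-8", errors="replace") as fh:
        return audit_preload(fh.read(), allowlist, root=root)


# Constructed sample: the file as it would read after the deployment steps
# described above (a single entry, the renamed OVERSTEP binary).
SAMPLE_PRELOAD = "/usr/lib/libsamba-errors.so.6\n"


if __name__ == "__main__":
    for f in audit_preload(SAMPLE_PRELOAD):
        print(f"[!] {f.path}: {f.reason}")
    for f in audit_image("/"):
        print(f"[!] {f.path}: {f.reason} sha256={f.sha256}")
```

Run it against a mounted image with `audit_image("/mnt/sma")` so that both the preload file and the hashed library come from the offline copy; the empty default allowlist means any entry at all is reported, which matches the expectation that these appliances do not ship with preloaded libraries.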