SonicWall SMA devices hacked with OVERSTEP rootkit tied to ransomware

A threat actor has been deploying a previously unseen malware known as OVERSTEP that modifies the boot process of fully-patched but no longer supported SonicWall Secure Mobile Access appliances.

The backdoor is a user-mode rootkit that allows hackers to hide malicious components, maintain persistent access on the device, and steal sensitive credentials.

Researchers at Google Threat Intelligence Group (GTIG) observed the rootkit in attacks that may have relied on “an unknown, zero-day remote code execution vulnerability”.

The threat actor is tracked as UNC6148 and has been operating since at least last October, with an organization being targeted as recently as May.

Because data stolen from the victim was later published on the World Leaks (Hunters International rebrand) data-leak site, GTIG researchers believe that UNC6148 engages in data theft and extortion attacks, and may also deploy Abyss ransomware (tracked as VSOCIETY by GTIG).

Hackers come prepared

The hackers are targeting end-of-life (EoL) SonicWall SMA 100 Series devices that provide secure remote access to enterprise resources on the local network, in the cloud, or in hybrid datacenters.

It’s unclear how the hackers obtained initial access, but researchers investigating UNC6148 attacks noticed that the threat actor already had local administrator credentials on the targeted appliance.

“GTIG assesses with high confidence that UNC6148 exploited a known vulnerability to steal administrator credentials prior to the targeted SMA appliance being updated to the latest firmware version (10.2.1.15-81sv)” – Google Threat Intelligence Group

Looking at the network traffic metadata, the investigators found evidence suggesting that UNC6148 had stolen the credentials for the targeted appliance in January.

Several n-day vulnerabilities (CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, CVE-2025-32819) could have been exploited to this effect, the oldest of them disclosed in 2021 and the newest being from May 2025.

Of these, the hackers may have exploited CVE-2024-38475 because it provides “local administrator credentials and valid session tokens that UNC6148 could reuse.”

However, incident responders at Mandiant (a Google company) couldn’t confirm that the attacker exploited the vulnerability.

Reverse-shell mystery

In an attack in June, UNC6148 used the local admin credentials to connect to the targeted SMA 100 series appliance over an SSL-VPN session.

The hackers started a reverse shell, although shell access should not be possible by design on these appliances.

SonicWall’s Product Security Incident Response Team (PSIRT) tried to determine how this was possible but couldn’t come up with an explanation; one answer could be the exploitation of an unknown security issue.

With shell access on the appliance, the threat actor ran reconnaissance and file manipulation actions, and imported settings that included new network access control policy rules to allow the hacker’s IP addresses.

OVERSTEP rootkit leaves no clues

After this, UNC6148 deployed the OVERSTEP rootkit through a series of commands that decoded the binary from base64 and planted it as a .ELF file.

“Following the installation, the attacker manually cleared the system logs before restarting the appliance, activating the OVERSTEP backdoor” – Google Threat Intelligence Group

OVERSTEP acts as a backdoor that establishes a reverse shell and steals passwords from the host. It also implements user-mode rootkit capabilities to keep its components hidden on the host.

The rootkit component gave the threat actor long-term persistence by loading and executing malicious code every time a dynamically linked executable starts.

OVERSTEP’s anti-forensic feature lets the attacker selectively delete log entries and thus cover their tracks. This capability, together with the lack of command history on disk, denied researchers visibility into the threat actor’s post-compromise activity.

However, GTIG warns that OVERSTEP can steal sensitive files such as the persist.db database and certificate files, which give hackers access to credentials, OTP seeds, and certificates that enable persistence.

While researchers can’t determine the true purpose of UNC6148’s attacks, they highlight “noteworthy overlaps” between this threat actor’s activity and analyses of incidents where Abyss-related ransomware was deployed.

In late 2023, Truesec researchers investigated an Abyss ransomware incident that occurred after hackers deployed a web shell on an SMA appliance, added a hiding mechanism, and established persistence across firmware updates.

A few months later, in March 2024, InfoGuard AG incident responder Stephan Berger published a post describing a similar compromise of an SMA device that ended with the deployment of the same Abyss malware.

Organizations with SMA appliances are advised to check the devices for potential compromise by acquiring disk images, which should prevent interference from the rootkit.
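The following added example shows one defender-side way to act on that recommendation: triaging an acquired disk image offline, where a user-mode rootkit on the live system cannot hide its files. It is not GTIG's, SonicWall's or the article's code. It assumes the image is mounted read-only at a directory you supply, and it assumes the rootkit is loaded through the dynamic loader's preload list (etc/ld.so.preload), which is a common way for code to run in every dynamically linked process; the article does not state OVERSTEP's exact mechanism, so that is an assumption of the example. All file names in the constructed sample image are placeholders, not real indicators from the report.

```python
"""Offline triage of a mounted appliance disk image for user-mode rootkit
persistence.  Added example; assumes a read-only mount at `root` and a
preload-list loading mechanism (an assumption, not the article's claim)."""
import os
import tempfile

# Directories where a legitimately preloaded shared object would normally
# live.  Assumption for the example; tune to the appliance's own layout.
STANDARD_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
ELF_MAGIC = b"\x7fELF"


def _in_image(root, abs_path):
    """Map an absolute path in the image's namespace onto the mount point."""
    return os.path.join(root, abs_path.lstrip("/"))


def read_preload_list(root):
    """Return the shared objects listed in etc/ld.so.preload of the image.
    The loader maps every entry into each dynamically linked process it
    starts, which is the persistence property the article describes."""
    preload = os.path.join(root, "etc", "ld.so.preload")
    if not os.path.isfile(preload):
        return []
    with open(preload, "r", errors="replace") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]


def assess_preload_entry(root, entry):
    """Classify one preload entry: present in the image, an ELF object, and
    located under a standard library directory.  Anything else is flagged."""
    on_disk = _in_image(root, entry)
    exists = os.path.isfile(on_disk)
    is_elf = False
    if exists:
        with open(on_disk, "rb") as fh:
            is_elf = fh.read(4) == ELF_MAGIC
    standard = any(entry.startswith(d + "/") for d in STANDARD_LIB_DIRS)
    return {"path": entry, "exists": exists, "is_elf": is_elf,
            "standard_dir": standard,
            "suspicious": not (exists and is_elf and standard)}


def find_stray_elf(root, scratch_dirs=("tmp", "var/tmp", "dev/shm")):
    """List ELF files under scratch directories of the image (where dropped
    binaries commonly land), in the image's own absolute-path form."""
    found = []
    for rel in scratch_dirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, rel)):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    with open(full, "rb") as fh:
                        if fh.read(4) == ELF_MAGIC:
                            found.append("/" + os.path.relpath(full, root))
                except OSError:
                    continue
    return sorted(found)


def triage(root):
    """Run both checks against one mounted image and return the findings."""
    entries = [assess_preload_entry(root, e) for e in read_preload_list(root)]
    return {"preload": entries, "stray_elf": find_stray_elf(root)}


def build_sample_image():
    """Constructed sample image (placeholder names, not real artifacts):
    one legitimate-looking preload entry, one planted under /tmp, and a
    dropped ELF binary in /tmp."""
    root = tempfile.mkdtemp(prefix="sma_image_")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9  # header stub only
    put("usr/lib/libexample.so", fake_elf)   # placeholder legitimate library
    put("tmp/.cache/libhook.so", fake_elf)    # placeholder planted object
    put("tmp/update.bin", fake_elf)           # placeholder dropped binary
    put("etc/ld.so.preload", b"/usr/lib/libexample.so\n/tmp/.cache/libhook.so\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample_image())
    for e in result["preload"]:
        print(("SUSPICIOUS " if e["suspicious"] else "ok         ") + e["path"])
    for p in result["stray_elf"]:
        print("ELF in scratch dir:", p)
```

Run against a real image by calling `triage("/mnt/sma_image")` (or whatever your mount point is) instead of the constructed sample; because the checks read the mounted filesystem rather than asking the suspect system, a rootkit's file-hiding hooks have no effect on the result.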

GTIG provides a set of indicators of compromise along with the signs analysts should look for to determine whether a device was hacked.
