A threat actor that may be financially motivated has been targeting SonicWall appliances with a new piece of malware, Google’s Threat Intelligence Group warned on Wednesday.
The threat actor, tracked by Google as UNC6148, has been around since at least October 2024. The hackers’ malware can enable data theft, extortion and ransomware deployment, but the researchers have not been able to definitively confirm that they are financially motivated.
It’s worth noting that the lines between state-sponsored hacker attacks and financially motivated cybercrime have become increasingly blurry.
UNC6148 has been observed targeting SonicWall’s Secure Mobile Access (SMA) 100 series remote access appliances. Google’s Threat Intelligence Group is aware of a limited number of targeted organizations and it has been unable to determine the initial access vector.
According to investigations conducted as part of incident response engagements by Google’s Mandiant unit, the compromised SonicWall devices had been fully patched. However, the researchers do not believe that a SonicWall SMA 100 zero-day has been exploited for initial access.
Instead, they believe the attackers previously exploited one of several known vulnerabilities to obtain local administrator credentials that could later be used to access the devices, even if they had been fully patched in the meantime.
UNC6148 had plenty of vulnerabilities to choose from to obtain admin credentials for the targeted SMA appliance, including CVE-2025-32819, CVE-2024-38475, CVE-2021-20035, CVE-2021-20038, and CVE-2021-20039. All of these security holes are known to have been exploited in the wild.
With the obtained credentials, the attackers established an SSL-VPN session on the targeted SMA appliance and spawned a reverse shell.
“Shell access should not be possible by design on these appliances, and Mandiant’s joint investigation with the SonicWall Product Security Incident Response Team (PSIRT) did not identify how UNC6148 established this reverse shell,” Google explained. “It’s possible the reverse shell was established via exploitation of an unknown vulnerability by UNC6148.”
After performing reconnaissance on the compromised system, the attackers deployed previously unknown malware that has been named Overstep.
The malware has been described as a persistent backdoor and user-mode rootkit that can covertly modify the compromised device’s boot process for persistence. Overstep enables the theft of credentials, session tokens and one-time password seeds.
However, the threat actor’s efforts to cover its tracks, including the removal of log files, have prevented the Google researchers from identifying notable activities on compromised devices.
While there is no clear evidence that the attackers are attempting to monetize their access to hacked SonicWall devices, the researchers have found some links to World Leaks, the successor of the Hunters International ransomware operation, as well as ties to other ransomware. It’s not uncommon for SonicWall devices to be targeted by ransomware groups.
Google has shared indicators of compromise (IoCs) and detection rules to help organizations identify and block potential UNC6148 attacks.