A threat actor identified as UNC6148 has been using a newly discovered malware strain called OVERSTEP to compromise SonicWall Secure Mobile Access (SMA) devices that, while fully patched, are no longer supported.
The malware operates as a user-mode rootkit that enables attackers to hide malicious files, maintain long-term access, and extract sensitive credentials. Google’s Threat Intelligence Group (GTIG) reported that the malware modifies the device’s boot process and may have been delivered through a previously unknown zero-day remote code execution flaw.
UNC6148 has been active since at least October 2024, with evidence of recent activity as of May 2025. Some of the data stolen in these operations later surfaced on the World Leaks site, a platform linked to the Hunters International group, suggesting that the attackers engage in both data theft and extortion. GTIG also believes they may deploy Abyss ransomware, which it tracks under the name VSOCIETY.
The attackers appear to be targeting SonicWall SMA 100 Series appliances that offer secure remote access to enterprise environments. These devices have reached end-of-life status, making them more vulnerable to exploitation.
Although it is not fully clear how UNC6148 initially gained access, the attackers possessed local administrator credentials for the targeted devices. GTIG found indications that the credentials may have been compromised as far back as January 2025. The threat actor could have exploited several known vulnerabilities, including CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. CVE-2024-38475 is of particular interest, as it could grant access to administrator credentials and valid session tokens, although this remains unconfirmed.
In one case observed in June, UNC6148 connected to an SMA device via an SSL-VPN session using the stolen credentials and launched a reverse shell, despite such access not being possible by design. SonicWall’s Product Security Incident Response Team (PSIRT) could not determine how this occurred, suggesting that an unknown vulnerability may have been used.
Once inside, the attackers performed system reconnaissance, manipulated files, and changed network policies to whitelist their IP addresses. They then deployed the OVERSTEP rootkit by decoding a base64-encoded binary and planting it on the device as an ELF file. This rootkit opened a reverse shell, stole credentials, and remained hidden by loading its malicious code into every dynamically linked binary each time one was executed.
OVERSTEP also includes anti-forensic features that let attackers delete specific log entries to avoid detection. These capabilities, along with the absence of command history, made it difficult for researchers to analyze UNC6148’s full activity after gaining access.
GTIG warns that the rootkit can steal critical files such as persist.db and certificate data, exposing credentials, one-time password seeds, and other security information that could ensure continued access.
Although the group’s ultimate goals remain unclear, GTIG points to significant similarities between UNC6148’s behavior and past incidents involving Abyss ransomware. For instance, researchers from Truesec and InfoGuard AG reported attacks in late 2023 and early 2024 in which Abyss ransomware was deployed after compromising SMA appliances through persistent web shells and hidden malware.
The overlapping tactics suggest UNC6148 may be behind those events as well.