[Image: The ports on SonicWall SMA 100 series appliances. Credit: SonicWall / PhotoMosh]

Google spots tailored backdoor malware aimed at SonicWall appliances

Threat actors are stealing sensitive data from organizations by breaching end-of-life appliances made by cybersecurity company SonicWall. 

Incident responders from Google Threat Intelligence Group (GTIG) and Mandiant said on Wednesday that they have uncovered an ongoing campaign by an unidentified threat group that leverages credentials and one-time password (OTP) seeds stolen during previous intrusions — allowing the hackers to regain access to organizations even after security updates are installed. 

A Google spokesperson said the company does not have enough data to determine where the threat actors are based, what their motives are or how many total victims there are. The researchers refer to the group as UNC6148 in the report on the campaign, which they said dates back to October 2024. 

Google said the actors may be financially motivated because at least one organization targeted in May was eventually posted on the "World Leaks" data-leak site in June and other past activity surfaced links to the Abyss ransomware gang. But the researchers warned that they “cannot rule out coincidental overlap at this time.”

The campaign is targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. Google explained that the malware the hackers are using removes log entries, making it difficult to figure out how they initially gained access to a system. 

SonicWall did not respond to Recorded Future News’ request for comment, but Google said it worked with the company’s Product Security Incident Response Team to investigate several incidents. 

Google said the campaign extends beyond the incidents they investigated directly and added that SonicWall has “confirmed reports of other impacted organizations.” The company noted that SonicWall updated an advisory for a bug tracked as CVE-2024-38475 in light of Google’s findings. 

“As an added security measure, we strongly advise customers to reset the OTP (One-Time Password) binding for all users. This step ensures that any potentially compromised or stale OTP secrets are invalidated, thereby mitigating unauthorized access risks,” SonicWall said in the update to the advisory. 

Overstepping

One novel aspect of the campaign is the use of a backdoor called OVERSTEP, which modifies the SonicWall appliance’s boot process to maintain persistent access, steal sensitive credentials and conceal the malware’s own components.

Incident responders struggled to track other activities by the hackers because OVERSTEP allowed them to delete logs and largely cover their tracks. 

OVERSTEP is specifically designed for SonicWall SMA 100 series appliances, according to Google.

In addition to CVE-2024-38475, Google and Mandiant experts floated several potential vulnerabilities the hackers may have used to gain initial access, including CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039 and CVE-2025-32819. 

Beyond those, Google theorized that the hackers may have used an unknown zero-day vulnerability to deploy the malware on targeted SonicWall SMA appliances.

“Mandiant's first observations of UNC6148 in a recent investigation showed that they already had local administrator credentials to the targeted SMA 100 series appliance, and no forensic evidence nor other data was identified to show how those credentials were obtained,” the report said. 

“GTIG assesses with high confidence that UNC6148 exploited a known vulnerability to steal administrator credentials prior to the targeted SMA appliance being updated to the latest firmware version, based on the patching timeline and public reporting of SonicWall n-day exploitation activity throughout 2025.” 

The hackers subsequently took steps to make sure they would have “privileged and persistence control of the appliance” through OVERSTEP. 

“While we did not directly observe the weaponization of this stolen data, it creates a clear path for persistent access,” the researchers said. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.