SonicWall SMA 100 Devices Under Persistent Attack: UNC6148 Deploys Stealthy OVERSTEP Rootkit
Attacks targeting outdated SonicWall SMA 100 devices have once again exposed the fragility of network perimeters often overlooked by conventional security systems. According to the Google Threat Intelligence Group (GTIG), a targeted campaign employing the OVERSTEP malware began as early as October 2024 and was orchestrated by the hacking collective UNC6148. The attacks enabled persistent control over devices—even those with the latest security patches installed.
At the heart of the compromise lies the use of previously stolen credentials and one-time passwords. These may have been exfiltrated from SMA devices as early as January 2025, granting attackers the ability to regain access even after administrators remedied known vulnerabilities. The precise initial entry point remains unclear, as all logs had been wiped. Suspected vectors include vulnerabilities CVE-2021-20035, CVE-2021-20038, CVE-2021-20039, CVE-2024-38475, and CVE-2025-32819. The possibility of credential purchases on dark markets has also been floated, though no concrete evidence supports this theory.
Once inside, the attackers initiated an SSL-VPN session and established a reverse shell—an action not possible in standard device configurations, strongly indicating the exploitation of a previously unknown zero-day vulnerability. Through the reverse shell, they scanned the system and downloaded/uploaded device settings. Experts believe the attackers manipulated exported configuration files offline, injecting malicious rules designed to evade detection or disruption during future updates.
The final phase of the intrusion involved deploying the previously undocumented implant, OVERSTEP. This sophisticated malware tampers with the device’s boot process to maintain persistence, conceal its presence, and exfiltrate sensitive data. It operates as a user-mode rootkit, intercepting standard library functions such as open and readdir to hide its artifacts. It also hooks the write function to receive command-and-control instructions embedded within web requests. These commands include dobackshell—to reestablish a reverse shell—and dopasswords—to create an archive of sensitive files, including passwords and certificates. This archive is stored in a web-accessible directory, streamlining its retrieval by attackers. To ensure persistence, OVERSTEP modifies the rc.fwboot system file, enabling automatic execution upon every reboot.
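Because OVERSTEP is described above as a user-mode rootkit that hooks readdir, one defender-side check is a cross-view comparison: list a directory once through libc's readdir() and once through the raw getdents64 syscall, then flag any entry that appears only in the second view. The C program below is an added example written for this article, not code from GTIG, SonicWall, or the malware analysis itself. It assumes a Linux host with glibc; the scratch directory and marker file used by its self-test are constructed for illustration.

```c
// Cross-view directory listing: compare the libc readdir() view of a
// directory with the raw getdents64 syscall view. A preload-style hook on
// readdir can filter the first view but not the second, so a name present
// only in the syscall view is a hiding indicator worth investigating.
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define NAME_MAX_LEN 256
#define MAX_ENTRIES  4096

/* Record layout returned by getdents64 (matches linux/dirent.h). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Directory names obtained by calling the kernel directly; -1 on error. */
static int list_via_syscall(const char *path, char names[][NAME_MAX_LEN], int max) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[32768] __attribute__((aligned(8)));
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread < 0) { close(fd); return -1; }
        if (nread == 0) break;
        for (long pos = 0; pos < nread;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            if (n < max) {
                strncpy(names[n], d->d_name, NAME_MAX_LEN - 1);
                names[n][NAME_MAX_LEN - 1] = '\0';
                n++;
            }
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Directory names obtained through libc, the view a user-mode hook can filter. */
static int list_via_readdir(const char *path, char names[][NAME_MAX_LEN], int max) {
    DIR *dir = opendir(path);
    if (!dir) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(dir)) != NULL) {
        if (n < max) {
            strncpy(names[n], e->d_name, NAME_MAX_LEN - 1);
            names[n][NAME_MAX_LEN - 1] = '\0';
            n++;
        }
    }
    closedir(dir);
    return n;
}

static int name_in(const char *name, char names[][NAME_MAX_LEN], int n) {
    for (int i = 0; i < n; i++)
        if (strcmp(name, names[i]) == 0) return 1;
    return 0;
}

/* Number of entries the kernel reports but readdir does not (copied into
 * hidden[] up to max_hidden when hidden is non-NULL); -1 if path is unreadable. */
int cross_view_hidden(const char *path, char hidden[][NAME_MAX_LEN], int max_hidden) {
    static char raw[MAX_ENTRIES][NAME_MAX_LEN];   // static: too large for the stack
    static char libc[MAX_ENTRIES][NAME_MAX_LEN];
    int nraw = list_via_syscall(path, raw, MAX_ENTRIES);
    int nlibc = list_via_readdir(path, libc, MAX_ENTRIES);
    if (nraw < 0 || nlibc < 0) return -1;
    int nhidden = 0;
    for (int i = 0; i < nraw; i++) {
        if (!name_in(raw[i], libc, nlibc)) {
            if (hidden && nhidden < max_hidden) strcpy(hidden[nhidden], raw[i]);
            nhidden++;
        }
    }
    return nhidden;
}

/* Self-check on a constructed scratch directory: without a hook installed,
 * the marker file must be visible in both views, so nothing is hidden. */
int self_test(void) {
    char dir[] = "/tmp/crossview-XXXXXX";   // constructed scratch location
    if (!mkdtemp(dir)) return 0;
    char file[sizeof dir + 16];
    snprintf(file, sizeof file, "%s/marker.txt", dir);
    int fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0) { rmdir(dir); return 0; }
    close(fd);
    char hidden[8][NAME_MAX_LEN];
    int n = cross_view_hidden(dir, hidden, 8);
    unlink(file);
    rmdir(dir);
    return n == 0;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/tmp";
    char hidden[64][NAME_MAX_LEN];
    int n = cross_view_hidden(path, hidden, 64);
    if (n < 0) { perror(path); return 2; }
    for (int i = 0; i < n && i < 64; i++) printf("hidden from readdir: %s\n", hidden[i]);
    printf("%s: %d entr%s hidden (self_test=%d)\n", path, n, n == 1 ? "y" : "ies", self_test());
    return n > 0;
}
```

Run it against directories the implant is reported to use, such as the web-accessible location where the dopasswords archive is written. Two caveats matter in practice: a hook that also covers syscall(), or a kernel-level rootkit, defeats the cross-view check, and since OVERSTEP also hooks open, any tool executed on the live device inherits the same untrusted libc. The check is a quick triage signal, not a replacement for the disk-image forensics Google recommends.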
Following deployment, the attackers purge select system logs and reboot the device to activate the malware. The log erasure is surgical, targeting files like httpd.log, http_request.log, and inotify.log, complicating post-incident investigations and leaving behind minimal forensic evidence. Analysts warn that such tactics are particularly dangerous, as they allow adversaries to maintain long-term covert access with minimal risk of exposure.
GTIG maintains moderate confidence that the campaign exploited a zero-day vulnerability enabling remote code execution. The attacks are believed to be preparatory for larger operations involving data theft, extortion, or the deployment of ransomware. Supporting this hypothesis is the appearance of victim data on the World Leaks site, affiliated with a group previously operating under the Hunters International banner.
Parallels have also been drawn between UNC6148’s methods and the July 2023 SonicWall device attacks, documented by Truesec and researcher Stefan Berger. That earlier campaign employed web shells and persistence tactics designed to survive firmware updates—techniques later linked to the Abyss ransomware.
This case underscores an alarming trend: cybercriminals are increasingly targeting edge network devices—assets often unprotected by EDR platforms or antivirus solutions. Such blind spots enable silent intrusions that may persist undetected for extended periods.
Google advises organizations to conduct disk-image-based forensics, as built-in diagnostics are insufficient to detect stealthy threats. Acquiring such images may require coordination with SonicWall.
In response, SonicWall has confirmed its cooperation with GTIG and announced an accelerated end-of-life schedule for the SMA 100 line, moving the deadline from October 2027 to December 2025. This decision reflects the current threat landscape and the company’s strategic shift toward modern solutions such as SMA 1000 and Cloud Secure Edge—platforms touted for their enhanced security and scalability, better suited for today’s evolving cyber threats.