SonicWall Warns: Trojanized NetExtender VPN Client Stealing Credentials in Active Campaign
Unknown threat actors have begun disseminating a counterfeit version of SonicWall's NetExtender VPN client, designed to steal the credentials used to access VPNs. The campaign was uncovered by experts at SonicWall and Microsoft, who detected attempts to distribute a tampered build of the NetExtender utility disguised as the official SonicWall application.
According to the companies, the attackers crafted a modified installer for NetExtender version 10.3.2.27, which visually mimicked the authentic application, thereby deceiving unsuspecting users. The critical discrepancy lay in the digital signature, which was forged to appear as though it originated from a fictitious organization named “CITYLIGHT MEDIA PRIVATE LIMITED.” The download portal hosting this malicious software was equally deceptive, closely imitating SonicWall’s legitimate website.
Victims who landed on this fraudulent site unknowingly downloaded a harmful imitation of the secure connection tool. Upon installation, the malicious software silently exfiltrated VPN configuration data—including usernames, passwords, domains, and other sensitive information—and transmitted it to a remote server controlled by the attackers.
Two core executables were altered within the installer: NeService.exe and NetExtender.exe. The former, in its genuine form, verifies the application’s digital signature and only proceeds with execution if the verification succeeds. Hackers disabled this safeguard, allowing the application to launch regardless of signature validity. The latter executable, NetExtender.exe, was implanted with code that surreptitiously transmitted stolen credentials to an external server via IP address 132.196.198.163 on port 8080.
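The two indicators in the paragraph above, the exfiltration endpoint 132.196.198.163:8080 and the signer name "CITYLIGHT MEDIA PRIVATE LIMITED", are what a defender can hunt for. The script below is an added example written for this article, not code from SonicWall or Microsoft. It scans firewall-style log lines for outbound connections to the reported address (flagging an exact IP and port match as high severity and a connection to the same IP on any other port as medium) and classifies the subject of an installer's code-signing certificate. The log format and the sample lines are constructed; the expected-signer substring is an assumption and must be confirmed against a known-good NetExtender installer before use.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Indicators reported for the campaign (taken from the article).
C2_IP = "132.196.198.163"
C2_PORT = 8080
FRAUDULENT_SIGNER = "CITYLIGHT MEDIA PRIVATE LIMITED"

# Assumption: the legitimate signer subject contains the vendor name.
# Confirm the exact subject string on a known-good installer first.
EXPECTED_SIGNER_SUBSTRING = "SONICWALL"

# Constructed key=value firewall log format; adapt the regex to your source.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    severity: str  # "high" = IP and port match, "medium" = IP only
    line: str


def find_c2_connections(lines: Iterable[str]) -> list[Alert]:
    """Return an Alert for every parseable line whose destination is the C2 IP."""
    alerts: list[Alert] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed or unrelated line; skip rather than crash
        if m["dst"] != C2_IP:
            continue
        dport = int(m["dport"])
        severity = "high" if dport == C2_PORT else "medium"
        alerts.append(Alert(m["src"], m["dst"], dport, severity, line.strip()))
    return alerts


def classify_signer(subject: str) -> str:
    """Classify a code-signing certificate subject as known_bad, expected or unexpected."""
    s = subject.upper()
    if FRAUDULENT_SIGNER in s:
        return "known_bad"
    if EXPECTED_SIGNER_SUBSTRING in s:
        return "expected"
    return "unexpected"


# Constructed sample log lines (documentation-range IP for the benign entry).
SAMPLE_LOG = [
    "2025-06-23T09:14:02Z fw01 src=10.1.4.22 dst=203.0.113.10 dport=443 proto=tcp action=allow",
    "2025-06-23T09:15:37Z fw01 src=10.1.4.22 dst=132.196.198.163 dport=8080 proto=tcp action=allow",
    "2025-06-23T09:16:10Z fw01 src=10.1.7.9 dst=132.196.198.163 dport=443 proto=tcp action=allow",
    "2025-06-23T09:17:55Z fw01 heartbeat ok",
]

# Constructed certificate subjects as a signature tool would print them.
SAMPLE_SIGNERS = [
    "CN=CITYLIGHT MEDIA PRIVATE LIMITED, O=CITYLIGHT MEDIA PRIVATE LIMITED, C=IN",
    "CN=SonicWall Inc., O=SonicWall Inc., C=US",
    "CN=Example Corp, O=Example Corp, C=US",
]

if __name__ == "__main__":
    for alert in find_c2_connections(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.src} -> {alert.dst}:{alert.dport}")
    for subject in SAMPLE_SIGNERS:
        print(f"{classify_signer(subject):>11}  {subject}")
```

Because the attackers can re-register domains and obtain a fresh certificate, the IP and signer strings above will age quickly; the durable check is the last branch of `classify_signer`: any NetExtender installer whose signer is not the expected vendor should be treated as suspect, whatever name it carries.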
Though the malicious websites have since been taken offline and the counterfeit certificate revoked, the threat remains far from extinguished. Security analysts warn that adversaries can effortlessly register new domains and redeploy similar campaigns. These types of attacks are particularly dangerous for enterprise SonicWall users, as compromised credentials may grant attackers direct access to protected networks—eliminating the need to exploit system vulnerabilities or breach devices.
SonicWall appliances and services have long been prime targets for both cybercriminals and nation-state espionage actors. Past incidents have documented the deployment of spyware, targeted intrusions, and data theft facilitated via SonicWall infrastructure. This latest method, leveraging a counterfeit NetExtender, allows adversaries to bypass many traditional defenses by using legitimate—albeit stolen—credentials to gain entry.
SonicWall has yet to disclose the full scope of the breach or the number of affected users. Nonetheless, the incident stands as a stark reminder of the critical importance of downloading security tools exclusively from verified, official sources. Even trusted encryption and protection utilities can become vectors of compromise if obtained from untrusted origins.