Google Threat Intelligence Group (GTIG) has uncovered a sophisticated campaign by the financially motivated threat actor UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
The campaign leverages previously stolen credentials and one-time password (OTP) seeds to maintain persistent access even after security updates, with evidence suggesting the deployment of a previously unknown backdoor called OVERSTEP through a potential zero-day remote code execution vulnerability.
Advanced Rootkit Capabilities Hide Malicious Activity
OVERSTEP represents a significant evolution in appliance-targeted malware, functioning as both a persistent backdoor and user-mode rootkit specifically designed for SonicWall SMA 100 series devices.
The malware modifies the appliance’s boot process by injecting itself into the INITRD image and leveraging the /etc/ld.so.preload file to ensure persistence across reboots.
The sophisticated rootkit employs LD_PRELOAD hijacking to intercept standard library functions including open, open64, readdir, readdir64, and write.
This technique enables OVERSTEP to conceal its components from directory listings and restrict access to critical system files.
The malware’s primary backdoor functionality operates through the hijacked write function, which monitors for specific command strings like “dobackshell” and “dopasswords” embedded within web requests.
When activated, OVERSTEP can establish reverse shells and exfiltrate sensitive data, including persist.db, a database containing user credentials, session tokens, and OTP seed values.
The malware creates TAR archives of these sensitive files and places them in web-accessible directories with permissive permissions, enabling easy retrieval by attackers.
Extensive Campaign Linked to Data Extortion Operations
GTIG assessments indicate that UNC6148 operations date back to at least October 2024, with moderate confidence that the campaign aims to facilitate data theft and extortion operations, potentially leading to ransomware deployment.
Evidence supporting this assessment includes an organization targeted in May 2025 that subsequently appeared on the “World Leaks” data leak site in June 2025.
The campaign exhibits notable overlaps with previously reported SonicWall exploitation activities that led to the deployment of Abyss-branded ransomware, suggesting potential connections to the VSOCIETY threat group.
OVERSTEP appears to be a direct evolution of the wafxSummary tool previously reported by security researchers.
GTIG recommends that organizations running SMA appliances take immediate action, including comprehensive forensic analysis using disk images to bypass rootkit anti-forensic capabilities.
Critical mitigation steps include resetting all credentials and OTP bindings, revoking certificates, and implementing enhanced monitoring for VPN sessions from external IP addresses, particularly those originating from low-reputation networks.
Indicators of Compromise (IOCs)
Host-Based IOCs
| Path(s) | SHA256 Hash | Description |
| /cf/xxx.elf, /cf/libsamba-errors.so.6, /usr/lib/libsamba-errors.so.6 | b28d57269fe4cd90d1650bde5e9056116de26d211966262e59359d0e2a67d473 | OVERSTEP |
| /etc/rc.d/rc.fwboot | f0e0db06ca665907770e2202957d3eccd5a070acac1debaf0889d0d48c10e149 | Modified legitimate boot RC file |
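The persistence mechanism described above (an /etc/ld.so.preload entry loading the rootkit library) and the recommendation to analyse a disk image rather than the live appliance come together in a small offline triage script. The following is an added example written for this article; it is not GTIG's or SonicWall's tooling. It assumes the appliance image is mounted read-only at a directory passed as `root`, that a clean appliance has no /etc/ld.so.preload at all, and that the only known-bad hashes are the two from the IOC table. Because the script reads the mounted image from a trusted host, the rootkit's hooked libc on the appliance cannot hide files from it.

```python
"""Offline triage of a mounted SMA 100 disk image for OVERSTEP-style
ld.so.preload persistence and known-bad file hashes.
Added example; not GTIG's or SonicWall's tooling."""
import hashlib
import os
import tempfile

# SHA256 hashes and paths copied from the published IOC table.
IOC_HASHES = {
    "b28d57269fe4cd90d1650bde5e9056116de26d211966262e59359d0e2a67d473": "OVERSTEP",
    "f0e0db06ca665907770e2202957d3eccd5a070acac1debaf0889d0d48c10e149": "modified rc.fwboot",
}
IOC_PATHS = [
    "cf/xxx.elf",
    "cf/libsamba-errors.so.6",
    "usr/lib/libsamba-errors.so.6",
    "etc/rc.d/rc.fwboot",
]


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def read_preload(root):
    """Return library paths listed in <root>/etc/ld.so.preload (empty if absent).
    Assumption: a clean appliance has no such file, so any entry is notable."""
    p = os.path.join(root, "etc", "ld.so.preload")
    if not os.path.isfile(p):
        return []
    with open(p, "r", errors="replace") as f:
        return [ln.strip() for ln in f if ln.strip() and not ln.startswith("#")]


def triage_image(root, ioc_hashes=IOC_HASHES, ioc_paths=IOC_PATHS):
    """Return (severity, detail) findings for an image mounted at root."""
    findings = []

    def classify(rel):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            return "missing", None
        digest = sha256_file(full)
        return ("match", ioc_hashes[digest]) if digest in ioc_hashes else ("unknown", digest)

    reported = set()
    # 1. Preload persistence: every listed library is suspect on this appliance.
    for lib in read_preload(root):
        rel = lib.lstrip("/")
        findings.append(("high", f"ld.so.preload loads {lib}"))
        state, info = classify(rel)
        if state == "match":
            findings.append(("critical", f"{lib} matches IOC hash ({info})"))
        elif state == "unknown":
            findings.append(("medium", f"{lib} present; sha256 {info} not in IOC list"))
        else:
            findings.append(("medium", f"{lib} listed but absent from image"))
        reported.add(rel)

    # 2. Known IOC paths: rc.fwboot is legitimate unless its hash matches;
    #    the /cf paths come from the IOC table, so their presence alone is notable.
    for rel in ioc_paths:
        if rel in reported:
            continue
        state, info = classify(rel)
        if state == "match":
            findings.append(("critical", f"/{rel} matches IOC hash ({info})"))
        elif state == "unknown" and rel.startswith("cf/"):
            findings.append(("high", f"/{rel} present; sha256 {info} not in IOC list"))
    return findings


def build_constructed_image(root, payload=b"constructed sample, not real malware"):
    """Lay out a constructed (not real) image: a preload entry and its library."""
    os.makedirs(os.path.join(root, "etc"), exist_ok=True)
    os.makedirs(os.path.join(root, "usr", "lib"), exist_ok=True)
    with open(os.path.join(root, "etc", "ld.so.preload"), "w") as f:
        f.write("/usr/lib/libsamba-errors.so.6\n")
    with open(os.path.join(root, "usr", "lib", "libsamba-errors.so.6"), "wb") as f:
        f.write(payload)
    return hashlib.sha256(payload).hexdigest()


def run_demo():
    """Build a throwaway image and triage it against the IOC table plus the
    constructed sample's own hash (so the match path is exercised offline)."""
    with tempfile.TemporaryDirectory() as root:
        digest = build_constructed_image(root)
        return triage_image(root, {**IOC_HASHES, digest: "constructed sample"})


if __name__ == "__main__":
    for severity, detail in run_demo():
        print(f"[{severity}] {detail}")
```

Against a real image, call `triage_image("/mnt/sma_image")` with the default IOC table; a preload entry is the finding that matters even when the hash does not match, since the IOC list covers only the samples GTIG has seen.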