UNC6148 threat actor actively targets outdated and patched SonicWall devices

Google’s Threat Intelligence Group (GTIG) has uncovered an ongoing campaign by a financially motivated threat actor tracked as UNC6148, targeting SonicWall Secure Mobile Access (SMA) 100 series appliances that are both fully patched and end-of-life.

According to GTIG, the group is leveraging stolen credentials and one-time password (OTP) seeds to regain access to devices even after security updates have been applied. The malware used in the campaign appears to delete log entries selectively. The researchers believe the intrusion likely began with the exploitation of known vulnerabilities.
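Because the report says the malware removes log entries selectively rather than wiping logs outright, the practical defensive check is to compare the appliance's on-box log against a copy forwarded off the device and to look for jumps in any monotonic sequence counter. The following is an added example written for this article, not code from GTIG or SonicWall; the "timestamp seq=N message" line shape and the sample events are constructed assumptions, since the page does not describe the appliance's real log format.

```python
import re

# Constructed sample: events as received by an off-box collector (SIEM/syslog).
# The "timestamp seq=N message" layout is an assumption for illustration only.
FORWARDED_COPY = """\
2025-05-02T10:00:01Z seq=101 admin login success user=admin src=198.51.100.7
2025-05-02T10:00:14Z seq=102 vpn session established user=admin
2025-05-02T10:00:20Z seq=103 config change: access control rule added
2025-05-02T10:00:31Z seq=104 scheduled task started
""".splitlines()

# Constructed sample: the same log as read back from the appliance itself,
# where the two entries that would expose the intrusion have been removed.
LOCAL_COPY = """\
2025-05-02T10:00:01Z seq=101 admin login success user=admin src=198.51.100.7
2025-05-02T10:00:31Z seq=104 scheduled task started
""".splitlines()

SEQ_RE = re.compile(r"\bseq=(\d+)\b")


def sequence_gaps(lines):
    """Return (expected, found) pairs wherever the sequence counter skips ahead.

    A gap in a counter that should increase by one per entry is evidence that
    entries were dropped after they were written, which is exactly the kind of
    selective deletion the report describes.
    """
    gaps = []
    prev = None
    for line in lines:
        m = SEQ_RE.search(line)
        if not m:
            continue  # lines without a counter cannot be checked this way
        seq = int(m.group(1))
        if prev is not None and seq != prev + 1:
            gaps.append((prev + 1, seq))
        prev = seq
    return gaps


def missing_locally(local, forwarded):
    """Lines the off-box collector received but the on-box log no longer holds.

    This works even when the log carries no counter: as long as events were
    forwarded in near real time, anything later removed on the appliance still
    exists in the forwarded copy.
    """
    present = set(local)
    return [line for line in forwarded if line not in present]


if __name__ == "__main__":
    print("sequence gaps on appliance:", sequence_gaps(LOCAL_COPY))
    for line in missing_locally(LOCAL_COPY, FORWARDED_COPY):
        print("removed on-box:", line)
```

The sequence check needs only the on-box log, but it depends on the log actually carrying a counter; the comparison against a forwarded copy does not, which is why shipping appliance logs to an external collector before an incident is the control that makes this detection possible at all.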

GTIG assesses with moderate confidence that UNC6148 has been conducting operations since at least October 2024, likely to support data theft, extortion, and potentially ransomware deployment. In one instance, a victim targeted by UNC6148 in May 2025 appeared on the ‘World Leaks’ data leak site in June 2025. Additionally, UNC6148 activity overlaps with publicly reported exploitation of SonicWall vulnerabilities from late 2023 to early 2024, which has been linked to the deployment of Abyss-branded ransomware (tracked by GTIG as VSOCIETY).

As part of the observed campaign, the threat actor deploys a backdoor tracked as OVERSTEP, designed to provide persistent access, steal credentials, and conceal its presence by manipulating system processes and file access. It can modify the boot process and hooks system functions to hide its components from detection. The observed samples were compiled as a 32-bit ELF shared object for the Intel x86 architecture.
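The one concrete file-level property the report gives for OVERSTEP is its build profile: a 32-bit ELF shared object for Intel x86. That is coarse, but it is enough for a first-pass triage filter when sorting binaries pulled from an appliance image. The code below is an added example written for this article, not code from GTIG; it reads only the standard ELF identification bytes and the `e_type`/`e_machine` fields, and the sample header it builds is constructed, not a real malware sample.

```python
import struct

# ELF header constants (from the ELF specification).
ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
EM_386, EM_X86_64, EM_ARM, EM_AARCH64 = 3, 62, 40, 183
EM_NAMES = {EM_386: "x86", EM_X86_64: "x86-64", EM_ARM: "arm", EM_AARCH64: "aarch64"}


def classify_elf(data: bytes) -> dict:
    """Parse the ELF identification and type/machine fields of a file image.

    Returns the bitness, object type and architecture, plus a flag saying
    whether the file matches the build profile the report gives for OVERSTEP
    (32-bit, shared object, x86). A match is a triage hint, not an indicator
    of compromise: plenty of legitimate libraries share that profile.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[EI_CLASS], data[EI_DATA]
    endian = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}.get(ei_data)
    if endian is None:
        raise ValueError("unknown ELF data encoding")
    # e_type and e_machine are the two 16-bit fields directly after e_ident.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    bits = {ELFCLASS32: 32, ELFCLASS64: 64}.get(ei_class)
    info = {
        "bits": bits,
        "type": ET_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
    }
    info["matches_reported_build_profile"] = (
        bits == 32 and e_type == 3 and e_machine == EM_386
    )
    return info


def build_elf32_header(e_type: int, e_machine: int, ei_class: int = ELFCLASS32) -> bytes:
    """Construct a minimal little-endian ELF header for testing the parser.

    This is a synthetic 52-byte header with no sections or segments; it exists
    only so the example runs offline without any real binary.
    """
    ident = ELF_MAGIC + bytes([ei_class, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack("<HHIIIIIHHHHHH", e_type, e_machine, 1, 0, 0, 0, 0,
                       52, 0, 0, 0, 0, 0)
    return ident + rest


if __name__ == "__main__":
    for label, hdr in [
        ("32-bit x86 shared object", build_elf32_header(3, EM_386)),
        ("32-bit x86 executable", build_elf32_header(2, EM_386)),
        ("64-bit x86-64 shared object", build_elf32_header(3, EM_X86_64, ELFCLASS64)),
    ]:
        print(label, "->", classify_elf(hdr))
```

On a real triage pass you would feed `classify_elf` the first 64 bytes of each file in the appliance filesystem and hand only the matching candidates to deeper analysis (strings, imports, hashing against vendor indicators); the flag alone should never be treated as a detection.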

GTIG says that UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on opportunistically targeted SonicWall SMA appliances.

The researchers believe the group may have exploited a combination of known and possibly unknown vulnerabilities, including CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819.

The threat actor was observed using stolen administrator credentials to establish secure VPN sessions and deploy a reverse shell on targeted appliances, followed by modifications to system settings and access control rules, likely to preserve attacker access.
