Threat Actor Deploys ‘OVERSTEP’ Backdoor in Ongoing SonicWall SMA Attacks
Summary
Researchers have linked an ongoing campaign against SonicWall Secure Mobile Access (SMA) 100 series appliances to the threat actor tracked as UNC6148. The attackers are deploying a previously unseen persistent backdoor and user-mode rootkit, OVERSTEP, that hooks into the appliance boot process so it is reloaded on every restart, steals credentials, hides its own files and removes the log entries that would reveal it.
SonicWall has released firmware 10.2.2.2-92sv, which adds file checks intended to detect and remove known rootkits. Google Threat Intelligence Group (GTIG) and CISA recommend immediate mitigation for organisations running affected SMA devices.
Key Points
- UNC6148 is exploiting SonicWall SMA 100 series appliances and deploying a persistent backdoor named OVERSTEP.
- OVERSTEP acts as a user-mode rootkit: it alters the boot flow so it survives restarts, hides its components on disk, deletes log entries that would expose it and exfiltrates credentials.
- The initial access vector is not confirmed. The attackers may have used credentials and OTP seeds stolen in earlier intrusions, and possibly an as-yet-unknown zero-day remote code execution flaw, to deploy the backdoor.
- Several older CVEs (CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039 and CVE-2025-32819) are noted as previously exploited weaknesses in SMA 100 appliances that could be chained in similar campaigns, so an appliance still on an older build is exposed regardless of this campaign.
- SonicWall recommends upgrading to firmware 10.2.2.2-92sv. Because a rootkit that edits its own traces may survive an in-place update, CISA and the researchers also advise rebuilding affected appliances rather than patching in place, resetting OTP bindings, enforcing MFA, rotating all passwords and replacing any certificates stored on the devices, which should be treated as exposed.
- Indicators of compromise include deleted or missing SMA log entries, unexpected reboots, admin sessions that persist without explanation, unexplained configuration changes, and attacker access that returns after patching or credential resets.
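As an added example (not code from the article, SonicWall or GTIG), the following Python triages an exported appliance log for the indicators listed above: holes where entries were deleted, unscheduled reboots, an admin session that keeps acting after a reboot, and changes to the settings the mitigations say to reset. The line format, event names and sample lines are constructed for the illustration and do not match the real SMA export, so parse_line() has to be adapted to your own data; the gap threshold is an assumed value to tune against the appliance's normal traffic.

```python
"""Triage an exported SMA appliance log for OVERSTEP-style indicators:
gaps where log entries were removed, unexpected reboots, admin sessions
that outlive a reboot, and changes to sensitive settings.

Added example, not code from the article, SonicWall or GTIG. The line
format is CONSTRUCTED for illustration and is NOT the real SMA syslog
schema; adapt parse_line() to the export you actually have.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical format: "<iso-timestamp> <EVENT> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

GAP_THRESHOLD = timedelta(hours=4)   # assumed; tune to the appliance's normal traffic
SENSITIVE_ITEMS = {"otp_binding", "firmware", "admin_user", "certificate"}

# Constructed sample export: a sensitive change by an admin session, a
# ~7h hole in the log, an unscheduled reboot, and the same admin session
# making a change after the reboot without logging in again.
SAMPLE_LOG = """\
2025-07-10T08:00:05 AUTH user=alice src=203.0.113.5 result=ok
2025-07-10T08:30:12 ADMIN_LOGIN user=admin src=198.51.100.20 session=s1
2025-07-10T09:00:00 CONFIG_CHANGE user=admin item=otp_binding session=s1
2025-07-10T09:05:41 AUTH user=bob src=203.0.113.9 result=ok
2025-07-10T16:00:00 AUTH user=carol src=203.0.113.7 result=ok
2025-07-10T16:20:00 REBOOT reason=unscheduled
2025-07-10T16:25:00 CONFIG_CHANGE user=admin item=firmware session=s1
2025-07-10T17:00:00 AUTH user=alice src=203.0.113.5 result=ok
"""


def parse_line(line):
    """Parse one constructed-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(KV_RE.findall(m.group("rest")))
    ev["ts"] = datetime.fromisoformat(m.group("ts"))
    ev["event"] = m.group("event")
    return ev


def parse_log(text):
    """Parse every matching line; unparseable lines are skipped."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def find_indicators(events, gap_threshold=GAP_THRESHOLD):
    """Return (kind, detail) findings in log order. Events must be time-sorted."""
    findings = []
    prev_ts = None
    live_sessions = set()    # admin sessions logged in and not yet logged out
    stale_sessions = set()   # sessions that were live when a reboot happened
    for ev in events:
        ts, kind = ev["ts"], ev["event"]
        # 1. A hole in the timeline: the rootkit deletes log entries, so a
        #    long silence on a busy appliance needs an explanation.
        if prev_ts is not None and ts - prev_ts > gap_threshold:
            findings.append(("log_gap", f"{prev_ts.isoformat()} -> {ts.isoformat()}"))
        prev_ts = ts
        sid = ev.get("session")
        if kind == "ADMIN_LOGIN":
            live_sessions.add(sid)
        elif kind == "ADMIN_LOGOUT":
            live_sessions.discard(sid)
        elif kind == "REBOOT":
            # 2. Reboots nobody scheduled are listed among the indicators.
            if ev.get("reason") != "scheduled":
                findings.append(("unexpected_reboot", ts.isoformat()))
            # A reboot should invalidate every admin session; remember which
            # ones were live so their reuse afterwards can be flagged.
            stale_sessions |= live_sessions
            live_sessions.clear()
        elif kind == "CONFIG_CHANGE":
            # 3. Session reused across a reboot without a fresh login.
            if sid in stale_sessions:
                findings.append(("persistent_admin_session", f"{sid} at {ts.isoformat()}"))
            # 4. Changes to the settings the mitigations tell you to reset.
            if ev.get("item") in SENSITIVE_ITEMS:
                findings.append(("sensitive_config_change", f"{ev.get('item')} by {ev.get('user')}"))
    return findings


def indicator_counts(text, gap_threshold=GAP_THRESHOLD):
    """Counts per finding kind for a raw log export."""
    return Counter(kind for kind, _ in find_indicators(parse_log(text), gap_threshold))


if __name__ == "__main__":
    for kind, detail in find_indicators(parse_log(SAMPLE_LOG)):
        print(f"{kind:26s} {detail}")
```

Run against the sample it reports five findings. A long gap on its own is weak evidence (an overnight quiet period looks the same), which is why the script reports it alongside the reboot and session-reuse signals rather than as a verdict; any hit still means checking the device against the rebuild and reset guidance, because a rootkit that edits its own logs will not leave you a tidy timeline.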
Context and relevance
This campaign continues a pattern in which attackers combine stolen credentials with chained vulnerabilities to gain long-term access to network gateway devices. Secure remote access appliances like SonicWall SMA are high-value targets because they bridge remote users to internal resources; a persistent backdoor on one of them sits in the path of every remote session and can enable broad lateral movement and long-term data theft.
For security teams and IT managers the story is timely: many SMA 100 devices are approaching end of support, so they may receive no further fixes and are more exposed. The combination of credential theft, device persistence and rootkit-style stealth raises the risk profile significantly for organisations still running affected appliances.
Why should I read this?
Short version: if you run SonicWall SMA kit, this is not optional skimming. OVERSTEP gives attackers admin-level persistence with log hiding, exactly the kind of foothold that ruins weekends and boardroom meetings. Read this to know what to look for and what to do now: update the firmware, rebuild if compromise is suspected, reset OTP bindings and enforce MFA.
Author style
Punchy: this is an urgent, operational alert. The detail matters because the article names specific mitigations and CVEs and makes clear that patching alone may not remove a stealthy rootkit. If you manage SMA appliances, treat this as high priority and follow the recommended rebuild and reset steps rather than assuming an update alone is enough.