A threat actor has been deploying a previously unseen malware called OVERSTEP that modifies the boot process of fully patched but no longer supported SonicWall Secure Mobile Access appliances.

The backdoor is a user-mode rootkit that allows hackers to hide malicious components, maintain persistent access on the device, and steal sensitive credentials.

Researchers at Google Threat Intelligence Group (GTIG) observed the rootkit in attacks that may have relied on “an unknown, zero-day remote code execution vulnerability”.

The hackers are targeting end-of-life (EoL) SonicWall SMA 100 Series devices that provide secure remote access to enterprise resources on the local network, in the cloud, or in hybrid datacenters.

The threat actor is tracked as UNC6148 and has been operating since at least last October, with an organization being targeted as recently as May.

It is unclear how the hackers obtained initial access, but researchers investigating UNC6148 attacks noticed that the threat actor already had local administrator credentials on the targeted appliance. Looking at the network traffic metadata, the investigators found evidence suggesting that UNC6148 had stolen the credentials for the targeted appliance in January.

With shell access on the appliance, the threat actor ran reconnaissance and file manipulation activities, and imported settings that included new network access control policy rules to allow the hacker’s IP addresses.

The rootkit component gave the threat actor long-term persistence by loading and executing malicious code each time a dynamic executable starts. GTIG also warns that OVERSTEP can steal sensitive files such as the persist.db database and certificate files, which give hackers access to credentials, OTP seeds, and certificates that allow persistence.

Because files stolen from the victim were later published on the World Leaks (Hunters International rebrand) data-leak site, GTIG researchers believe that UNC6148 engages in data theft and extortion attacks, and may also deploy Abyss ransomware (tracked as VSOCIETY by GTIG).

While researchers cannot determine the true purpose of UNC6148’s attacks, they highlight “noteworthy overlaps” between this threat actor’s activity and the analysis of incidents where Abyss-related ransomware was deployed.

In late 2023, Truesec researchers investigated an Abyss ransomware incident that occurred after hackers deployed a web shell, a hiding mechanism, and persistence across firmware updates on an SMA appliance.
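The two technical points above, a rootkit that gets loaded into every dynamically linked executable and the theft or tampering of files such as persist.db and certificates, translate into two checks an analyst can run over an offline disk image of an appliance. The script below is an added example written for this article, not code from GTIG, Truesec or SonicWall. It assumes a Linux userland in which "loaded on every dynamic executable start" is achieved through the dynamic loader's preload list (/etc/ld.so.preload); the article does not say how OVERSTEP achieves this, so that is an assumption. The image layout, the file paths under etc/cert, the library name and the hash baseline are all constructed for the example.

```python
"""Offline triage of a mounted appliance disk image for two indicators:
a library injected into every dynamic executable via the loader preload
list, and tampering with sensitive files (persist.db, certificates).

Assumption (not stated in the article): the preload list is the mechanism
used, so /etc/ld.so.preload inside the image is what gets inspected.
"""
import hashlib
import tempfile
from pathlib import Path

# Directories a legitimate preload entry would normally come from.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Files the article names as theft/tamper targets; the relative paths
# inside the image are constructed for this example.
SENSITIVE_FILES = ("etc/persist.db", "etc/cert/server.crt", "etc/cert/server.key")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_preload(image_root: Path) -> list[str]:
    """Flag preload entries outside the trusted library directories, or
    entries whose target library is absent from the image."""
    findings = []
    preload = image_root / "etc/ld.so.preload"
    if not preload.exists():
        return findings
    for raw in preload.read_text(errors="replace").splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        in_trusted = any(entry.startswith(d + "/") for d in TRUSTED_LIB_DIRS)
        target = image_root / entry.lstrip("/")
        if not in_trusted:
            findings.append(f"preload entry outside trusted dirs: {entry}")
        elif not target.exists():
            findings.append(f"preload entry missing from image: {entry}")
    return findings


def check_integrity(image_root: Path, baseline: dict[str, str]) -> list[str]:
    """Compare the sensitive files against a known-good SHA-256 baseline."""
    findings = []
    for rel in SENSITIVE_FILES:
        p = image_root / rel
        if not p.exists():
            findings.append(f"missing: {rel}")
            continue
        expected = baseline.get(rel)
        if expected is None:
            findings.append(f"no baseline for: {rel}")
        elif sha256_of(p) != expected:
            findings.append(f"hash mismatch: {rel}")
    return findings


def triage(image_root: Path, baseline: dict[str, str]) -> list[str]:
    return check_preload(image_root) + check_integrity(image_root, baseline)


def build_sample_image() -> tuple[Path, dict[str, str]]:
    """Construct a fake image root (sample data only): take a baseline of the
    clean state, then simulate one rogue preload entry and one modified
    settings database."""
    root = Path(tempfile.mkdtemp(prefix="sma_img_"))
    clean = {
        "etc/persist.db": b"original settings db",
        "etc/cert/server.crt": b"-----BEGIN CERTIFICATE-----\nsample\n",
        "etc/cert/server.key": b"-----BEGIN PRIVATE KEY-----\nsample\n",
        "lib/libc.so.6": b"\x7fELF",
    }
    for rel, content in clean.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    baseline = {rel: sha256_of(root / rel) for rel in SENSITIVE_FILES}
    # Post-compromise state: a trusted entry plus one from a scratch directory,
    # and an ACL rule appended to the settings database.
    (root / "etc/ld.so.preload").write_text("/lib/libc.so.6\n/tmp/.cache/libunknown.so\n")
    (root / "etc/persist.db").write_bytes(b"original settings db + injected acl rule")
    return root, baseline


if __name__ == "__main__":
    sample_root, sample_baseline = build_sample_image()
    for finding in triage(sample_root, sample_baseline):
        print(finding)
```

On a real case the baseline would come from a known-good image of the same firmware version rather than from the image under investigation, and the hash mismatch on persist.db should be followed by a diff of the exported settings to locate the added access control rules described above.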
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 16 Jul 2025 15:35:11 +0000