July 16, 2025 By Ionut Ilascu

A threat actor has been deploying a previously unseen malware called OVERSTEP that modifies the boot process of fully patched but no longer supported SonicWall Secure Mobile Access (SMA) appliances.
The backdoor is a user-mode rootkit that lets the attackers hide their malicious components, maintain persistent access to the device, and steal sensitive credentials.
Researchers at Google Threat Intelligence Group (GTIG) observed the rootkit in attacks that may have relied on “an unknown, zero-day remote code execution vulnerability”.
The threat actor, tracked as UNC6148, has been active since at least October 2024, and one organization was targeted as recently as May 2025.
Because files stolen from that victim were later published on the World Leaks data-leak site (a rebrand of Hunters International), GTIG researchers assess that UNC6148 conducts data-theft and extortion attacks. The group may also deploy Abyss ransomware, which GTIG tracks as VSOCIETY.