Campaign
SonicWall SMA persistence operation
Updated 24.09.2025 16:00
Case score 59
Summary: Campaign against SonicWall SMA appliances using OVERSTEP for persistence and concealment.
First seen 24.09.2025 16:00
Last seen 24.09.2025 16:00
Overview
UNC6148 is actively targeting **SonicWall SMA** appliances with **OVERSTEP**, a persistent backdoor and user-mode rootkit that maintains access to remote-access infrastructure and hides operator activity.
Available evidence points to credentials and one-time password (OTP) seeds stolen in earlier breaches as the initial access vector, and some intrusions may have used an unknown zero-day remote code execution (RCE) flaw. SonicWall has issued firmware guidance for **SMA 100 series** devices and detection advice focused on log gaps, unexpected reboots, unexplained admin sessions, and unauthorized configuration changes.
UNC6148 is compromising SonicWall Secure Mobile Access (SMA) appliances to keep a foothold on remote-access infrastructure that fronts on-premises, cloud-based, and hybrid applications.
At the center of the intrusion chain is OVERSTEP, a persistent backdoor and user-mode rootkit that modifies the appliance boot process and can steal credentials, conceal its own files and components, delete log entries, and otherwise hide operator activity. Available evidence also points to credentials and one-time password seeds stolen in earlier breaches; a stolen OTP seed lets the attacker generate valid one-time codes, so the OTP check alone does not stop these logins. Some intrusions may instead have used an unknown zero-day remote code execution flaw to load the payload on opportunistically targeted devices.
SonicWall has issued firmware guidance for SMA 100 series appliances, pointing to version 10.2.2.2-92sv, which is intended to remove known rootkit malware. The vendor and Google Threat Intelligence Group advise hunting for SMA log gaps or deletions, unexpected reboots, persistent or unexplained admin sessions, and unauthorized configuration changes. Two caveats follow from the malware's capabilities: because OVERSTEP hides files and deletes log entries on the appliance, a clean on-box review is not conclusive and logs forwarded to an external collector are the more trustworthy record; and because credentials and OTP seeds were stolen, updating firmware without rotating those credentials and re-provisioning OTP seeds leaves the actor a way back in. Available evidence does not quantify how many appliances were compromised, and for each intrusion it remains unclear whether initial access came from stolen credentials, OTP abuse, or a newly used exploit.
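The detection advice above, turned into triage logic over appliance logs, as an added example that is not SonicWall's or GTIG's code. Everything in it is constructed: the line layout matched by `LINE_RE`, the sample log, the source allowlist, the approved-admin set and the 30-minute silence and one-hour reboot-lookback thresholds are assumptions, so the parser and thresholds must be adapted to real SMA exports. It flags sequence-number and time gaps (what log deletion leaves behind), boot events no operator requested, admin sessions and configuration changes that continue after a reboot without a fresh login, admin logins from unlisted sources, and changes by accounts outside the approved set.

```python
# Triage of appliance logs for the indicators named above: log gaps, unexpected reboots,
# unexplained admin sessions, unauthorized config changes. Added example, not SonicWall/GTIG code.
from __future__ import annotations

import re
from collections import namedtuple
from datetime import datetime, timedelta

# Assumed, constructed line layout; real SMA exports differ, so LINE_RE must be adapted to them.
LINE_RE = re.compile(r'^(\S+) seq=(\d+) category=(\w+) msg="([^"]*)"$')
Event = namedtuple("Event", "ts seq category msg")

# Constructed sample (RFC 5737 addresses): a seq/time gap, a reboot nobody requested, an admin
# session and a config change that outlive the reboot without re-auth, and an unlisted admin source.
SAMPLE_LOG = """\
2025-09-20T01:00:00 seq=100 category=system msg="Heartbeat"
2025-09-20T01:10:00 seq=101 category=system msg="Heartbeat"
2025-09-20T01:20:00 seq=102 category=auth msg="Admin login user=admin src=203.0.113.5"
2025-09-20T01:30:00 seq=103 category=system msg="Heartbeat"
2025-09-20T03:45:00 seq=140 category=system msg="System boot completed"
2025-09-20T03:50:00 seq=141 category=auth msg="Admin session active user=admin src=203.0.113.5"
2025-09-20T03:55:00 seq=142 category=config msg="Configuration changed by=admin"
2025-09-20T04:00:00 seq=143 category=auth msg="Admin login user=backupadmin src=198.51.100.9"
2025-09-20T04:02:00 seq=144 category=config msg="Configuration changed by=backupadmin"
2025-09-20T04:10:00 seq=145 category=system msg="Heartbeat"
"""

def parse_log(text: str) -> list[Event]:
    events = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, seq, cat, msg = m.groups()
        events.append(Event(datetime.fromisoformat(ts), int(seq), cat, msg))
    return sorted(events, key=lambda e: (e.ts, e.seq))

def _field(msg: str, key: str) -> str | None:
    m = re.search(rf"\b{key}=(\S+)", msg)
    return m.group(1) if m else None

def _is_boot(e: Event) -> bool:
    return e.category == "system" and "boot completed" in e.msg.lower()

def find_log_gaps(events: list[Event], max_silence=timedelta(minutes=30)) -> list[str]:
    """Missing sequence numbers, or silence beyond the heartbeat cadence (what deletion leaves)."""
    out = []
    for prev, cur in zip(events, events[1:]):
        if cur.seq - prev.seq > 1:
            out.append(f"seq gap {prev.seq}->{cur.seq} before {cur.ts.isoformat()}")
        if cur.ts - prev.ts > max_silence:
            out.append(f"silence {prev.ts.isoformat()} -> {cur.ts.isoformat()}")
    return out

def find_unexpected_reboots(events: list[Event], lookback=timedelta(hours=1)) -> list[str]:
    """Boot events with no operator reboot request or firmware upgrade within `lookback` before."""
    out = []
    for i, e in enumerate(events):
        if _is_boot(e) and not any(
            e.ts - p.ts <= lookback
            and ("reboot requested" in p.msg.lower() or "firmware upgrade" in p.msg.lower())
            for p in events[:i]
        ):
            out.append(f"unexplained reboot at {e.ts.isoformat()}")
    return out

def find_session_anomalies(events: list[Event], allowed_sources, approved_admins) -> list[str]:
    """Admin logins from unlisted sources; sessions and config changes whose actor has no login
    since the last boot (a session that outlives a reboot is a red flag); unapproved changers."""
    out, last_login, last_boot = [], {}, None
    for e in events:
        low = e.msg.lower()
        if _is_boot(e):
            last_boot = e.ts
            continue
        if e.category == "auth" and low.startswith("admin login"):
            user, src = _field(e.msg, "user"), _field(e.msg, "src")
            last_login[user] = e.ts
            if src not in allowed_sources:
                out.append(f"admin login for {user} from unlisted source {src} at {e.ts.isoformat()}")
            continue
        if e.category == "auth" and low.startswith("admin session active"):
            actor, what = _field(e.msg, "user"), "admin session"
        elif e.category == "config":
            actor, what = _field(e.msg, "by"), "config change"
            if actor not in approved_admins:
                out.append(f"config change by unapproved account {actor} at {e.ts.isoformat()}")
                continue
        else:
            continue
        login = last_login.get(actor)
        if login is None or (last_boot is not None and login < last_boot):
            out.append(f"{what} for {actor} at {e.ts.isoformat()} with no login since last boot")
    return out

def triage(log_text: str, allowed_sources, approved_admins) -> dict[str, list[str]]:
    """Run every check over one log export; findings are keyed by check name."""
    events = parse_log(log_text)
    return {"log_gaps": find_log_gaps(events),
            "unexpected_reboots": find_unexpected_reboots(events),
            "session_and_config": find_session_anomalies(events, allowed_sources, approved_admins)}
```

Calling `triage(SAMPLE_LOG, {"203.0.113.5"}, {"admin"})` returns the findings keyed by check: two gap findings, one unexplained reboot, and four session or configuration findings for the constructed sample. Because OVERSTEP deletes on-box log entries, feed this the copy forwarded to an external collector rather than the appliance's own log store, and treat a gap as a lead to corroborate, not as proof on its own.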