UNC6148 OVERSTEP malware activity on SonicWall SMA 100 devices
Malware Activity
Summary
UNC6148 has used the OVERSTEP rootkit against SonicWall SMA 100 series appliances, including SMA 210, 410, and 500v, to keep persistent access and hide activity on remote-access devices. Researchers said the malware modifies the appliance boot process, can steal sensitive credentials and OTP seeds, and may have been delivered with an unknown zero-day RCE. SonicWall has since released 10.2.2.2-92sv to add file checking and help remove known rootkit malware, while warning that SMA 100 devices reach end-of-support on Oct. 1, 2025.
Related Happenings
Federal civilian executive branch agency hit by network compromise
Incident
First: 24.04.2026 23:34
Last: 24.04.2026 23:34
Sources 1
About this happening:
A **federal civilian executive branch agency** was compromised in an **early September 2025** intrusion that left attackers with persistent access on **Cisco Firepower** and **Sec...
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
Vulnerability
First: 24.04.2026 20:06
Last: 24.04.2026 20:06
Sources 1
About this happening:
**Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
FIRESTARTER malware on Cisco ASA and FTD devices
Malware Activity
First: 23.04.2026 15:00
Last: 23.04.2026 15:00
Sources 1
About this happening:
CISA has published analysis of **FIRESTARTER**, a malware strain that enables **remote access and control** on **Cisco Firepower** and **Secure Firewall** devices, raising the ris...
Latest development: 24.04.2026 23:34
CISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources 1
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
F5 BIG-IP APM active exploitation wave (CVE-2025-53521)
Exploitation Wave
First: 02.04.2026 11:25
Last: 02.04.2026 11:25
Sources 1
About this happening:
As of **2026-04-02**, ongoing attacks are exploiting **CVE-2025-53521** against **F5 BIG-IP APM** systems, leaving more than **14,000** exposed online and at risk of remote code e...
Timeline
- 24.09.2025 16:00 · 1 article
SonicWall releases SMA 100 firmware update for rootkit removal
Mitigation / Patch Update: SonicWall released a firmware update for SonicWall Secure Mobile Access (SMA) 100 series products, including SMA 210, SMA 410, and SMA 500v, to add file checking and help remove known rootkit malware present on the SMA devices. SonicWall strongly recommends upgrading to 10.2.2.2-92sv, and the advisory also warns that SMA 100 devices reach end-of-support on Oct. 1.
Sources:
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00
- 23.09.2025 16:15 · 2 articles
UNC6148 OVERSTEP malware activity on SonicWall SMA 100 devices
Initial Disclosure: In **July**, researchers observed **UNC6148** deploying **OVERSTEP** on **end-of-life SonicWall SMA 100** devices. The devices were nearing **end-of-support on October 1, 2025**, which increased the operational risk of persistent compromise.
Sources:
- SonicWall releases SMA100 firmware update to wipe rootkit malware — www.bleepingcomputer.com — 23.09.2025 16:15