UNC6148 SonicWall SMA exploitation campaign
Campaign
Summary
The UNC6148 campaign against SonicWall SMA appliances is ongoing and is enabling persistent access on targeted devices. The operation uses OVERSTEP, a persistent backdoor/user-mode rootkit, to hide activity, steal credentials, and keep footholds. The campaign matters because it appears to abuse stolen credentials and possibly an unknown zero-day RCE to compromise enterprise remote-access systems.
Cases
Related Happenings
CISA and NCSC-UK China-nexus covert device networks advisory
Advisory/Mitigation
First: 23.04.2026 15:00
Last: 23.04.2026 15:00
Sources 1
About this happening:
**CISA** and **NCSC-UK** released a new advisory warning organizations about **Chinese government-linked** covert networks built from **compromised devices**. The guidance says we...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances
Malware Activity
First: 18.02.2026 12:32
Last: 18.02.2026 12:32
Sources 1
About this happening:
**BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...
SonicWall MySonicWall cloud backup breach exposing firewall backup files
Data Leak
First: 29.01.2026 19:57
Last: 29.01.2026 19:57
Sources 1
About this happening:
**SonicWall** said a **state-sponsored threat actor** stole **firewall configuration backup files** from its **MySonicWall cloud backup service** in a **September** security breac...
FortiGate FortiCloud SSO authentication bypass active exploitation wave
Exploitation Wave
First: 16.12.2025 12:58
Last: 16.12.2025 12:58
Sources 1
About this happening:
**FortiGate** appliances are in an active exploitation wave after attackers began abusing **CVE-2025-59718** and **CVE-2025-59719** less than a week after disclosure. **Arctic Wol...
Timeline
24.09.2025 16:00 2 articles · 8mo ago
SonicWall discloses UNC6148 OVERSTEP activity against SMA 100 appliances
Initial Disclosure
SonicWall released a firmware update for SonicWall Secure Mobile Access (SMA) 100 series appliances to help remove known rootkit malware, while Google Threat Intelligence Group attributed an ongoing campaign against SonicWall SMA to UNC6148 and described deployment of the OVERSTEP backdoor/user-mode rootkit to maintain persistent access, steal credentials, and hide activity. The guidance points customers to version 10.2.2.2-92sv and advises looking for SMA log gaps or deletions, unexpected reboots, persistent or unexplained admin sessions, and unauthorized configuration changes.
- Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks — www.darkreading.com — 24.09.2025 16:00