Particle.news

Researchers Expose OVERSTEP Rootkit on End-of-Life SonicWall VPNs

GTIG released indicators of compromise with detection guidance after confirming UNC6148 exploited patched SMA 100 series VPNs to install a stealth boot-process rootkit.

Overview

  • UNC6148 exploited fully patched, end-of-life SonicWall SMA 100 series VPN appliances to deploy OVERSTEP, a stealth backdoor rootkit that modifies the boot process.
  • OVERSTEP embeds in the appliance’s startup sequence, ensuring persistent admin-level access and concealment of malicious components.
  • The rootkit’s anti-forensic capabilities allow attackers to selectively delete log entries, hindering forensic investigation.
  • Google Threat Intelligence Group and Mandiant published indicators of compromise and detection guidance, urging organizations to audit, patch or decommission end-of-life SMA 100 series devices immediately.
  • Analysis indicates UNC6148 likely reused stolen administrator credentials or exploited a zero-day vulnerability to infiltrate appliances, with stolen files from a May 2025 breach surfacing on the World Leaks data-leak site in June.