
A threat actor is deploying a previously unseen malware called OVERSTEP that modifies the boot process of fully patched SonicWall Secure Mobile Access (SMA) appliances that SonicWall no longer supports.
The backdoor is a user-mode rootkit that lets hackers hide malicious components, maintain persistent access to the device, and steal sensitive credentials.
Researchers at the Google Threat Intelligence Group (GTIG) observed the rootkit in attacks that may rely on "an unknown, zero-day remote code execution vulnerability".
The threat actor is tracked as UNC6148 and has been active since at least last October, with an organization targeted as recently as May.
Because files stolen from a victim were later published on the World Leaks (a Hunters International rebrand) data-leak site, GTIG researchers believe that UNC6148 is engaged in data theft and extortion attacks, and may also deploy Abyss ransomware, which GTIG tracks as VSOCIETY.
Hackers come prepared
The hackers are targeting end-of-life (EOL) SonicWall SMA 100 series appliances, which sit on local networks and provide secure remote access to enterprise resources in cloud or hybrid data centers.
It is not clear how the hackers achieved initial access, but researchers investigating the UNC6148 attacks noted that the threat actor already had local administrator credentials for the targeted appliance.
"GTIG assesses with high confidence that UNC6148 exploited a known vulnerability to steal administrator credentials before the targeted SMA appliance was updated to the latest firmware version (10.2.1.15-81SV)" – Google Threat Intelligence Group
Based on network traffic metadata, investigators found evidence that UNC6148 stole credentials from a targeted appliance in January.
Several N-day vulnerabilities (CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, CVE-2025-32819) could have been exploited to this effect; the oldest of them was disclosed in 2021 and the most recent in May 2025.
Of these, the hackers may have exploited CVE-2024-38475, as it "provides local administrator credentials and legitimate session tokens that UNC6148 can reuse."
However, Mandiant (a Google company) incident responders did not confirm that the attacker exploited this vulnerability.
Reverse-shell mystery
In an attack in June, UNC6148 used local administrator credentials to establish an SSL-VPN session on the targeted SMA 100 series appliance.
The hackers then started a reverse shell, although shell access should not be possible by design on these devices.
SonicWall's Product Security Incident Response Team (PSIRT) tried to determine how this was possible but could not come up with an explanation; one possible answer is that an unknown security issue was exploited.
With shell access on the device, the threat actor carried out reconnaissance and file manipulation, and imported settings that included new network access control policy rules allowing the hacker's IP address.
OVERSTEP rootkit leaves no trace
Subsequently, UNC6148 deployed the OVERSTEP rootkit through a series of commands that base64-decoded the binary and wrote it to disk as an ELF file.
"After installation, the attacker manually cleared the system logs before restarting the appliance, activating the OVERSTEP backdoor" – Google Threat Intelligence Group
OVERSTEP acts as a backdoor that installs a reverse shell and steals passwords from the host. It also uses user-mode rootkit capabilities to hide its components on the host.
The rootkit component gives the threat actor long-term persistence by loading and executing malicious code every time a dynamically linked executable starts.
OVERSTEP's anti-forensic features allow the attacker to remove log entries and thus cover their tracks. This capability, together with the absence of command history on the disk, limited visibility into the threat actor's post-compromise activity.
However, GTIG warns that OVERSTEP can steal sensitive files such as the persist.db database and certificate files, which give the hackers access to credentials, OTP seeds and certificates that enable persistence.
While researchers cannot determine the exact objective of UNC6148's attacks, they highlight "notable overlaps" between this threat actor's activity and incidents where Abyss-related ransomware was deployed.
At the end of 2023, Truesec researchers investigated an Abyss ransomware incident in which hackers deployed a web shell on an SMA device, hid it with a concealment mechanism, and established persistence across firmware updates.
A few months later, in March 2024, InfoGuard AG incident responders published a post describing a similar compromise of an SMA device that ended with the deployment of the same Abyss malware.
Organizations with SMA appliances are advised to check them for possible compromise by acquiring disk images, which should prevent the rootkit from interfering with the analysis.
GTIG provides a set of indicators of compromise along with detection signatures, so that analysts can check whether a device was hacked.
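The recommendation above is to analyze an acquired disk image offline, so the rootkit cannot hide files or edit logs while you look. The following triage script is an added example and is not code from GTIG, SonicWall or the original article. It walks an extracted image, hashes every file against an IoC list (the hash here is a placeholder computed from a constructed sample; substitute the hashes GTIG published), flags ELF binaries dropped under writable directories, and reports silent stretches or backwards jumps in timestamped log lines, which is what deleted log entries tend to leave behind. The directory names, the log line format and the sample data are all constructed for the example.

```python
"""Offline triage of an extracted appliance disk image (added example; hypothetical)."""
import hashlib
import re
import tempfile
from datetime import datetime
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# Constructed sample standing in for a known-bad binary. Its hash is computed
# here only so the example runs offline; real IoC hashes come from GTIG's
# published list, never from this script.
SAMPLE_BAD_CONTENT = ELF_MAGIC + b"constructed-sample-not-real-malware"
KNOWN_BAD_SHA256 = {
    hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest(): "PLACEHOLDER: known-bad binary",
}

# Hypothetical log line format: ISO timestamp, a space, free-form message.
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (.*)$")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_image(root: Path, writable_dirs=("tmp", "var")) -> list:
    """Report IoC hash matches and ELF binaries under directories that should
    not hold executables (assumed names; adjust to the real filesystem layout)."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        digest = sha256_file(path)
        if digest in KNOWN_BAD_SHA256:
            findings.append(("ioc_hash", rel, KNOWN_BAD_SHA256[digest]))
        with path.open("rb") as fh:
            magic = fh.read(4)
        if magic == ELF_MAGIC and rel.split("/")[0] in writable_dirs:
            findings.append(("elf_in_writable_dir", rel, digest))
    return findings


def find_log_gaps(lines, max_gap_seconds=3600) -> list:
    """Flag gaps longer than max_gap_seconds and out-of-order timestamps between
    consecutive entries; a cleared log leaves a silent stretch that needs explaining."""
    gaps = []
    prev = None  # (line number, timestamp) of the last parsed entry
    for lineno, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
        if prev is not None:
            delta = (ts - prev[1]).total_seconds()
            if delta < 0:
                gaps.append(("out_of_order", prev[0], lineno, delta))
            elif delta > max_gap_seconds:
                gaps.append(("gap", prev[0], lineno, delta))
        prev = (lineno, ts)
    return gaps


# Constructed log excerpt: roughly 4.5 hours of silence before a reboot.
SAMPLE_LOG = [
    "2025-06-01T10:00:00 session opened for admin",
    "2025-06-01T10:00:05 config import: access policy updated",
    "2025-06-01T10:00:06 config import complete",
    "2025-06-01T14:30:00 system reboot",
    "2025-06-01T14:31:00 services started",
]


def build_sample_image() -> Path:
    """Create a throwaway directory tree that mimics an extracted image (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="sma_image_"))
    (root / "tmp").mkdir()
    (root / "usr" / "bin").mkdir(parents=True)
    (root / "tmp" / "dropped.elf").write_bytes(SAMPLE_BAD_CONTENT)
    (root / "usr" / "bin" / "legit").write_bytes(ELF_MAGIC + b"vendor binary")
    (root / "tmp" / "notes.txt").write_bytes(b"plain text")
    return root


def triage(root: Path, log_lines) -> dict:
    return {"files": scan_image(root), "log_gaps": find_log_gaps(log_lines)}


if __name__ == "__main__":
    report = triage(build_sample_image(), SAMPLE_LOG)
    for finding in report["files"]:
        print("file:", *finding)
    for gap in report["log_gaps"]:
        print("log:", *gap)
```

On a real image, point `triage` at the mounted root and feed it the appliance's log files line by line; a hash hit is conclusive, while an ELF in a writable directory or a multi-hour log gap around a reboot is a lead to explain, not proof on its own.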