Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor
ID: f9cb8ae3-baf8-53e5-a0d1-7b9e88f5a2fa
STIX ID: report--f9cb8ae3-baf8-53e5-a0d1-7b9e88f5a2fa
Feed Name: Threat Intelligence
Google Threat Intelligence Group and Mandiant report that UNC6148, a financially motivated actor, has been compromising SonicWall SMA 100 series appliances since at least late 2024 by leveraging stolen credentials and multiple vulnerabilities (and possibly a zero-day). The actor deploys a novel persistent user-mode rootkit named OVERSTEP that modifies the boot process, steals credentials (including OTP seeds), hides components, and enables ongoing access for data theft and extortion; at least one victim's data was posted to a leak site and activity overlaps with prior Abyss/VSOCIETY ransomware intrusions.
