Malware · Ransomware · Used by 1 actor · Exploits 6 CVEs

OVERSTEP

OVERSTEP is a custom backdoor/rootkit targeting SonicWall Secure Mobile Access (SMA) 100 series appliances, including the SMA 210, SMA 410, and SMA 500v. Reporting consistently describes it as a persistent backdoor and rootkit; some sources call it a user-mode rootkit, while others describe kernel-level behavior. High-confidence reporting states that it modifies the appliance boot process so that it is reloaded on every reboot, conceals its own components, can remove or hide log entries, and establishes a reverse shell on compromised devices. Its capabilities include obtaining administrator privileges without detection, executing commands, exfiltrating data, installing additional backdoors, and stealing sensitive material: credentials, session tokens, one-time password (OTP) seeds, persist.database, and certificate files.

OVERSTEP has been linked to an ongoing campaign by the financially motivated threat actor UNC6148, active since at least October 2024, against fully patched but end-of-life SonicWall SMA 100 appliances. Google Threat Intelligence Group reported that UNC6148 likely leveraged previously stolen valid administrative credentials and OTP seeds, and may also have exploited one or more known SonicWall vulnerabilities or an unknown zero-day remote code execution flaw to deploy the malware. After gaining access, the actor establishes an SSL VPN session, obtains shell access, deploys OVERSTEP, and configures persistence so that it survives reboot. The campaign has been discussed in the context of data theft, extortion, and possible ransomware operations, with some reporting noting overlaps with Abyss-related incidents and broader SonicWall intrusion activity.

Public reporting lists the following indicators of compromise.

Host artifacts (best collected from a backup image or support bundle rather than from the running appliance, since the rootkit can hide files and filter logs on the live system):
- unknown or unexpected binaries in /cf or /usr/lib
- presence of /etc/ld.so.preload on an SMA appliance (a library listed there is loaded into every dynamically linked process, which is the standard user-mode hooking mechanism and matches the user-mode rootkit description)
- unauthorized modification of /etc/rc.d/rc.fwboot
- irregular timestamps in the INITRD image
- suspicious activity in FLASH.DAT

Network and log artifacts:
- incoming web requests containing dobackshell or dopasswords
- outgoing HTTP traffic to unfamiliar external IPs
- VPN sessions from unfamiliar IPs
- unscheduled settings import/export
- manual log clearing outside maintenance windows
- gaps or deletions in SMA logs
- unexpected appliance reboots
- persistent unexplained admin sessions
- unauthorized configuration changes
- recurring access after patching or resets

Because OVERSTEP can remove its own log entries, a clean appliance log is not evidence of absence; corroborate with network telemetry and with a file inventory taken from outside the running appliance. Recurring access after patching or a reset is consistent with the actor's use of previously stolen credentials and OTP seeds, which a patch does not invalidate; those secrets have to be rotated. SonicWall released firmware updates, including version 10.2.2.2-92sv, to help detect and remove known OVERSTEP infections from SMA 100 devices.
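A minimal hunt over exported appliance artifacts, as an added example (not SonicWall's, Google Threat Intelligence Group's, or Mallory's tooling): it checks a file inventory against a clean baseline for the ld.so.preload, rc.fwboot and unexpected-binary indicators above, and scans HTTP access log lines for the dobackshell/dopasswords request markers. The inventory, baseline hashes, log lines and the library name libhypothetical_hook.so are constructed for illustration; the access log is assumed to be in Apache combined format, and the baseline is assumed to come from a clean firmware image of the same version.

```python
"""Hunt for OVERSTEP indicators in artifacts exported from a SonicWall SMA 100.

Added example, not vendor or researcher code. Inputs: a file inventory
(path -> SHA-256) from a backup image or support bundle, a baseline of the
same shape from clean firmware (assumed available), and HTTP access log
lines in Apache combined format (assumed). All sample data is constructed.
"""
import re
from dataclasses import dataclass

PRELOAD_PATH = "/etc/ld.so.preload"      # loaded into every dynamic process; not expected on a clean SMA
BOOT_SCRIPT = "/etc/rc.d/rc.fwboot"     # modified for boot-time persistence
WATCHED_DIRS = ("/cf/", "/usr/lib/")    # where unexpected binaries were reported
REQUEST_MARKERS = ("dobackshell", "dopasswords")

# Apache combined format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    source: str     # "filesystem" or "access_log"
    detail: str


def hunt_filesystem(inventory: dict, baseline: dict) -> list:
    """Compare an appliance file inventory (path -> sha256) with a clean baseline."""
    findings = []
    if PRELOAD_PATH in inventory:
        findings.append(Finding("high", "filesystem",
                                f"{PRELOAD_PATH} present (user-mode hook library loaded into every process)"))
    boot_hash = inventory.get(BOOT_SCRIPT)
    if boot_hash is not None and boot_hash != baseline.get(BOOT_SCRIPT):
        findings.append(Finding("high", "filesystem",
                                f"{BOOT_SCRIPT} hash differs from clean firmware"))
    for path in sorted(inventory):
        # Anything under the watched directories that clean firmware does not ship.
        if path.startswith(WATCHED_DIRS) and path not in baseline:
            findings.append(Finding("medium", "filesystem",
                                    f"unexpected file {path} not in clean firmware"))
    return findings


def hunt_access_log(lines) -> list:
    """Flag requests carrying the OVERSTEP command markers (case-insensitive).

    Lines that do not parse are counted and surfaced rather than dropped silently,
    because a tampered log is itself an indicator.
    """
    findings = []
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        request = m.group("request")
        hits = [k for k in REQUEST_MARKERS if k in request.lower()]
        if hits:
            detail = "{} at {}: {} in request {!r}".format(
                m.group("ip"), m.group("time"), ", ".join(hits), request)
            findings.append(Finding("high", "access_log", detail))
    if unparsed:
        findings.append(Finding("medium", "access_log",
                                f"{unparsed} line(s) did not parse as access log entries; review manually"))
    return findings


# Constructed sample inputs (not real appliance data). Hashes are placeholders.
SAMPLE_BASELINE = {
    "/etc/rc.d/rc.fwboot": "a" * 64,
    "/usr/lib/libc.so.6": "b" * 64,
    "/cf/config.dat": "c" * 64,
}
SAMPLE_INVENTORY = {
    "/etc/rc.d/rc.fwboot": "d" * 64,                  # changed -> persistence tampering
    "/usr/lib/libc.so.6": "b" * 64,
    "/cf/config.dat": "c" * 64,
    "/etc/ld.so.preload": "e" * 64,                   # should not exist
    "/usr/lib/libhypothetical_hook.so": "f" * 64,     # hypothetical name, not a real OVERSTEP artifact
}
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Jul/2025:09:12:01 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 4130 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2025:09:13:44 +0000] "POST /cgi-bin/example?dobackshell=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jul/2025:09:14:02 +0000] "GET /cgi-bin/example?DoPasswords HTTP/1.1" 200 9001 "-" "curl/8.0"',
    "garbage line that is not an access log entry",
]


def run_hunt(inventory=SAMPLE_INVENTORY, baseline=SAMPLE_BASELINE, log_lines=SAMPLE_LOG) -> list:
    """Run both hunts and return the combined findings."""
    return hunt_filesystem(inventory, baseline) + hunt_access_log(log_lines)


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.severity:6}] {f.source:10} {f.detail}")
```

Against the constructed sample this reports two high filesystem findings (the preload file and the changed boot script), one medium (the baseline-unknown library), two high log findings from 203.0.113.7, and one medium note about the unparsable line. Point it at a real inventory and a real log export by replacing the sample dictionaries and list; the marker match is deliberately substring-based so that encoding tricks in the path or query do not need to be enumerated.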


EXPLOITED CVES

Vulnerabilities exploited

6 CVEs Mallory has correlated with this family across public research and vendor advisories.

6 CVEs

CVE-2024-40766: Improper Access Control in SonicWall SonicOS Management Access and SSLVPN (exploited in the wild)

SonicWall’s internal investigation attributes these incidents to exploitation of the known vulnerability CVE-2024-40766. Although SonicWall released a security patch for this issue in August 2024, attackers are still leveraging credentials that were stolen at the time of those incidents.

via osint team blog (osintteam.blog)

CVE-2021-20039: Authenticated Command Injection in SonicWall SMA100 /cgi-bin/viewcert

...CVE-2021-20035 and CVE-2021-20039, authenticated remote code execution vulnerabilities; | "Now, the threat actor is deploying what the researchers describe as a 'previously unknown persistent backdoor/user-mode rootkit' which they are tracking as OVERSTEP."

via Dark Reading (darkreading.com)

CVE-2025-32819: Arbitrary File Deletion in SonicWall SMA100

...and CVE-2025-32819, an authenticated file deletion vulnerability. | "Now, the threat actor is deploying what the researchers describe as a 'previously unknown persistent backdoor/user-mode rootkit' which they are tracking as OVERSTEP."

via Dark Reading (darkreading.com)

CVE-2024-38475: Apache HTTP Server mod_rewrite improper escaping leading to unintended file mapping

...including CVE-2024-38475, an unauthenticated path traversal vulnerability; | "Now, the threat actor is deploying what the researchers describe as a 'previously unknown persistent backdoor/user-mode rootkit' which they are tracking as OVERSTEP."

via Dark Reading (darkreading.com)

CVE-2021-20038: Unauthenticated RCE in SonicWall SMA100 Apache httpd mod_cgi

Google TAG researchers noted that there are several vulnerabilities that could have been exploited by UNC6148 in the past, including CVE-2021-20038, a memory corruption vulnerability; | "Now, the threat actor is deploying what the researchers describe as a 'previously unknown persistent backdoor/user-mode rootkit' which they are tracking as OVERSTEP."

via Dark Reading (darkreading.com)

CVE-2021-20035: OS Command Injection in SonicWall SMA100 Management Interface

...CVE-2021-20035 and CVE-2021-20039, authenticated remote code execution vulnerabilities; | "Now, the threat actor is deploying what the researchers describe as a 'previously unknown persistent backdoor/user-mode rootkit' which they are tracking as OVERSTEP."

via Dark Reading (darkreading.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

UNC6148

"...exploiting fully patched, end-of-life SonicWall SMA 100 appliances to deploy a previously unknown backdoor and rootkit dubbed OVERSTEP."

via Register Security (go.theregister.com)
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1133 External Remote Services (evidence: 1)

"...VPN access through SonicWall SSL VPNs..." / "...brute-force traffic aimed at Fortinet SSL VPN devices..."

T1190 Exploit Public-Facing Application (evidence: 1)

"Threat actors are actively exploiting a critical security flaw in ... WordPress Theme ... to take over susceptible sites." / "...exploiting a ... flaw in Apache ActiveMQ to gain persistent access..." / "...exploiting ... SharePoint ... to obtain initial access..."

Persistence (1 technique)

T1133 External Remote Services (evidence: 1)

"...VPN access through SonicWall SSL VPNs..." / "...brute-force traffic aimed at Fortinet SSL VPN devices..."
