CVE-2021-20039

Written by: Josh Goddard, Zander Work, Dimiter Andonov Introduction Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor's malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities. In this new wave of activity, the actor has deployed a previously unknown persistent backdoor/user-mode rootkit, which GTIG tracks as OVERSTEP. Based on findings from Mandiant Incident Response engagements, our analysis shows this malware modifies the appliance's boot process to maintain persistent access, steal sensitive credentials, and conceal its own components. GTIG assesses with moderate confidence that UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on opportunistically targeted SonicWall SMA appliances. GTIG assesses with moderate confidence that UNC6148's operations, dating back to at least October 2024, may be to enable data theft and extortion operations, and possibly ransomware deployment. An organization targeted by UNC6148 in May 2025 was posted to the "World Leaks" data leak site (DLS) in June 2025, and UNC6148 activity overlaps with publicly reported SonicWall exploitation from late 2023 and early 2024 that has been publicly linked to the deployment of Abyss-branded ransomware (tracked by GTIG as VSOCIETY). Given the risk of recompromise using previously stolen credentials, organizations should follow the recommendations within this...