UNC6148
UNC6148 is a suspected financially motivated threat actor tracked by Google Threat Intelligence Group (GTIG). The actor has been observed targeting fully patched, end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances, with activity reported as ongoing since at least October 2024. GTIG assessed that UNC6148 likely used previously stolen valid administrative credentials (some reporting also cites stolen credentials and OTP seeds from prior breaches) to establish SSL VPN sessions and deploy malware on SMA appliances. GTIG also assessed with moderate confidence that UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on opportunistically targeted SonicWall SMA appliances; how the credentials were initially acquired remains unknown.

UNC6148 deploys OVERSTEP, described in the reporting as a previously unknown persistent backdoor and rootkit targeting SonicWall SMA 100 devices. OVERSTEP is described as modifying the boot process for persistence, concealing its components, removing log entries to evade detection, establishing a reverse shell, stealing sensitive files and credentials (administrator credentials, session tokens, OTP seeds, persist.database, and certificate material), and enabling privileged control of the appliance. The actor has also been described as using a kernel-level rootkit or persistent backdoor rootkit to remain stealthily resident on compromised systems. The group's observed tradecraft includes using stolen credentials to establish VPN sessions, deploying backdoors on SMA 100 devices, maintaining persistence across reboots, clearing or manipulating logs, and enabling follow-on actions such as command execution, credential theft, data exfiltration, and extortion.

GTIG noted possible exploitation of known SonicWall SMA vulnerabilities in related intrusion chains, including CVE-2021-20038, CVE-2021-20035, CVE-2021-20039, CVE-2024-38475, and CVE-2025-32819, while not ruling out use of an undisclosed vulnerability. The reporting links UNC6148 to ransomware and extortion activity: it is described as associated with World Leaks, alongside Hive Ransomware and Secp0 Ransomware, and separate reporting notes overlaps or links with Abyss-related ransomware incidents. The reporting also states that UNC6148 may deploy OVERSTEP, possibly in support of ransomware operations. No nation-state attribution is provided. Known alias: UNC6148.
Tradecraft
6 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
The researchers said the attackers have been exploiting CVE-2024-38475 for path traversal and session hacking. SonicWall first patched the flaw in December 2024 by issuing updated firmware and subsequently issued updated advisories as new exploitation techniques came to light.
SonicWall's internal investigation attributes these incidents to exploitation of the known vulnerability CVE-2024-40766. Although SonicWall released a security patch for this issue in August 2024, attackers are still leveraging credentials that were stolen at the time of those incidents.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Financially motivated activity targeting older SonicWall SMA 100 appliances using stolen credentials to establish VPN sessions and deploy backdoors.
Named as an associated activity cluster to World Leaks in the reporting.
Referenced only as a known association of World Leaks.
Cluster targeting fully patched SonicWall SMA 100 appliances (EoL) to deploy OVERSTEP rootkit/backdoor for persistent access.