UNC6148 hackers have compromised fully patched, end-of-life SonicWall SMA 100 devices using a stealthy backdoor called OVERSTEP. The intrusions likely relied on stolen credentials or a zero-day exploit. The OVERSTEP rootkit enables persistent access, hides activity, and steals credentials. Google links the activity to past ransomware operations. In response, SonicWall is ending support for SMA 100 devices by December 31, 2025, and advises customers to migrate to newer, more secure solutions.