In recent developments, cybercriminals have been leveraging compromised versions of SonicWall’s SSL VPN NetExtender application to illicitly obtain user credentials. This malicious activity involves distributing a trojanized variant of the NetExtender software, which unsuspecting users may download and install, believing it to be legitimate.
SonicWall’s NetExtender is a VPN client that enables remote users to securely connect to a company’s network, allowing them to run applications, transfer files, and access network resources as if they were physically present within the organization’s premises. The compromised version of this application has been identified as delivering a payload codenamed SilentRoute, a discovery made by Microsoft in collaboration with SonicWall.
The distribution method for this malicious software involves a counterfeit website that mimics the official SonicWall site. This fake site offers a version of NetExtender labeled as 10.3.2.27, which is digitally signed by an entity named CITYLIGHT MEDIA PRIVATE LIMITED. This suggests that attackers are targeting individuals searching for NetExtender through search engines like Google or Bing. They employ tactics such as spear-phishing, search engine optimization (SEO) poisoning, malvertising, and deceptive social media posts to lure users into downloading the compromised software.
Upon installation, two key components of the NetExtender application—NeService.exe and NetExtender.exe—are modified. These alterations allow the malware to bypass digital certificate validation checks and exfiltrate sensitive configuration information to a remote server controlled by the attackers. The stolen data includes usernames, passwords, domain details, and other critical VPN configuration information.
In a related series of attacks, threat actors have been exploiting ConnectWise, a remote monitoring and management software, by embedding malicious code into its installers. This technique, known as authenticode stuffing, allows attackers to insert harmful configurations into the software’s digital signature without invalidating it. German cybersecurity firm G DATA has observed a significant increase in such attacks since March 2025.
The attack vectors primarily involve phishing emails and fraudulent websites advertised as artificial intelligence (AI) tools on platforms like Facebook. These emails often contain links to OneDrive, which redirect users to a Canva page with a View PDF button. Clicking this button results in the download and execution of a tampered ConnectWise installer.
Once executed, the malicious installer implants configurations within the Authenticode signature to display a fake Windows update screen, preventing users from shutting down their systems. It also establishes a persistent connection to an external server, granting attackers continuous access to the compromised system.
These incidents underscore the critical importance of downloading software exclusively from official and trusted sources. Users are advised to exercise caution when encountering unsolicited emails or unfamiliar websites offering software downloads. Organizations should implement robust security measures, including regular software updates, employee training on recognizing phishing attempts, and the use of advanced threat detection systems to mitigate the risk of such sophisticated attacks.
