Legitimate vs trojanized certificate comparison | Image: TRU
In a newly uncovered software supply chain attack, threat actors have successfully deployed a backdoored version of SonicWall’s SSL VPN NetExtender client, stealing credentials and breaching enterprise networks under the guise of legitimate software. The campaign, dubbed SilentRoute by Microsoft, was detailed in an alarming report by eSentire’s Threat Response Unit (TRU) after spotting the malware in late June 2025.
Victims are lured by SEO poisoning techniques to a fraudulent website that mimics SonicWall’s legitimate download page. The deceptive site serves a malicious but digitally signed MSI installer—SonicWall-NetExtender.msi—containing patched binaries designed to covertly exfiltrate sensitive information.
“The infection process began when the user searched the web for a download of SonicWall’s NetExtender client… and downloaded a signed malicious MSI installer,” the report states.
Once executed, the backdoored software captures the user’s domain, username, and password, sending them to a threat actor-controlled server at 132.196.198[.]163 on port 8080.
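The exfiltration described above gives defenders two handles: the fixed C2 address and port from the report, and the behavioural fact that a VPN client binary should only ever talk to the corporate VPN gateway. The following added example (not code from the eSentire report or from SonicWall) runs both checks over a few constructed egress log lines in a simple key=value layout; the C2 address and port are from the article, while the gateway address, host names and log format are assumptions.

```python
"""Added example: flag the SilentRoute exfiltration pattern in egress logs.

Log lines are constructed for this example in a simple key=value layout; they are
not a real product's format. The C2 address and port come from the report. The
allow-listed VPN gateway (TEST-NET-3 address) and the host names are assumptions.
"""
import ipaddress
import re

C2_ADDRESS = ipaddress.ip_address("132.196.198.163")  # from the report
C2_PORT = 8080                                         # from the report
# Binaries the article names; compared case-insensitively.
NETEXTENDER_PROCS = {"netextender.exe", "neservice.exe"}
# Assumption: the corporate SSL VPN gateway(s) NetExtender is expected to contact.
VPN_GATEWAYS = {ipaddress.ip_address("203.0.113.10")}

# Constructed sample traffic: normal browsing, a legitimate VPN session, the
# credential POST to the C2, a second host beaconing, and a client talking to
# a non-gateway address on the same port (IP changed, behaviour unchanged).
SAMPLE_LOGS = [
    "ts=2025-06-24T14:02:11Z host=ws-101 proc=chrome.exe dst=142.250.72.14 dport=443",
    "ts=2025-06-24T14:05:40Z host=ws-101 proc=NetExtender.exe dst=203.0.113.10 dport=443",
    "ts=2025-06-24T14:05:42Z host=ws-101 proc=NetExtender.exe dst=132.196.198.163 dport=8080",
    "ts=2025-06-24T14:06:01Z host=ws-102 proc=svchost.exe dst=132.196.198.163 dport=8080",
    "ts=2025-06-24T14:07:13Z host=ws-103 proc=NetExtender.exe dst=198.51.100.77 dport=8080",
]

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["dport"] = int(ev["dport"])
    return ev


def classify(event):
    """Return the alert names that apply to one parsed event."""
    alerts = []
    # Exact IoC match: the address:port named in the report.
    if event["dst"] == C2_ADDRESS and event["dport"] == C2_PORT:
        alerts.append("silentroute_c2_ioc")
    # Behavioural match: a NetExtender binary reaching anything but the gateway.
    if event["proc"].lower() in NETEXTENDER_PROCS and event["dst"] not in VPN_GATEWAYS:
        alerts.append("netextender_unexpected_destination")
    return alerts


def scan(lines):
    """Return (host, proc, dst, dport, alert) tuples for every alert in the lines."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for alert in classify(ev):
            findings.append((ev["host"], ev["proc"], str(ev["dst"]), ev["dport"], alert))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

The behavioural rule is the one worth keeping after the IoC goes stale: a rebuilt installer pointing at a fresh server still produces a VPN client process connecting somewhere other than the gateway list.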
Two binaries in the installer were altered:
- NEService.exe – modified to bypass digital signature verification
- NetExtender.exe – modified to exfiltrate user credentials
Though the changes are minimal, they’re highly effective. The attackers employed a sophisticated disassemble/modify/recompile strategy, allowing the software to maintain full functionality while covertly stealing credentials.
“This methodical process enabled them to maintain the software’s core functionality while implementing covert exfiltration capabilities,” the report explains.
To evade detection, the attackers used a fraudulently obtained Extended Validation (EV) certificate from GlobalSign—a tactic increasingly seen in malware campaigns.
“The presence of a digital certificate alone does not guarantee software legitimacy,” the report warns.
While Microsoft’s SmartScreen is designed to block unknown installers, this malicious MSI bypassed those protections due to its signed status, reinforcing how trust in digital signatures can be weaponized.
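The practical consequence of the last three paragraphs is that an installer policy must pin the publisher identity, not just require "a valid signature". The added example below (not the report's tooling, and not SonicWall's) parses the signer's subject DN and applies that policy to constructed signature records: an unsigned file, a record shaped like a genuine SonicWall build, and a validly signed record whose organization is someone else. The expected organization string and all subject DNs here are assumptions and constructed values, not the actual fields of the certificates in this campaign.

```python
"""Added example: a valid Authenticode signature is necessary, not sufficient.

Signature records are constructed dicts holding a status and a signer subject DN,
mirroring the fields a signature-verification API exposes. They are not the real
certificate fields from the SilentRoute installer. EXPECTED_ORG is an assumption:
in practice it is taken from a known-good NetExtender binary.
"""

EXPECTED_ORG = "SonicWall Inc."  # assumption: publisher on a known-good build


def parse_dn(dn):
    """Parse an RFC 4514-style DN ('CN=a, O=b, C=US') into a dict.

    Commas inside double-quoted values are kept as part of the value; attribute
    types are upper-cased so 'o=' and 'O=' compare equal.
    """
    parts, buf, quoted = [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted          # quote characters are delimiters, not data
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    attrs = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


def trust_decision(record, expected_org=EXPECTED_ORG):
    """Return (allowed, reason) for a signature record.

    Chain validity is checked first; a valid chain then still has to belong to
    the pinned publisher organization before the file is allowed.
    """
    if record.get("status") != "Valid":
        return False, "signature missing or invalid"
    subject = parse_dn(record.get("subject", ""))
    org = subject.get("O", "")
    if org != expected_org:
        return False, f"valid signature but unexpected publisher O={org!r}"
    return True, "valid signature from pinned publisher"


# Constructed records: only the status/subject shape matters, the names are made up.
SAMPLE_RECORDS = {
    "unsigned": {"status": "NotSigned", "subject": ""},
    "genuine-like": {"status": "Valid",
                     "subject": 'CN="SonicWall Inc.", O="SonicWall Inc.", C=US'},
    "ev-lookalike": {"status": "Valid",
                     "subject": 'CN=Example Trading Ltd, O=Example Trading Ltd, L=London, C=GB'},
}


def audit(records=SAMPLE_RECORDS):
    """Apply trust_decision to every record; returns {name: (allowed, reason)}."""
    return {name: trust_decision(rec) for name, rec in records.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in audit().items():
        print(f"{name:13} allowed={allowed!s:5} {reason}")
```

The "ev-lookalike" record is the case the article describes: the chain validates, SmartScreen-style reputation logic sees a signed file, and only the publisher pin rejects it. Pinning the certificate thumbprint of the known-good build is the stricter variant of the same idea.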
eSentire has published indicators of compromise (IoCs) for SilentRoute alongside its report.