THE THREAT
In June 2025, eSentire’s Threat Response Unit (TRU) identified an incident involving the installation of a trojanized version of SonicWall’s NetExtender VPN client. The investigation revealed that users had attempted to download and execute a modified version of the installer that closely resembled the legitimate SonicWall application. While eSentire MDR for Endpoint detected and flagged the activity, successful execution of the malicious file would have resulted in the harvesting of VPN credentials.
This activity aligns with a campaign recently confirmed by SonicWall in collaboration with Microsoft Threat Intelligence (MSTIC). MSTIC dubbed this malicious application SilentRoute malware. As abuse of this method persists, it is critical that organizations restrict access from suspicious infrastructure, review endpoints for the unauthorized VPN client, revoke sessions, and reset any potentially compromised credentials.
What we’re doing about it
- eSentire's Threat Response Unit has performed threat hunts for known Indicators of Compromise across customer environments
- eSentire MDR for Endpoint detects this threat
- Relevant Indicators of Compromise have been added to the eSentire Threat Intelligence Feed
- The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
What you should do about it
- Exercise caution when visiting websites or downloading content from the Internet
-
Ensure that all VPN clients are downloaded only from official vendor websites
- sonicwall.com
- mysonicwall.com
- Ensure Endpoint Detection and Response (EDR) agents are deployed to all corporate assets including workstations and servers
- Monitor Dark Web markets for compromised user credentials
Additional information
MSTIC and SonicWall have identified a malicious campaign distributing a compromised version of SonicWall's SSL VPN NetExtender application through a fraudulent website. The modified version (based on NetExtender v10.3.2.27), signed by "CITYLIGHT MEDIA PRIVATE LIMITED" contains altered components (NeService.exe and NetExtender.exe) designed to bypass security validations and exfiltrate sensitive VPN configuration data. This SilentRoute malware specifically targets usernames, passwords, and domain information, transmitting the stolen data to a remote server (132.196.198[.]163:8080). While the impersonating websites have been taken down and the malicious installer's digital certificate has been revoked, users must download SonicWall applications only from official sources (sonicwall.com or mysonicwall.com).
eSentire has observed SilentRoute impacting a customer in recent incidents. With compromised VPN credentials and if not remediated, it will allow the threat actors to log into the corporate environment and conduct further nefarious activities, such as ransomware deployment.
| Indicators of Compromise (IOCs) | |
| 132[.]196[.]198[.]163 | SilentRoute C2 |
| sonicwall-download[.]online | SilentRoute Download |
| sonicwall-netextender[.]com | SilentRoute Download |
| sonicwall[.]pro | SilentRoute Download |
| vpncorporate[.]online | SilentRoute Download |
| D883C067F060E0F9643667D83FF7BC55A218151DF600B18991B50A4EAD513364 | SilentRoute Payload |
| E30793412D9AAA49FFE0DBAAF834B6EF6600541ABEA418B274290447CA2E168B | SilentRoute Payload |
References:
[1] https://www.sonicwall.com/blog/threat-actors-modify-and-re-create-commercial-software-to-steal-users-information
[2] https://urlscan.io/search/#sonicwall-netextender.com