Company

ABOUT ESENTIRE

eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.

About Us →

Leadership →

Careers →

Event Calendar →

Newsroom →

Aston Villa Football Club →

EVENT CALENDAR

Aug

ILTACON

Aug

FutureCon Omaha

Aug

INTERFACE Kansas City

Aug

CISO Strategy Virtual Meetings Minneapolis

Aug

FutureCon Salt Lake City

View Calendar →

LATEST PRESS RELEASE

Aug 12, 2025

eSentire’s Dustin Hillard Recognized on Channel Insider's 2025 AI Leaders List

View Newsroom →

OUR PARTNERSHIPS

Aston Villa Football Club

AVFC takes its cyber protection to the Next Level with eSentire as its official cybersecurity partner.

Learn More

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

In June 2025, eSentire’s Threat Response Unit (TRU) identified an incident involving the installation of a trojanized version of SonicWall’s NetExtender VPN client. The investigation revealed that users had attempted to download and execute a modified version of the installer that closely resembled the legitimate SonicWall application. While eSentire MDR for Endpoint detected and flagged the activity, successful execution of the malicious file would have resulted in the harvesting of VPN credentials.

This activity aligns with a campaign recently confirmed by SonicWall in collaboration with Microsoft Threat Intelligence (MSTIC). MSTIC dubbed this malicious application SilentRoute malware. As abuse of this method persists, it is critical that organizations restrict access from suspicious infrastructure, review endpoints for the unauthorized VPN client, revoke sessions, and reset any potentially compromised credentials.

What we’re doing about it

eSentire's Threat Response Unit has performed threat hunts for known Indicators of Compromise across customer environments
eSentire MDR for Endpoint detects this threat
Relevant Indicators of Compromise have been added to the eSentire Threat Intelligence Feed
The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities

What you should do about it

Exercise caution when visiting websites or downloading content from the Internet
Ensure that all VPN clients are downloaded only from official vendor websites
- sonicwall.com
- mysonicwall.com
Ensure Endpoint Detection and Response (EDR) agents are deployed to all corporate assets including workstations and servers
Monitor Dark Web markets for compromised user credentials

Additional information

MSTIC and SonicWall have identified a malicious campaign distributing a compromised version of SonicWall's SSL VPN NetExtender application through a fraudulent website. The modified version (based on NetExtender v10.3.2.27), signed by "CITYLIGHT MEDIA PRIVATE LIMITED" contains altered components (NeService.exe and NetExtender.exe) designed to bypass security validations and exfiltrate sensitive VPN configuration data. This SilentRoute malware specifically targets usernames, passwords, and domain information, transmitting the stolen data to a remote server (132.196.198[.]163:8080). While the impersonating websites have been taken down and the malicious installer's digital certificate has been revoked, users must download SonicWall applications only from official sources (sonicwall.com or mysonicwall.com).

eSentire has observed SilentRoute impacting a customer in recent incidents. With compromised VPN credentials and if not remediated, it will allow the threat actors to log into the corporate environment and conduct further nefarious activities, such as ransomware deployment.

Figure 1: Example of malicious SonicWall Installer Download Page (URLScan)

Indicators of Compromise (IOCs)
132[.]196[.]198[.]163	SilentRoute C2
sonicwall-download[.]online	SilentRoute Download
sonicwall-netextender[.]com	SilentRoute Download
sonicwall[.]pro	SilentRoute Download
vpncorporate[.]online	SilentRoute Download
D883C067F060E0F9643667D83FF7BC55A218151DF600B18991B50A4EAD513364	SilentRoute Payload
E30793412D9AAA49FFE0DBAAF834B6EF6600541ABEA418B274290447CA2E168B	SilentRoute Payload

References:

[1] https://www.sonicwall.com/blog/threat-actors-modify-and-re-create-commercial-software-to-steal-users-information
[2] https://urlscan.io/search/#sonicwall-netextender.com

ESENTIRE SERVICES

Managed Detection and Response

All-In-One MDR Solution →

MDR for Microsoft →

MDR for GenAI →

Digital Forensics and Incident Response

Continuous Threat Exposure Management (CTEM)

AI Powered platform

Atlas Security Operations Platform

Extended Detection and Response (XDR)

Customer Portal

Platform Integrations

human led response

Security Operations Center (SOC)

Threat Response Unit (TRU)

Cyber Resilience Team

Response and Remediation

MDR Packages and 24/7 Protection

MDR Pricing and Packages

Atlas Essentials

Atlas Advanced

Atlas Complete

24/7 Coverage

Endpoint

Network

Log

Cloud

Identity

INDUSTRIES

Insurance

Construction

Finance

Legal

Manufacturing

Private Equity

Healthcare

Retail

Food Supply

Government and Education

Automotive Dealerships

USE CASES

Ransomware

Identity Response

Zero Day Attacks

Cybersecurity Compliance

Third-Party Risk

Cloud Misconfiguration

Cyber Risk

Do More With Less

Sensitive Data Security

Cyber Insurance

Cyber Threat Intelligence

Security Leadership

From The Blog

Unmasking Interlock Group's Evolving Malware Arsenal

Unpacking ShadowCoil’s (RansomHub Ex-affiliate) Credential Harvesting Tool

Cyber Stealer Analysis: When Your Malware Developer Has FOMO About…

Resources

Case Studies

Compare MDR Vendors

TRU Intelligence Center

Cybersecurity Tools

Videos

Reports

Webinars

Data Sheets

Real vs. Fake MDR

Blogs

Security Advisories

SECURITY ADVISORIES

Exploit Released for Critical FortiSIEM Vulnerability (CVE-2025-25256)

Direct Send Abuse Leading to Internal Phishing Attacks