Trojanized SonicWall VPN Client Circulates in Credential Theft Campaign
SonicWall has issued an urgent warning regarding a newly uncovered attack where threat actors are distributing a trojanized version of its NetExtender SSL VPN client. This modified client is being used to steal VPN credentials from unsuspecting users across various industries.
The compromised software closely mimics SonicWall’s legitimate NetExtender version 10.3.2.27. Although it is not digitally signed by SonicWall itself, the malicious installer is signed by an entity called “CITYLIGHT MEDIA PRIVATE LIMITED,” enabling it to bypass basic trust validations in some environments.
A Fake Website Hosting a Real Threat
The fraudulent NetExtender installer is being distributed through spoofed websites that convincingly mimic SonicWall’s official portals. These sites deceive users into thinking they are downloading authentic software when in fact they are installing spyware designed to extract sensitive VPN information.
The attacker’s objective is straightforward: exfiltrate VPN configuration details and login credentials to a remote command-and-control server. This includes the username, password, domain, and other session-related data.
“Once the VPN configuration details are entered and the ‘Connect’ button is clicked, the malicious code performs its own validation before sending the data to the remote server,” SonicWall confirmed in an official advisory.
What the Modified Binaries Do
SonicWall and Microsoft’s joint analysis revealed two tampered components in the fake client:
- NeService.exe, modified to bypass digital certificate checks.
- NetExtender.exe, embedded with code to capture and send login details.
The stolen data is routed to an attacker-controlled server located at IP address 132.196.198.163 over port 8080. This stealthy redirection occurs after the user initiates a VPN connection, believing they are securely accessing their company’s network.
Who Is at Risk?
SonicWall NetExtender is widely used across small to medium businesses, particularly by remote workers, IT administrators, and contractors. Its integration with SonicWall SSL VPN appliances and firewalls makes it a critical piece of secure remote infrastructure—precisely why attackers are targeting it.
Spoofed software downloads are being pushed through various channels including malvertising, SEO poisoning, direct messages, social media platforms, and even video content on YouTube and TikTok. These tactics ensure broad visibility and increase the chances of successful infection.
Preventive Measures for Enterprises
SonicWall strongly advises users to only download software from the official SonicWall websites—sonicwall.com and mysonicwall.com. Both SonicWall’s native tools and Microsoft Defender now detect and block the trojanized installer. However, third-party antivirus tools may not yet recognize the threat.
Enterprise organizations are urged to:
- Avoid downloading VPN clients from search results or promoted links.
- Always verify digital signatures on executable files.
- Scan all installer files with updated antivirus software before execution.
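The two checks a defender can act on from this advisory are the signer of the installer (the trojanized build is validly signed, just by “CITYLIGHT MEDIA PRIVATE LIMITED” rather than SonicWall) and the collection endpoint 132.196.198.163:8080. The script below is an added example written for this article, not code from SonicWall or Microsoft. It uses only built-in Windows cmdlets (Get-AuthenticodeSignature, Get-FileHash, Get-NetTCPConnection, Get-Process). The default installer filename and the assumption that the legitimate signer’s certificate subject contains the string “SonicWall” are mine; confirm the expected subject against a known-good copy obtained from sonicwall.com before relying on it.

```powershell
# Added example (not SonicWall's or Microsoft's code). Run in an elevated
# PowerShell on the Windows host where the installer was downloaded.
param(
    # Path to the downloaded installer. The default filename is hypothetical.
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\NetExtender-10.3.2.27.msi"
)

# IoC from the advisory: attacker-controlled collection server and port.
$C2Address = '132.196.198.163'
$C2Port    = 8080

# Signer reported on the trojanized installer.
$KnownBadSigner = 'CITYLIGHT MEDIA PRIVATE LIMITED'

# Assumption: the legitimate installer's signer subject contains the vendor
# name. Verify this against a known-good copy from sonicwall.com first.
$ExpectedSignerPattern = 'SonicWall'

function Test-InstallerSignature {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $hash    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    Write-Host "File    : $Path"
    Write-Host "SHA256  : $hash"
    Write-Host "Status  : $($sig.Status)"
    Write-Host "Subject : $subject"

    # A cryptographically valid signature is not sufficient here: the fake
    # client carries a valid signature from the wrong entity, so check who signed.
    if ($subject -like "*$KnownBadSigner*") {
        Write-Warning "Signer matches the signer reported on the trojanized installer."
        return $false
    }
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature is not valid ($($sig.Status))."
        return $false
    }
    if ($subject -notlike "*$ExpectedSignerPattern*") {
        Write-Warning "Signature is valid, but the signer is not the expected vendor."
        return $false
    }
    Write-Host "Signer looks as expected. Still obtain installers only from sonicwall.com or mysonicwall.com."
    return $true
}

function Find-C2Connections {
    # Live TCP connections from this host to the advisory's C2 address and port,
    # with the owning process so a responder knows what to isolate.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $C2Address -and $_.RemotePort -eq $C2Port } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                ProcessId     = $_.OwningProcess
                ProcessName   = $proc.ProcessName
                ProcessPath   = $proc.Path
            }
        }
}

$signatureOk = Test-InstallerSignature -Path $InstallerPath

$hits = @(Find-C2Connections)
if ($hits.Count -gt 0) {
    Write-Warning "Connections to $C2Address`:$C2Port found:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No live connections to $C2Address`:$C2Port."
}

# Non-zero exit lets the script be used as a gate in a deployment or triage job.
if (-not $signatureOk -or $hits.Count -gt 0) { exit 1 }
```

The signer check is ordered deliberately: the known-bad subject is tested before the validity status, because the whole point of this campaign is that the malicious installer passes the generic “is the signature valid?” test. The connection check only sees live sockets; for historical coverage, the same address and port should also be searched in proxy, firewall, and EDR network telemetry.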
With VPN access forming the backbone of secure remote work, any compromise can lead to severe data breaches, lateral movement, and operational disruption.