Unknown threat actors have been distributing a trojanized version of SonicWall’s SSL VPN NetExtender application to steal credentials from unsuspecting users who may have installed it.
“NetExtender enables remote users to securely connect and run applications on the company network,” SonicWall researcher Sravan Ganachari said. “Users can upload and download files, access network drives, and use other resources as if they were on the local network.”
The malicious payload delivered via the rogue VPN software has been codenamed SilentRoute by Microsoft, which detected the campaign along with the network security company.
SonicWall said the malware-laced NetExtender impersonates the latest version of the software (10.3.2.27) and has been found to be distributed via a fake website that has since been taken down. The installer is digitally signed by CITYLIGHT MEDIA PRIVATE LIMITED.”
These include “NeService.exe” and “NetExtender.exe,” which have been altered to bypass the validation of digital certificates various NetExtender components and continue execution regardless of the validation results and exfiltrate the information to 132.196.198[.]163 over port 8080.
“The threat actor added code in the installed binaries of the fake NetExtender so that information related to VPN configuration is stolen and sent to a remote server,” Ganachari said.
Threat Actors Abuse ConnectWise Authenticode Signatures
The development comes as G DATA detailed a threat activity cluster dubbed EvilConwi that involves bad actors abusing ConnectWise to embed malicious code using a technique called authenticode stuffing without invalidating the digital signature.
The German cybersecurity company said it has observed a spike in attacks using this technique since March 2025. The infection chains primarily leverage phishing emails as an initial access vector or through bogus sites advertised as artificial intelligence (AI) tools on Facebook.
What makes EvilConwi notable is that it offers malicious actors a cover for nefarious operations by conducting them using a trusted, legitimate, and maybe elevated system or software process, thereby allowing them to fly under the radar.
“By modifying these settings, threat actors create their own remote access malware that pretends to be a different software like an AI-to-image converter by Google Chrome,” security researcher Karsten Hahn said. “They commonly add fake Windows update images and messages too, so that the user does not turn off the system while threat actors remotely connect to them.”
