Trojanized SonicWall NetExtender Targets VPN Users For Credential Theft

HomeNews* Attackers spread a trojanized version of SonicWall‘s NetExtender VPN app to steal login credentials.

• The fake software, called SilentRoute, is distributed from a spoofed website and is digitally signed to appear genuine.
• Malicious code in the installer sends captured VPN configuration details—including usernames and passwords—to a remote server.
• Another campaign, known as EvilConwi, abuses ConnectWise signatures to deliver remote access Malware through phishing and fake sites.
• Both threats use trusted signatures and misleading visuals to deceive users and bypass common security checks. Unknown attackers have distributed a trojan-infected version of the SonicWall NetExtender SSL VPN application to capture user credentials. The tampered installer, discovered in June 2025, has been disguised as the official version and was distributed through a fake website that has since been shut down.

• Advertisement - According to SonicWall researcher Sravan Ganachari, the legitimate NetExtender app allows remote users to access company network resources securely. The company, working with Microsoft, identified the malicious variant—codenamed SilentRoute—which collects sensitive VPN configuration information from users.

The threat actor added code in the installed binaries of the fake NetExtender so that information related to VPN configuration is stolen and sent to a remote server, Ganachari said. The manipulated installer—signed by CITYLIGHT MEDIA PRIVATE LIMITED—bypasses digital certificate checks. When a user enters their VPN credentials and clicks "Connect," the malware transmits details like username, password, and domain to a remote server over the internet.

The spread of this rogue software likely targeted users who searched for the NetExtender app on search engines, leading them to phishing sites through tactics such as search engine optimization, malvertising, or social media links. Investigators found that the altered installer contained two key components, "NeService.exe" and "NetExtender.exe," which were both modified for data theft and certificate validation bypass.

Meanwhile, a separate campaign described by German company G DATA has abused ConnectWise software signatures, in an activity group dubbed EvilConwi. Attackers used a method called Authenticode stuffing—which adds malicious code without breaking the program’s trusted digital signature. This method allowed threats to go undetected by using legitimate-seeming software processes.

These attacks start with phishing emails leading to fake downloads. Malicious software implants spyware under the cover of familiar brands, sometimes displaying fake Windows update screens to keep users from shutting down their computers. Security researcher Karsten Hahn noted that attackers used fake AI tool promotions and misleading update visuals to trick users and keep their systems vulnerable to remote access.

Both campaigns relied on known security workarounds, allowing attackers to gather user data while minimizing detection by standard security tools.

• Advertisement - #### Previous Articles:

• Republic to Offer Mirror Tokens Tracking SpaceX, Anthropic to Retail Investors
• Bitcoin Surges to $107K as Fed Rate Cut Hopes, Geopolitical Fears Ease
• CoinDesk 20 Index Rises 0.5% as BCH, SOL Lead; APT, AAVE Lag
• Pro-Iran Hacktivists Leak Saudi Games Athlete, Visitor Data Online
• Hana Bank Joins Korean Stablecoin Consortium, Files Trademark

• Advertisement -