SonicWall Says Malicious NetExtender Client Used to Steal VPN Credentials

The malicious application was designed to steal a user's VPN configuration, including their username, password, domain, and other information.

Written by David Delima | Updated: 26 June 2025 11:44 IST

Highlights

SonicWall has warned customers about a malicious version of its app
The modified version of NetExtender was used to steal VPN credentials
SonicWall and Microsoft have worked to block the spread of the malware

SonicWall Says Malicious NetExtender Client Used to Steal VPN Credentials

SonicWall has urged users to download the NetExtender app from its website

Photo Credit: Pexels/ Sora Shimazaki

SonicWall has issued an advisory that informs customers that a malicious version of its SonicWall SSL VPN NetExtender app is being used to steal VPN configuration and credentials. The company warns that threat actors have modified two files used by the NetExtender VPN application, which is used by several organisations to allow remote users to securely connect to the main network. Microsoft and SonicWall have taken measures to block the spread of the modified versions of the NetExtender application.

SonicWall NetExtender VPN Application Was Digitally Signed By Threat Actors

In a security advisory issued earlier this week, SonicWall said that it detected the modified version of the NetExtender SSL VPN application in collaboration with Microsoft Threat Intelligence (MSTIC). The malicious version of the app was hosted on a website that allowed users to download the trojanised version of the latest release, version 10.3.2.27.

The NetExtender application files modified by the threat actor
Photo Credit: SonicWall

According to the company, the threat actors digitally signed the trojanised version of the NetExtender app, which allowed it to bypass security checks on Windows. It was signed using a digital certificate issued to "CITYLIGHT MEDIA Private LIMITED".

Russian Malware Lostkeys Can Steal Your Files and Extract Sensitive Data

If a user downloaded the fake version of the SonicWall NetExtender VPN app, it would install two modified applications, "NeService.exe" and "NetExtender.exe". The threat actor's changes to the NeService.exe allowed them to bypass the digital certificate checks performed when the app is loaded.

Meanwhile, the modified NetExtender.exe application would collect details about the user's VPN configuration, including their username, password, domain, and other information. These would be sent to a remote server once the user clicked the Connect button.

SonicWall has updated its malware detection tool and will automatically block the malicious software after identifying it as GAV: Fake-NetExtender (Trojan). Microsoft's Windows Defender software will also detect the trojanised version of the app, which is categorised as "SilentRoute" Trojan ("TrojanSpy:Win32/SilentRoute.A")

LockBit Ransomware Group Gets Hacked, Extortion Tactics Exposed

The digital certificate used to sign the installer has also been revoked, and the companies worked to take down the websites that were being used to impersonate the NetExtended VPN application. Meanwhile, SonicWall has urged users to download the application from its website instead of using third party sources.

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.