UNC4540, a China-linked cybercriminal group, was observed deploying a custom backdoor on a SonicWall SMA appliance. Attackers show a thorough understanding of the appliance and use a set of malicious files to obtain privileges. The malware is capable of extracting credentials, achieving persistence through firmware upgrades, and remotely executing code.