
UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Distribute SNOW Malware


Key Findings


  • UNC6692 is a previously undocumented threat group using Microsoft Teams to impersonate IT helpdesk staff and deploy custom SNOW malware

  • Attack chain begins with email bombing campaigns followed by Teams-based social engineering to build false urgency

  • Victims are tricked into clicking phishing links that download AutoHotkey scripts deploying SNOWBELT browser extension

  • SNOW malware ecosystem is modular, including SNOWBELT backdoor, SNOWGLAZE tunneler, and SNOWBASIN remote access tool

  • Post-exploitation activity includes lateral movement via PsExec, credential harvesting, Pass-The-Hash attacks, and sensitive data exfiltration

  • The tactic mirrors the playbook Black Basta abandoned, showing that an effective technique outlives the group that popularized it


Background


Mandiant identified UNC6692 after tracking a campaign that combines email bombing with Microsoft Teams-based helpdesk impersonation. The approach has proven effective enough that even after Black Basta shut down ransomware operations last year, other threat actors continue using the same playbook. ReliaQuest research shows the tactic is increasingly targeting senior-level employees for initial network access, with incidents against executives rising from 59% to 77% between early 2026 and April 2026.


Attack Methodology


UNC6692's infection chain starts by overwhelming a target's email inbox with spam. The threat actor then contacts the victim via Microsoft Teams, posing as IT support and offering to help with the email problem. The victim is sent a phishing link claiming to be a "Mailbox Repair and Sync Utility v2.1.5" patch download. Clicking the link triggers an AutoHotkey script download from a threat-actor-controlled AWS S3 bucket. The attackers use gatekeeper scripts to ensure payloads only reach intended targets, evading security sandboxes and checking that victims are using Microsoft Edge.


SNOW Malware Components


SNOWBELT functions as a JavaScript-based backdoor that receives attacker commands and forwards them to SNOWBASIN for execution. SNOWGLAZE is a Python-based tunneler that establishes secure, authenticated WebSocket connections between the victim's internal network and the attacker's command-and-control server. SNOWBASIN operates as a persistent backdoor enabling remote command execution through cmd.exe or powershell.exe, screenshot capture, file upload and download, and self-termination capabilities. It runs as a local HTTP server on ports 8000, 8001, or 8002.


Credential Harvesting


The phishing page displays a Configuration Management Panel with a "Health Check" button. When clicked, users are prompted to enter mailbox credentials under the pretense of authentication. Instead, these credentials are harvested and exfiltrated to another Amazon S3 bucket controlled by the attackers, giving them legitimate access to compromised accounts.


Post-Exploitation Activities


Once inside the network, UNC6692 executes reconnaissance scans targeting ports 135, 445, and 3389 for lateral movement opportunities. The group establishes PsExec sessions and initiates RDP connections through SNOWGLAZE tunnels. For privilege escalation, attackers extract the LSASS process memory using Windows Task Manager. They leverage Pass-The-Hash techniques with elevated user credentials to move laterally to domain controllers, then deploy FTK Imager to capture sensitive data including Active Directory databases, writing results to accessible folders like Downloads.
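The signals called out above (reconnaissance on 135/445/3389, SNOWBASIN's local HTTP server on 8000-8002, and LSASS memory extraction via Task Manager) can be turned into simple detection logic. The following is an added example, not code from the original post or from Mandiant; the Sysmon-style event shapes, host names and threshold are assumptions made for illustration.

```python
"""Detection logic for the UNC6692 post-exploitation signals described in the write-up.
Runs over constructed Sysmon-like events (id 3 = network connect, id 10 = process access);
field names and hosts are assumed for illustration, not taken from real telemetry."""
from collections import defaultdict

LATERAL_PORTS = {135, 445, 3389}      # reconnaissance targets named in the report
SNOWBASIN_PORTS = {8000, 8001, 8002}  # SNOWBASIN local HTTP server ports named in the report
SCAN_THRESHOLD = 3                    # distinct destinations per port before calling it a scan

# Constructed sample events: WS01 shows the reported behaviour, WS02 is benign noise.
EVENTS = [
    {"id": 3, "host": "WS01", "image": "C:\\Windows\\System32\\svchost.exe", "dst": "10.0.0.11", "port": 445},
    {"id": 3, "host": "WS01", "image": "C:\\Windows\\System32\\svchost.exe", "dst": "10.0.0.12", "port": 445},
    {"id": 3, "host": "WS01", "image": "C:\\Windows\\System32\\svchost.exe", "dst": "10.0.0.13", "port": 445},
    {"id": 3, "host": "WS01", "image": "C:\\Windows\\System32\\svchost.exe", "dst": "10.0.0.14", "port": 3389},
    {"id": 3, "host": "WS01", "image": "C:\\Program Files\\Microsoft\\Edge\\msedge.exe", "dst": "127.0.0.1", "port": 8001},
    {"id": 10, "host": "WS01", "image": "C:\\Windows\\System32\\Taskmgr.exe", "target": "C:\\Windows\\System32\\lsass.exe"},
    {"id": 3, "host": "WS02", "image": "C:\\Program Files\\Outlook\\outlook.exe", "dst": "10.0.0.5", "port": 443},
]


def detect(events):
    """Return (host, rule, detail) tuples for each suspicious pattern found."""
    findings = []
    scan = defaultdict(set)  # (host, port) -> distinct destination addresses
    for e in events:
        if e["id"] == 3:
            # Fan-out to many internal hosts on SMB/RPC/RDP ports looks like the reported recon.
            if e["port"] in LATERAL_PORTS:
                scan[(e["host"], e["port"])].add(e["dst"])
            # A browser talking to a loopback HTTP server on 8000-8002 matches SNOWBASIN's listener.
            if e["dst"] == "127.0.0.1" and e["port"] in SNOWBASIN_PORTS:
                findings.append((e["host"], "local_http_8000_8002", e["image"]))
        elif e["id"] == 10 and e["target"].lower().endswith("lsass.exe"):
            # Task Manager (or anything else) opening LSASS is the credential-dump step.
            findings.append((e["host"], "lsass_access", e["image"]))
    for (host, port), dsts in scan.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings.append((host, f"scan_port_{port}", f"{len(dsts)} hosts"))
    return findings


if __name__ == "__main__":
    for host, rule, detail in detect(EVENTS):
        print(f"{host}: {rule} ({detail})")
```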


Sources


  • https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html

  • https://www.socdefenders.ai/item/74a4d24e-0a5c-4e97-97f3-3dab65c66a49

  • https://x.com/LifeboatHQ/status/2047537481415835667

  • https://xploitzone.com/unc6692-teams-snow-malware-attack/

  • https://www.reddit.com/r/SecOpsDaily/comments/1sts3d2/unc6692_impersonates_it_helpdesk_via_microsoft/

© 2025 by Explain IT Again.