
UNC6692 Impersonates IT Helpdesk Using Microsoft Teams to Install SNOW Malware

A cluster of previously undocumented threat activity tracked as UNC6692 has been observed using social engineering over Microsoft Teams to deploy custom malware on victims' hosts.

“Like many other criminals in recent years, UNC6692 relies heavily on impersonating IT help desk workers, convincing their victims to accept a Microsoft Teams chat invitation from an account outside their organization,” Google-owned Mandiant said in a report published today.

The attacks begin with an email bombing campaign that floods the target's inbox with a barrage of spam to create a false sense of urgency. The threat actor then contacts the target in Microsoft Teams with a message claiming to come from the IT support team and offering help with the email bombing problem.

This combination of email bombing followed by help desk impersonation over Microsoft Teams has long been part of the playbook of former Black Basta members. The group shut down its ransomware operation early last year, but the playbook shows no signs of slowing down.

In a report published last week, ReliaQuest revealed that this method is used to target managers and senior employees to gain initial access to corporate networks, access that can then be used for data theft, lateral movement, ransomware, and fraud. In some cases, the Teams conversations were initiated as little as 29 seconds apart.

The goal of the chat is to trick victims into installing legitimate remote access and remote monitoring and management (RMM) tools such as Quick Assist or Supremo Remote Desktop, giving the attacker interactive access to the host that is then used to drop additional payloads.

“From March 1 to April 1, 2026, 77% of the incidents observed targeted employees in senior positions, up from 59% in the first two months of 2026,” said ReliaQuest researchers John Dilgen and Alexa Feminella. “This work shows that the tactics of a dangerous group can outlive the group itself.”

The attack chain described by Mandiant deviates from this approach: the victim is instructed to click a phishing link shared in the Teams chat to install a supposed local patch for the spam problem. The phishing page, titled “Mailbox Fix and Sync Usage v2.1.5,” serves an AutoHotkey script that is downloaded from an AWS S3 bucket controlled by the threat actor.

The script first performs a gatekeeping check, then installs SNOWBELT, a malicious Chromium-based browser extension, into Microsoft Edge by launching the browser in headless mode with the command-line switch “--load-extension”.
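Defenders can look for the launch pattern just described in process-creation telemetry. The following Python is an added example written for this article (it is not code from Mandiant or from the SNOW toolkit): it parses a Windows command line and flags a Chromium-based browser started with both --headless and --load-extension, tolerating the spellings a logged command line can take. The browser list, the sample records and their parent-process paths are constructed assumptions, not observed indicators.

```python
"""Flag Chromium-based browsers launched headless with a side-loaded extension.

Added example for this article, not code from Mandiant or from the SNOW
toolkit. Input is the command line from a process-creation record (Sysmon
Event ID 1 or Windows event 4688); the sample records below are constructed.
"""
from typing import Optional

BROWSERS = {"msedge.exe", "chrome.exe", "chromium.exe", "brave.exe"}  # assumed list


def tokenize_windows_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted
    runs (paths with spaces) together and dropping the quote characters.
    Backslash-escaped quotes are not handled; they do not occur here."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def headless_extension_load(cmdline: str) -> Optional[dict]:
    """Return {'image', 'extensions'} when a browser is started with both
    --headless (or --headless=new) and --load-extension, the combination the
    article describes for loading SNOWBELT into Edge; otherwise None.
    Accepts '--load-extension=<paths>' and '--load-extension <paths>',
    comma-separated path lists, quoted paths and mixed-case switches."""
    tokens = tokenize_windows_cmdline(cmdline)
    if not tokens:
        return None
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    if image not in BROWSERS:
        return None
    headless, extensions = False, []
    i = 1
    while i < len(tokens):
        key, _, value = tokens[i].partition("=")
        key = key.lower()
        if key == "--headless":
            headless = True
        elif key == "--load-extension":
            if not value and i + 1 < len(tokens):  # space-separated form
                i += 1
                value = tokens[i]
            extensions.extend(p for p in value.split(",") if p)
        i += 1
    if headless and extensions:
        return {"image": image, "extensions": extensions}
    return None


# Constructed process-creation records; paths and parents are hypothetical.
SAMPLE_EVENTS = [
    {"parent": "C:\\Program Files\\AutoHotkey\\AutoHotkey.exe",
     "cmdline": '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
                '--headless=new --load-extension="C:\\Users\\alice\\AppData\\Local\\Temp\\ext"'},
    {"parent": "C:\\Windows\\explorer.exe",
     "cmdline": '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
                '--profile-directory=Default'},
    {"parent": "C:\\Python312\\python.exe",  # headless automation, no side-loaded extension
     "cmdline": "chrome.exe --headless --disable-gpu --screenshot https://example.com"},
    {"parent": "C:\\Users\\bob\\Downloads\\mailbox_fix.exe",
     "cmdline": "msedge.exe --load-extension C:\\ProgramData\\ext1,C:\\ProgramData\\ext2 --HEADLESS"},
]


def find_suspicious(events: list[dict]) -> list[dict]:
    """Run the check over process-creation records, attaching the parent image."""
    hits = []
    for ev in events:
        hit = headless_extension_load(ev["cmdline"])
        if hit:
            hit["parent"] = ev["parent"]
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{hit['image']} (parent {hit['parent']}) side-loads: {', '.join(hit['extensions'])}")
```

A hit is not proof of compromise on its own, since developers and test automation also side-load unpacked extensions, so pair it with the parent process and the extension's location: an AutoHotkey or Downloads-folder parent combined with an extension under a temporary directory, as in the first and last sample records, is the combination worth escalating.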

“The attacker used a gatekeeper script designed to ensure that the payload is only delivered to the target while avoiding automated security sandboxes,” said Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley and Muhammad Umair.

“The script also checks the victim’s browser. If the user is not using Microsoft Edge, the page displays a persistent overlay warning. Using the SNOWBELT extension, UNC6692 downloaded additional files including SNOWGLAZE, SNOWBASIN, AutoHotkey scripts, and a ZIP archive containing a portable and functional Python.”

The phishing page also mimics a configuration control panel with a prominent “Check Health” button. Clicking it prompts the user to enter their mailbox credentials, ostensibly for authentication; in reality the credentials are harvested and exfiltrated to another Amazon S3 bucket.

The SNOW malware ecosystem is a set of components that work together on the attacker's behalf. SNOWBELT is a JavaScript-based backdoor that receives commands and forwards them to SNOWBASIN for execution, while SNOWGLAZE is a Python-based tunneling utility that creates a secure, authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) server.

The third component, SNOWBASIN, is a persistent backdoor that supports remote command execution via “cmd.exe” or “powershell.exe,” screenshot capture, file upload and download, and self-termination. It runs as a local HTTP server on port 8000, 8001, or 8002.

Some of the post-exploitation actions performed by UNC6692 after gaining initial access are as follows:

  • Use a Python script to scan the local network for ports 135, 445, and 3389 in preparation for lateral movement, establish a PsExec session to the victim system through the SNOWGLAZE tunnel, and start an RDP session through the SNOWGLAZE tunnel from the victim system to a backup server.
  • Use a local administrator account to dump the memory of the LSASS process via Windows Task Manager in order to extract credentials and escalate privileges.
  • Use the pass-the-hash technique with the harvested password hashes to authenticate to domain controllers, download and run FTK Imager to capture sensitive data (e.g., the Active Directory database file) and write it to the Downloads folder, and exfiltrate it using the LimeWire file upload tool.
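As an added example (not from the Mandiant report) of hunting for the first two bullets in Sysmon telemetry, the Python below checks network-connection events for a single host fanning out to many peers on ports 135, 445 and 3389, and process-access events for a process outside an allowlist obtaining read access to lsass.exe, which is what Task Manager's dump-file action produces. The events are constructed, and the allowlist, window and threshold are assumptions to tune for your environment.

```python
"""Hunt for two post-exploitation behaviours from the list above in Sysmon-
style telemetry: a host sweeping many peers on ports 135/445/3389 (Event ID 3,
network connection) and Task Manager reading lsass.exe memory (Event ID 10,
process access). Added example for this article, not code from Mandiant.
Field names follow Sysmon's schema; the events below are constructed and the
process allowlist is an illustrative assumption to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL_PORTS = {135, 445, 3389}          # RPC, SMB (PsExec), RDP
PROCESS_VM_READ = 0x0010                  # access right needed to read LSASS memory
# Processes that legitimately read LSASS on a typical host (assumption, tune per estate).
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_port_sweep(events, window=timedelta(minutes=5), min_targets=10):
    """Return {source_ip: distinct_targets} for sources that contacted at least
    `min_targets` distinct hosts on lateral-movement ports inside any `window`.
    A sliding window over the sorted connection times keeps a slow, routine
    trickle of SMB traffic from looking like a burst scan."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 3 and ev["DestinationPort"] in LATERAL_PORTS:
            by_src[ev["SourceIp"]].append((parse_ts(ev["UtcTime"]), ev["DestinationIp"]))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        best = 0
        for i, (start, _) in enumerate(conns):
            in_window = {ip for t, ip in conns[i:] if t - start <= window}
            best = max(best, len(in_window))
        if best >= min_targets:
            alerts[src] = best
    return alerts


def detect_lsass_access(events):
    """Return process-access events where a non-allowlisted process obtained
    PROCESS_VM_READ on lsass.exe. Task Manager's "Create dump file" is the
    case the article describes; the same check catches other dumpers."""
    hits = []
    for ev in events:
        if ev["EventID"] != 10 or not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        source = ev["SourceImage"].rsplit("\\", 1)[-1].lower()
        granted = int(ev["GrantedAccess"], 16)   # Sysmon logs this as a hex string
        if source in LSASS_READERS_ALLOWED or not granted & PROCESS_VM_READ:
            continue
        hits.append({"time": ev["UtcTime"], "source": source,
                     "granted": hex(granted), "taskmgr_dump": source == "taskmgr.exe"})
    return hits


# Constructed events: 12 connections from one host to 12 peers in 12 seconds,
# ordinary file-server traffic from another host, one non-lateral port, and
# two LSASS handle opens (Task Manager versus Defender's engine).
SAMPLE_EVENTS = (
    [{"EventID": 3, "UtcTime": f"2026-04-02 10:15:{i:02d}", "SourceIp": "10.0.0.25",
      "DestinationIp": f"10.0.0.{100 + i}", "DestinationPort": (135, 445, 3389)[i % 3]}
     for i in range(12)]
    + [{"EventID": 3, "UtcTime": "2026-04-02 10:16:05", "SourceIp": "10.0.0.30",
        "DestinationIp": "10.0.0.5", "DestinationPort": 445},
       {"EventID": 3, "UtcTime": "2026-04-02 10:16:09", "SourceIp": "10.0.0.25",
        "DestinationIp": "10.0.0.7", "DestinationPort": 443},
       {"EventID": 10, "UtcTime": "2026-04-02 10:31:44",
        "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
        "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"},
       {"EventID": 10, "UtcTime": "2026-04-02 10:31:50",
        "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1\\MsMpEng.exe",
        "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"}]
)


if __name__ == "__main__":
    print("port sweeps:", detect_port_sweep(SAMPLE_EVENTS))
    print("LSASS access:", detect_lsass_access(SAMPLE_EVENTS))
```

The two checks are deliberately independent so either can run on its own feed; in practice the sweep hit is what should trigger a look at the same host's process-access and logon events, since the scan precedes the PsExec and RDP activity in the chain above.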

“The UNC6692 campaign shows an interesting shift in tactics, particularly the use of social engineering, customized malware, and a malicious browser extension, playing on the victim’s natural trust in different business software providers,” the tech giant said.

“A key aspect of this strategy is the systematic abuse of legitimate cloud services for payload delivery and release, as well as command and control (C2) infrastructure. By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and interact with high volumes of legitimate cloud traffic.”

The disclosure comes as Cato Networks details a phishing campaign that uses the same kind of help desk impersonation in Microsoft Teams to guide victims into executing a WebSocket-based trojan called PhantomBackdoor by way of an obfuscated PowerShell script hosted on an external server.

“This incident shows how help desk impersonation delivered through a Microsoft Teams meeting can replace phishing and still lead to the same result: a planned PowerShell execution followed by a WebSocket backdoor,” the cybersecurity firm said.

“Defenders should treat collaboration tools as first-tier attack surfaces by enforcing desktop authentication workflows, strengthening external Teams and screen sharing controls, and hardening PowerShell.”
