UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Deploy SNOW Malware
TL;DR
A newly identified threat cluster, UNC6692, is using "email bombing" to overwhelm victims before impersonating IT support on Microsoft Teams. They trick targets into installing the "SNOW" malware suite via a fake repair utility, enabling credential harvesting, lateral movement, and data exfiltration.
The Rise of UNC6692
Security researchers at Mandiant (owned by Google) have identified a sophisticated new threat activity cluster labeled UNC6692. This group utilizes a multi-stage social engineering playbook designed to exploit the inherent trust employees place in internal IT departments and enterprise collaboration tools like Microsoft Teams.
The campaign is characterized by its use of custom malware—specifically the "SNOW" suite—and its focus on high-value targets within corporate environments.
The Attack Chain: From Inbox Storm to Teams Chat
The attack begins not with a virus, but with a psychological tactic known as email bombing. UNC6692 floods a target's inbox with a massive volume of spam, creating a sense of urgency and technical frustration.
- The Approach: Once the inbox is overwhelmed, the threat actor contacts the victim via Microsoft Teams. The attacker uses an account from outside the organization but impersonates a member of the IT helpdesk, offering to help resolve the "spam issue."
- The Phishing Link: Unlike previous groups that favored remote desktop tools like Quick Assist, UNC6692 directs victims to a phishing page titled "Mailbox Repair and Sync Utility v2.1.5."
- The Payload: Clicking the link downloads an AutoHotkey script from an AWS S3 bucket. A "gatekeeper" script ensures the payload only launches on intended targets, avoiding automated security sandboxes.
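The attack chain above (a mail burst followed by an external Teams "helpdesk" contact) is something a SOC can correlate from mail-flow and Teams audit telemetry. The following Python is an added defender-side example, not code from the article or from Mandiant; the event formats, thresholds and the sample telemetry are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed format, not data from the article).
# Mail event: (timestamp, recipient). Teams event: (timestamp, recipient,
# sender_is_external_tenant, sender_display_name).
MAIL_EVENTS = [
    (datetime(2026, 4, 10, 9, 0) + timedelta(seconds=5 * i), "cfo@corp.example")
    for i in range(300)                      # 300 spam mails in 25 minutes
] + [
    (datetime(2026, 4, 10, 9, 0) + timedelta(minutes=10 * i), "dev@corp.example")
    for i in range(12)                       # normal trickle for a second user
]
TEAMS_EVENTS = [
    (datetime(2026, 4, 10, 9, 40), "cfo@corp.example", True, "IT Helpdesk"),
    (datetime(2026, 4, 10, 11, 0), "dev@corp.example", True, "Vendor Support"),
    (datetime(2026, 4, 10, 9, 50), "dev@corp.example", False, "IT Helpdesk"),
]


def email_bomb_victims(mail_events, threshold=200, window=timedelta(minutes=30)):
    """Return {recipient: time_threshold_crossed} for mailboxes that received
    at least `threshold` messages inside any sliding `window`."""
    per_user = defaultdict(list)
    for ts, rcpt in mail_events:
        per_user[rcpt].append(ts)
    victims = {}
    for rcpt, times in per_user.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                victims[rcpt] = ts
                break
    return victims


def correlate(mail_events, teams_events, followup=timedelta(hours=3)):
    """Flag chats from an external tenant that reach a bombed mailbox within
    `followup` of the burst: the sequence used to open the fake-helpdesk chat."""
    victims = email_bomb_victims(mail_events)
    alerts = []
    for ts, rcpt, external, sender in teams_events:
        burst_ts = victims.get(rcpt)
        if burst_ts is None or not external:
            continue                          # internal senders or no burst: skip
        if burst_ts - timedelta(minutes=30) <= ts <= burst_ts + followup:
            alerts.append({"user": rcpt, "sender": sender,
                           "burst_time": burst_ts, "teams_time": ts})
    return alerts
```

An internal "IT Helpdesk" message is deliberately not flagged; the signal is the combination of the burst and a sender from outside the tenant, which is where Teams external-access policies apply.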
The SNOW Malware Suite
If the victim is using the Microsoft Edge browser, the attacker deploys a modular malware ecosystem referred to as "SNOW." This suite consists of three primary components:
- SNOWBELT: A JavaScript-based browser extension (backdoor) for the Chromium-based Edge browser. It receives commands and coordinates with other modules.
- SNOWGLAZE: A Python-based tunneling utility that creates an authenticated WebSocket tunnel between the victim’s internal network and the attacker's Command-and-Control (C2) server.
- SNOWBASIN: A persistent backdoor that enables remote command execution (via PowerShell or cmd.exe), file transfers, and screenshot captures. It functions as a local HTTP server.
In addition to malware delivery, the phishing page features a "Health Check" button. When clicked, it prompts the user for their mailbox credentials, which are then exfiltrated to an Amazon S3 bucket.
Lateral Movement and Data Theft
Once initial access is established via the SNOW suite, UNC6692 engages in aggressive post-exploitation activities to compromise the wider network:
- Network Scanning: Attackers use Python scripts to scan for open ports (135, 445, 3389) to identify targets for lateral movement.
- Privilege Escalation: By extracting LSASS process memory through Windows Task Manager, the group attempts to obtain administrative credentials.
- Domain Compromise: Using Pass-The-Hash techniques, the group moves toward domain controllers.
- Data Exfiltration: The group leverages FTK Imager to capture sensitive databases (such as Active Directory files) and uses the LimeWire file upload tool for exfiltration.
A Growing Trend in Executive Targeting
Data from ReliaQuest supports the severity of this trend, noting that between March and April 2026, 77% of these helpdesk-themed attacks targeted senior-level employees and executives, up from 59% earlier in the year.
By hosting malicious components on trusted cloud platforms like AWS, UNC6692 effectively bypasses traditional network filters, as the traffic appears legitimate to most security systems.
Conclusion
The emergence of UNC6692 demonstrates that social engineering remains one of the most effective tools in a threat actor's arsenal. By combining high-pressure tactics (email bombing) with trusted communication platforms (Microsoft Teams), attackers can bypass technical defenses and manipulate users into installing sophisticated custom malware. Organizations are encouraged to tighten external communication controls in Teams and implement strict verification workflows for IT support requests.
Source: https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html