UNC6692 Crime Crew Uses Microsoft Teams Help Desk Impersonation and Custom Snow Malware in Data-Theft Campaign
Google's Threat Intelligence Group has identified a new threat group, UNC6692, that combines help desk impersonation via Microsoft Teams with a custom modular malware ecosystem dubbed 'Snow' to steal credentials and establish persistent backdoor access.

Google's Threat Intelligence Group (GTIG) has uncovered a sophisticated cybercrime campaign conducted by a previously unknown threat group tracked as UNC6692. The operation, first detected in late December 2025, combines classic social engineering with a custom modular malware ecosystem named 'Snow' to steal credentials, establish persistent backdoor access, and exfiltrate data from targeted organizations.
The attack begins with a large-scale email spam campaign that floods target organizations with an overwhelming volume of email traffic. Shortly after, an attacker posing as help desk personnel contacts the victim via Microsoft Teams, offering assistance with the email deluge. The fake help desk worker directs the victim to click a link that supposedly installs a local patch to stop the spam, but the link leads to a landing page masquerading as a 'Mailbox Repair Utility.'
The phishing page features a 'Health Check' button that prompts users to authenticate with their email and password. GTIG researchers noted a particularly insidious 'double-entry' psychological trick: the script automatically rejects the first password attempt as incorrect, so the victim types the password a second time. 'This serves two functions: it reinforces the user's belief that the system is legitimate and performs real-time validation, and it ensures that the attacker captures the password twice, significantly reducing the risk of a typo in the stolen data,' the researchers explained.
After harvesting credentials, the phishing page performs a fake mailbox integrity check to keep the victim engaged while credentials and metadata are exfiltrated to an attacker-controlled Amazon S3 bucket. Simultaneously, staged files begin downloading onto the victim's machine. The first stage deploys an AutoHotkey binary and script that performs reconnaissance and installs a malicious Chromium browser extension called SnowBelt, which is not available through the Chrome Web Store.
UNC6692's custom malware operates as a modular ecosystem with three primary components: SnowBelt, SnowGlaze, and SnowBasin. SnowBelt is a JavaScript-based backdoor delivered as a Chromium browser extension that provides initial foothold and persistence, often hiding behind names like 'MS Heartbeat' or 'System Heartbeat.' SnowGlaze is a Python-based tunneler that creates an authenticated WebSocket tunnel between the victim's internal network and attacker C2 infrastructure, disguising traffic as legitimate encrypted web traffic. SnowBasin is a Python bindshell that serves as a persistent backdoor, allowing remote command execution, screenshot capture, and data staging for exfiltration.
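A defender-side hunt for the SnowBelt foothold described above, added here as an illustration and not code from GTIG or the report: it parses the extension settings of a Chromium profile and flags extensions that were not installed from the Chrome Web Store, with extra weight on sideloaded ones carrying the reported 'MS Heartbeat' or 'System Heartbeat' names. The preference key names and location codes are assumptions about Chromium's on-disk format, and the sample JSON is constructed.

```python
import json
from typing import Dict, List

# Constructed sample of the "extensions.settings" section of a Chromium profile's
# Preferences/Secure Preferences JSON. The key names (from_webstore, location,
# manifest.name, path) and the location codes (1 = internal/Web Store install,
# 4 = unpacked/sideloaded, 5 and 10 = built-in component) are assumptions drawn
# from Chromium's on-disk format; verify them against the profile you examine.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "a" * 32: {"from_webstore": True, "location": 1, "path": "a" * 32 + "/1.0_0",
               "manifest": {"name": "Example Ad Blocker", "version": "1.0"}},
    "b" * 32: {"from_webstore": False, "location": 4,
               "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
               "manifest": {"name": "MS Heartbeat", "version": "0.1"}},
    "c" * 32: {"from_webstore": False, "location": 5, "path": "pdf",
               "manifest": {"name": "Chrome PDF Viewer", "version": "1"}},
}}})

# Display names the campaign used for the SnowBelt extension, per the report.
SNOWBELT_NAMES = {"ms heartbeat", "system heartbeat"}
COMPONENT_LOCATIONS = {5, 10}   # assumed codes for Chromium's bundled extensions
UNPACKED_LOCATION = 4           # assumed code for a sideloaded, unpacked extension


def find_suspicious_extensions(prefs_json: str) -> List[Dict[str, object]]:
    """Return extensions that did not come from the Chrome Web Store, with the
    reasons each was flagged. Bundled component extensions are skipped because
    they never come from the store and would only produce noise."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        location = entry.get("location")
        if location in COMPONENT_LOCATIONS:
            continue
        name = entry.get("manifest", {}).get("name", "")
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if location == UNPACKED_LOCATION:
            reasons.append("loaded unpacked from %s" % entry.get("path", "?"))
        if name.strip().lower() in SNOWBELT_NAMES:
            reasons.append("name matches a reported SnowBelt alias")
        if reasons:
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_extensions(SAMPLE_PREFS):
        print(hit["id"], hit["name"], "; ".join(hit["reasons"]))
```

On a real profile, point the loader at the "Secure Preferences" file of each user profile directory and review every hit, since any sideloaded extension, not just one with these names, warrants a look.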
Google analysts confirmed to The Register that there is no overlap between UNC6692 and other known groups using similar social engineering tactics, such as ShinyHunters or Scattered Lapsus$ Hunters. The campaign follows a recent warning from Microsoft about criminals abusing Microsoft Teams communications and impersonating help desk personnel, though Google's researchers stated the two campaigns do not appear to be related. The discovery serves as a stark reminder of the increasing sophistication of cybercriminals who combine convincing social engineering with legitimate cloud services and custom malware to breach organizational defenses.