UNC6692 Impersonates IT Help Desk via Microsoft Teams to Deploy SNOW Malware Suite
Mandiant has identified UNC6692, a threat actor using Microsoft Teams to impersonate IT help desk staff and deploy the modular SNOW malware suite, with 77% of observed incidents targeting senior executives.

Mandiant has uncovered a previously undocumented threat activity cluster, UNC6692, that is leveraging sophisticated social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. The campaign, detailed in a report published today, relies heavily on impersonating IT help desk employees to trick victims into accepting a Teams chat invitation from an account outside their organization.
The attack chain begins with a large email campaign designed to overwhelm a target's inbox with a flood of spam emails, creating a false sense of urgency. The threat actor then approaches the target over Microsoft Teams, claiming to be from the IT support team and offering assistance with the email bombing problem. This combination of email bombing followed by Teams-based help desk impersonation has been a tactic long embraced by former Black Basta affiliates, and despite the group shutting down its ransomware operations early last year, the playbook continues to be effective.
According to Mandiant, the goal of the conversation is to trick victims into clicking a phishing link shared via Teams chat to install a local patch to remediate the spam issue. Once clicked, it leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket. The phishing page is named "Mailbox Repair and Sync Utility v2.1.5." The script is designed to perform initial reconnaissance and then install SNOWBELT, a malicious Chromium-based browser extension on the Edge browser by launching it in headless mode with the "--load-extension" command line switch.
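The headless Edge launch with `--load-extension` described above is a concrete detection opportunity for defenders. The following Python snippet, added here as an illustration and not taken from the Mandiant report, scores constructed process-creation events (Sysmon/EDR-style fields) for exactly that pattern; the field names, sample paths and the assumption that the AutoHotkey interpreter is the parent process are all hypothetical.

```python
import re

# Browsers that honour the Chromium --load-extension switch.
CHROMIUM_BROWSERS = {"msedge.exe", "chrome.exe", "brave.exe", "chromium.exe"}
# Script interpreters that would be unusual parents for a browser.
SCRIPT_HOSTS = {"autohotkey.exe", "autohotkey64.exe", "autohotkey32.exe",
                "wscript.exe", "cscript.exe", "powershell.exe"}

# Constructed sample events for the demo; not data from the report.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey64.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"msedge.exe" --headless --load-extension="C:\Users\alice\AppData\Roaming\ext" --no-first-run'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"msedge.exe" --profile-directory=Default'},
    {"parent_image": r"C:\Users\bob\dev\node.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"chrome.exe" --headless=new --disable-gpu https://example.internal'},
]

# Matches --name, --name=value and --name="value with spaces".
SWITCH_RE = re.compile(r'--([\w-]+)(?:=("[^"]*"|\S+))?')


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_switches(command_line):
    """Map of Chromium switch name -> value (quotes stripped, '' if none)."""
    return {m.group(1).lower(): (m.group(2) or "").strip('"')
            for m in SWITCH_RE.finditer(command_line)}


def score_event(event):
    """Return (severity, reasons); severity 0 means no finding.
    --load-extension is the anchor: headless alone is common in dev/CI tooling."""
    if basename(event["image"]) not in CHROMIUM_BROWSERS:
        return 0, []
    switches = parse_switches(event["command_line"])
    if "load-extension" not in switches:
        return 0, []
    reasons = ["unpacked extension sideloaded from " + switches["load-extension"]]
    if "headless" in switches:
        reasons.append("headless launch hides the browser window from the user")
    parent = basename(event["parent_image"])
    if parent in SCRIPT_HOSTS:
        reasons.append("parent is a scripting host: " + parent)
    return len(reasons), reasons


def detect(events, min_severity=2):
    """Indices, severities and reasons of events worth alerting on."""
    hits = []
    for i, event in enumerate(events):
        severity, reasons = score_event(event)
        if severity >= min_severity:
            hits.append((i, severity, reasons))
    return hits
```

Only the first sample event fires (sideloaded extension, headless, script-host parent); the interactive Edge session and the developer's headless Chrome run are ignored.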
The SNOW malware ecosystem is a modular toolkit whose components work together to facilitate the attacker's goals. SNOWBELT is a JavaScript-based backdoor that receives commands and relays them to SNOWBASIN for execution. SNOWGLAZE is a Python-based tunneler that creates a secure, authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) server. SNOWBASIN operates as a persistent backdoor that enables remote command execution via "cmd.exe" or "powershell.exe," screenshot capture, file upload/download, and self-termination.
Post-exploitation actions carried out by UNC6692 include using a Python script to scan the local network for ports 135, 445, and 3389 for lateral movement, establishing a PsExec session to the victim's system via the SNOWGLAZE tunneling utility, and initiating an RDP session via the SNOWGLAZE tunnel from the victim system to a backup server. The attackers also utilize a local administrator account to extract the system's LSASS process memory with Windows Task Manager for privilege escalation and use the Pass-The-Hash technique to move laterally to the network's domain controllers.
The campaign has been observed targeting senior employees, with 77% of incidents from March to April 2026 hitting executives. This targeting pattern aligns with a separate report from ReliaQuest, which revealed that the approach is being used to target executives and senior-level employees for initial access into corporate networks for potential data theft, lateral movement, ransomware deployment, and extortion. In some cases, chats were initiated just 29 seconds apart.
Mandiant emphasizes that the UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware, and a malicious browser extension, playing on the victim's inherent trust in several different enterprise software providers. A critical element of this strategy is the systematic abuse of legitimate cloud services for payload delivery and exfiltration, and for command-and-control infrastructure. By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic.