UNC6692 Leverages Microsoft Teams Impersonation for SNOW Malware Deployment
The UNC6692 threat group is employing a sophisticated social engineering tactic, using Microsoft Teams to impersonate IT helpdesk staff and trick users into downloading their SNOW malware.

A newly identified threat group, designated UNC6692, has been observed employing a novel and highly effective social engineering strategy that weaponizes Microsoft Teams for initial access and malware deployment. This campaign bypasses traditional email-based phishing by directly engaging victims within a trusted collaboration platform, impersonating IT support personnel.
The attack chain begins with a preliminary wave of spam emails designed to create a sense of urgency and chaos for the targeted individuals. Shortly after, an attacker, posing as an IT helpdesk agent, reaches out via Microsoft Teams, offering a solution to the very problem they created. This staged approach leverages the victim's trust in internal support channels, making them more susceptible to the subsequent instructions.
Once a victim accepts the external Teams invitation, the attacker guides them to download a seemingly legitimate file, presented as a patch or fix. This file, however, is a renamed AutoHotkey binary accompanied by a script, both downloaded from an attacker-controlled cloud storage bucket. The execution of this script initiates the deployment of the SNOW malware toolkit.
The SNOW malware suite is a modular and layered ecosystem designed for persistence and stealth. It includes a malicious browser extension named SNOWBELT, which can survive system restarts, and a Python-based tunneling utility, SNOWGLAZE, that facilitates SOCKS5 traffic to mask command and control communications. Additionally, a local HTTP backdoor, SNOWBASIN, provides a direct channel for attackers to issue commands and exfiltrate data.
UNC6692's operational methodology emphasizes patience and stealth. After gaining initial access, the group meticulously moves through compromised systems, focusing on credential harvesting, internal network reconnaissance, and lateral movement before executing any actions that might trigger security alerts. The use of legitimate cloud services and familiar Windows features for command and control makes detection by standard network monitoring tools exceptionally difficult.
Security teams are advised to monitor for unusual browser extension installations, scheduled tasks that launch Microsoft Edge in headless mode, and unexpected outbound network connections. Organizations can mitigate this threat by restricting external chat permissions on Microsoft Teams, training employees to be wary of unsolicited helpdesk outreach, and implementing stricter controls around file sharing and remote assistance requests.
The campaign highlights a growing trend where threat actors are adapting their tactics to exploit the increasing reliance on digital collaboration tools. By blending into routine IT support interactions, UNC6692 effectively turns a trusted platform into a vector for deep system compromise, underscoring the need for enhanced user awareness and robust endpoint security measures.
Indicators of Compromise (IoCs) associated with this campaign include the AutoHotkey binary and script, the SNOWBELT browser extension, the SNOWGLAZE tunneling utility, the SNOWBASIN backdoor, and the use of attacker-controlled AWS S3 buckets for payload delivery and cloud storage for exfiltrating sensitive data, such as Active Directory databases.