UNC6692 Threat Actor Uses Fake IT Helpdesk on Teams to Deliver SNOW Malware


Key Takeaways

  • Threat cluster UNC6692 uses a two‑stage social‑engineering lure: flood the victim’s inbox with spam, then pose as IT help desk on Microsoft Teams.
  • The attack convinces users to click a phishing link that downloads an AutoHotkey script from an attacker‑controlled AWS S3 bucket.
  • The script delivers the SNOW malware suite—SNOWBELT (Chromium extension), SNOWGLAZE (Python tunnel), and SNOWBASIN (persistent backdoor)—enabling credential theft, lateral movement, and data exfiltration.
  • UNC6692 heavily favors senior‑level employees; 77 % of observed incidents from March‑April 2026 targeted executives, up from 59 % earlier in the year.
  • The campaign abuses legitimate cloud services (AWS S3) for payload delivery, command‑and‑control, and exfiltration, helping it evade reputation‑based defenses.
  • Defenders should treat collaboration platforms as critical attack surfaces, enforce help‑desk verification, restrict external Teams interactions, and monitor PowerShell/WebSocket abuse.

Overview of UNC6692 Activity
UNC6692 is a previously undocumented threat group observed leveraging social engineering through Microsoft Teams to deploy a custom malware suite. The attackers first inundate a target’s email inbox with a high volume of spam, creating a sense of urgency that makes the recipient more likely to accept assistance. Following this email bombardment, they initiate a Teams chat impersonating an IT help‑desk employee, offering to resolve the fabricated email‑bombing issue. This approach mirrors tactics historically used by former Black Basta affiliates, indicating a durable playbook that persists even after the original ransomware group ceased operations.

Initial Contact and Social‑Engineering Flow
The typical interaction begins with the victim receiving a flood of spam emails, often resembling legitimate business communications. Within seconds—sometimes as little as 29 seconds—a Teams message arrives from an external account posing as internal IT support. The message claims to address the spam problem and urges the user to accept a remote‑assistance session or click a provided link. By exploiting the inherent trust users place in official‑looking help‑desk communications, UNC6692 gains a foothold without needing to bypass technical defenses at the outset.

Phishing Link and AutoHotkey Payload Delivery
Unlike help‑desk impersonation campaigns that push the victim to install a legitimate RMM tool, UNC6692’s chain directs the victim to a phishing link shared in the Teams chat. The link presents a page titled “Mailbox Repair and Sync Utility v2.1.5,” which prompts the user to download a “patch” for the supposed spam issue. Clicking the link triggers the download of an AutoHotkey script hosted on an attacker‑controlled AWS S3 bucket. The script includes a gatekeeper function that checks the environment, ensuring the payload runs only on intended targets and evades detection by automated sandboxes.

Browser Fingerprinting and SNOWBELT Deployment
The AutoHotkey script performs reconnaissance on the victim’s system, specifically checking whether Microsoft Edge is the active browser. If Edge is not detected, a persistent overlay warns the user to switch browsers, thereby guiding the victim toward the attacker’s preferred environment. When Edge is present, the script launches the browser in headless mode with the “--load-extension” switch, installing a malicious Chromium‑based extension dubbed SNOWBELT. This extension acts as a JavaScript backdoor that receives commands from the attacker and relays them to other components of the SNOW framework.
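The browser-launch step above leaves a distinctive process-creation signature: a Chromium browser started with `--load-extension`, in headless mode, by an AutoHotkey interpreter. The following detection is an added example written for this article; it is not code from the Mandiant/Google report or from the SNOW malware. The event records, field names (modelled on Sysmon Event ID 1: `Image`, `ParentImage`, `CommandLine`) and the AutoHotkey binary names are constructed assumptions for illustration, and the severity ladder goes one step beyond the article by also surfacing `--load-extension` without headless mode as a low-severity developer-style event.

```python
"""Flag process-creation events consistent with the SNOWBELT loading step:
Edge (or Chrome) started with --load-extension, escalating when the browser is
headless and when the parent process is an AutoHotkey interpreter.
All sample events below are constructed for this example, not real telemetry."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample events (field names follow Sysmon Event ID 1 naming).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey64.exe",   # assumed AHK binary name
     "CommandLine": r'msedge.exe --headless --load-extension="C:\Users\alice\AppData\Local\Temp\ext" --no-first-run'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msedge.exe --profile-directory=Default"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msedge.exe --load-extension=C:\dev\my-extension"},    # developer-style usage
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# Interpreter names are assumptions; extend to match what your fleet actually ships.
AHK_NAMES: Set[str] = {"autohotkey.exe", "autohotkey64.exe", "autohotkey32.exe",
                       "autohotkeyu64.exe", "autohotkeyu32.exe"}
CHROMIUM_BROWSERS: Set[str] = {"msedge.exe", "chrome.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def switches(cmdline: str) -> Set[str]:
    """Chromium-style switch names (without their values) found in a command line.
    '--headless=new' and '--load-extension="..."' both yield just the switch name."""
    return {m.group(1).lower() for m in re.finditer(r"(?<!\S)--([a-z0-9-]+)", cmdline, re.I)}


def score_event(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious browser launch, or None for everything else."""
    image = basename(ev.get("Image", ""))
    if image not in CHROMIUM_BROWSERS:
        return None
    sw = switches(ev.get("CommandLine", ""))
    if "load-extension" not in sw:
        return None
    reasons = ["--load-extension on browser command line"]
    severity = "low"                       # side-loaded extension alone: developers do this
    if "headless" in sw:
        reasons.append("headless mode")    # no visible window: user is not driving the browser
        severity = "medium"
    if basename(ev.get("ParentImage", "")) in AHK_NAMES:
        reasons.append("parent is an AutoHotkey interpreter")
        severity = "high"
    return {"image": image, "severity": severity, "reasons": reasons}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run score_event over a batch and keep the findings with their event index."""
    findings = []
    for idx, ev in enumerate(events):
        hit = score_event(ev)
        if hit:
            hit["index"] = idx
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] event {f['index']}: {f['image']} ({'; '.join(f['reasons'])})")
```

The switch parser deliberately drops values so the rule keys on the switch names only; the extension path in a real incident would be an indicator to pivot on, but it should not be what the rule depends on.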

The SNOW Malware Ecosystem
UNC6692’s toolkit consists of three tightly integrated modules. SNOWBELT handles command‑and‑control communication, receiving instructions and forwarding them to SNOWBASIN. SNOWGLAZE is a Python‑based tunneler that establishes an authenticated WebSocket tunnel between the compromised host and the attacker’s C2 server, allowing stealthy data exfiltration and ingress of additional payloads. SNOWBASIN operates as a persistent backdoor, listening on local ports 8000‑8002, capable of executing commands via cmd.exe or PowerShell, capturing screenshots, uploading/downloading files, and self‑terminating when needed. Together, these components provide a flexible platform for post‑exploitation activities.

Post‑Exploitation Tactics: Lateral Movement and Credential Theft
After establishing the SNOW framework, UNC6692 conducts internal reconnaissance using a Python script that scans for common Windows services (ports 135, 445, 3389). Leveraging the SNOWGLAZE tunnel, the attackers establish a PsExec session to move laterally and initiate RDP connections to backup servers. They then utilize a local administrator account to dump the LSASS process memory via Windows Task Manager, harvesting password hashes. Applying the Pass‑The‑Hash technique, they authenticate to domain controllers, deploy FTK Imager to capture the Active Directory database, store it in the \Downloads folder, and exfiltrate it using the LimeWire file‑upload tool. These steps enable deep network penetration and the theft of high‑value credentials.
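The reconnaissance step at the start of this chain, one host probing many internal hosts on ports 135, 445 and 3389, is visible in flow or firewall logs long before the LSASS dump. The sliding-window detector below is an added example for this article, not code from the report or from UNC6692's tooling; the flow format (`timestamp src dst dport`), the threshold of 10 distinct destinations in 5 minutes and all addresses are constructed assumptions, and the window and threshold need tuning against a baseline of your own vulnerability scanners and management hosts.

```python
"""Detect one source fanning out to many distinct internal hosts on the Windows
service ports the article names (135, 445, 3389) within a short time window.
Flow records and thresholds below are constructed for this example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SCAN_PORTS = {135, 445, 3389}
WINDOW = timedelta(minutes=5)
THRESHOLD = 10            # distinct destination hosts within WINDOW (assumed, tune per environment)

# Constructed sample flows, format "timestamp src dst dport" (not real network data):
# 10.1.5.23 touches 15 different hosts across the three ports in 15 seconds (scan-like);
# 10.1.5.40 hits one file server repeatedly and 10.1.5.41 talks HTTPS (benign).
SAMPLE_FLOWS: List[str] = [
    f"2026-04-02T10:00:{i:02d} 10.1.5.23 10.1.5.{100 + i} {port}"
    for i, port in enumerate([135, 445, 3389] * 5)
] + [
    f"2026-04-02T10:00:{i:02d} 10.1.5.40 10.1.5.10 445" for i in range(12)
] + [
    "2026-04-02T10:00:05 10.1.5.41 10.1.5.50 443",
]


def parse_flow(line: str) -> Tuple[datetime, str, str, int]:
    """Split one flow record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_scans(lines: List[str], window: timedelta = WINDOW,
                 threshold: int = THRESHOLD) -> Dict[str, List[str]]:
    """Return {src: sorted distinct destinations} for every source that reached
    `threshold` distinct hosts on SCAN_PORTS inside any `window`-long interval."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport in SCAN_PORTS:
            by_src[src].append((ts, dst))

    alerts: Dict[str, List[str]] = {}
    for src, events in by_src.items():
        events.sort()                        # chronological; flows rarely arrive ordered
        in_window: Counter = Counter()       # dst -> hits inside the current window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event in the window is recent enough.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts[src] = sorted(in_window)
                break                        # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, hosts in detect_scans(SAMPLE_FLOWS).items():
        print(f"possible internal scan from {src}: {len(hosts)} hosts on {sorted(SCAN_PORTS)}")
```

Counting distinct destinations rather than raw connections is what separates the scan from the repeated file-server traffic of `10.1.5.40`; the latter generates more flows but never leaves the single-host bucket.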

Abuse of Cloud Services for Stealth
A hallmark of UNC6692’s operation is the systematic use of legitimate cloud infrastructure. Malicious components—the AutoHotkey script, SNOW malware binaries, and exfiltrated data—are hosted on AWS S3 buckets that appear benign to reputation‑based filters. By blending malicious traffic with the high volume of legitimate cloud communications, the group reduces the likelihood of detection by network‑level security controls. This abuse of trusted services also simplifies command‑and‑control, as the attackers can rely on scalable, resilient cloud endpoints without maintaining their own servers.

Related Threat Landscape and Defensive Recommendations
Similar help‑desk impersonation campaigns have been observed by other security firms, such as Cato Networks’ PhantomBackdoor operation, which also uses Microsoft Teams to lure victims into executing obfuscated PowerShell scripts that establish WebSocket backdoors. These parallels underscore a broader trend: collaboration platforms are becoming prime attack surfaces. Organizations should therefore enforce strict verification workflows for any help‑desk interaction, limit external Teams communication and screen‑sharing capabilities, and monitor PowerShell and WebSocket usage for anomalous behavior. Additionally, deploying endpoint detection that inspects AutoHotkey execution, browser extension installations, and unconventional cloud traffic can help uncover UNC6692‑style intrusions before the attackers gain control of the whole network.
