
UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Deploy SNOW Malware

Published:

23 April 2026 at 18:16:00

Alert date:

23 April 2026 at 19:01:54

Source:

thehackernews.com


Ransomware & Malware, Email & Messaging, Enterprise Applications

The UNC6692 threat actor conducts social engineering attacks by impersonating IT helpdesk employees via Microsoft Teams. The group convinces victims to accept chat invitations from fake accounts and then deploys the custom SNOW malware suite. This represents a novel use of enterprise collaboration platforms for initial access and malware deployment.

Technical details

UNC6692 uses social engineering via Microsoft Teams: it first overwhelms victims with email spam campaigns, then contacts them posing as an IT helpdesk offering assistance. Victims are tricked into clicking phishing links that download AutoHotkey scripts from AWS S3 buckets. The attack deploys the SNOW malware suite, including SNOWBELT (a JavaScript-based backdoor browser extension for Edge), SNOWGLAZE (a Python-based WebSocket tunneler), and SNOWBASIN (a persistent backdoor running an HTTP server on ports 8000-8002). The malware enables remote command execution, screenshot capture, file upload/download, network scanning for ports 135/445/3389, lateral movement via PsExec and RDP, LSASS memory extraction, Pass-the-Hash attacks, and data exfiltration using FTK Imager and LimeWire.

Mitigation steps:

Enforce help desk verification workflows
Tighten external Teams and screen-sharing controls
Harden PowerShell execution
Treat collaboration tools as first-class attack surfaces
Implement network reputation filters for cloud traffic monitoring
Monitor for suspicious browser extension installations
Watch for unusual HTTP server activity on ports 8000-8002
Detect LSASS memory extraction attempts
Monitor for Pass-the-Hash attack indicators
Implement controls for external Teams chat invitations
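Two of the mitigations above are network indicators that can be turned into simple detections: an unexpected process listening on TCP 8000-8002, and a single workstation sweeping 135/445/3389 across many hosts. The script below is an added example written for this page, not code from the article or from Perceptive; the telemetry format, host names, process paths and allowlist are all constructed, and any real deployment would feed it from EDR or Zeek/Sysmon exports instead.

```python
"""Toy detections for two indicators named in the advisory:
  1. a non-allowlisted process listening on TCP 8000-8002
  2. one source host reaching many distinct destinations on 135/445/3389
Telemetry format and all sample values are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_LISTEN_PORTS = {8000, 8001, 8002}   # SNOWBASIN HTTP server ports (per advisory)
SCAN_PORTS = {135, 445, 3389}               # RPC / SMB / RDP ports scanned (per advisory)

# Hypothetical allowlist of images that legitimately listen on the watched ports.
LISTEN_ALLOWLIST = {r"c:\program files\nginx\nginx.exe"}

# Constructed listen-socket telemetry: (timestamp, host, process image, local port)
LISTEN_EVENTS = [
    ("2026-04-23T10:00:01", "WS-104", r"C:\Program Files\nginx\nginx.exe", 8000),
    ("2026-04-23T10:02:15", "WS-221", r"C:\Users\j.doe\AppData\Local\Temp\updater.exe", 8001),
    ("2026-04-23T10:02:16", "WS-221", r"C:\Users\j.doe\AppData\Local\Temp\updater.exe", 8002),
    ("2026-04-23T10:05:40", "WS-300", r"C:\Windows\System32\svchost.exe", 135),
]

# Constructed outbound-connection telemetry: (timestamp, src host, dst host, dst port)
# WS-104 is normal desktop traffic; WS-221 touches 12 hosts on all three ports in 12 s.
CONN_EVENTS = [
    ("2026-04-23T10:10:00", "WS-104", "FS01", 445),
    ("2026-04-23T10:10:30", "WS-104", "DC01", 135),
    ("2026-04-23T10:11:00", "WS-104", "FS01", 445),
] + [
    (f"2026-04-23T10:12:{i:02d}", "WS-221", f"10.0.5.{i + 1}", port)
    for i in range(12)
    for port in (135, 445, 3389)
]


def unexpected_listeners(events, allowlist=LISTEN_ALLOWLIST):
    """Return (host, image, port) for listeners on watched ports not in the allowlist."""
    hits = []
    for _ts, host, image, port in events:
        if port in WATCHED_LISTEN_PORTS and image.lower() not in allowlist:
            hits.append((host, image, port))
    return hits


def detect_scans(events, window=timedelta(minutes=5), min_targets=10):
    """Return {src_host: max_distinct_targets} for hosts that reach at least
    `min_targets` distinct destinations on SCAN_PORTS inside any sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port in SCAN_PORTS:
            by_src[src].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            # Advance the window start until the span fits inside `window`.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            targets = {dst for _, dst in conns[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for host, image, port in unexpected_listeners(LISTEN_EVENTS):
        print(f"[listener] {host}: {image} bound to tcp/{port}")
    for src, count in detect_scans(CONN_EVENTS).items():
        print(f"[scan] {src} reached {count} hosts on {sorted(SCAN_PORTS)} within 5 min")
```

On the constructed data the listener check flags only the Temp-directory binary on WS-221 (the nginx instance is allowlisted and svchost on 135 is outside the watched range), and the scan check flags WS-221 alone, since WS-104 touches just two destinations. The thresholds are starting points: the window and `min_targets` should be tuned against a baseline of normal SMB/RDP fan-out for the environment before the rule is allowed to page anyone.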

Affected products:

Microsoft Teams
Microsoft Edge
Quick Assist
Supremo Remote Desktop
Windows Task Manager
FTK Imager
LimeWire
AWS S3

IOCs:

Mailbox Repair and Sync Utility v2.1.5
SNOWBELT browser extension
SNOWGLAZE tunneler
SNOWBASIN backdoor
HTTP servers on ports 8000, 8001, 8002
Network scans on ports 135, 445, 3389
AutoHotkey scripts from AWS S3 buckets
PhantomBackdoor trojan
WebSocket-based communications

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
