UNC6692 Campaign Utilizes SNOW Malware for Multi-Stage Attacks

UNC6692 Campaign Utilizes SNOW Malware for Multi-Stage Attacks

First seen 11 Jul 2026, 02:08 UTC GbhackersSocprime 81% similarity 69.0

Article Content

Browse articles
ThreatCluster

The UNC6692 threat actor has launched a sophisticated multi-stage campaign utilizing the SNOW malware ecosystem. This operation employs social engineering tactics, including email bombing and Microsoft Teams impersonation, to create urgency and trust among victims. The attack vector involves delivering malicious payloads through AWS S3 buckets, leading to the compromise of a Domain Controller and exfiltration of sensitive data, including the NTDS.dit database. Key components of the SNOW toolkit include browser extensions, Python-based tunneling utilities, and backdoors. Security teams are advised to restrict external Microsoft Teams access, monitor AWS S3 activity, and audit browser extensions. Immediate isolation of affected systems and review of administrative sessions are recommended to prevent further lateral movement. The campaign highlights the growing trend of combining traditional phishing techniques with modern collaboration tools.

Key Points: • UNC6692 employs multi-stage social engineering tactics to deliver SNOW malware. • The attack leads to the compromise of Domain Controllers and sensitive data exfiltration. • Defenders should implement strict access controls and monitor unusual activity to mitigate risks.

ThreatCluster AI

Timeline

2026-07-09
UNC6692 campaign identified
Researchers attributed a multi-stage phishing campaign to UNC6692, utilizing Teams and email tactics.
Gbhackers
2026-07-10
Detailed analysis of SNOW malware released
Socprime published an in-depth investigation into the SNOW malware ecosystem and its attack methods.
Socprime

Community

Browse all →