UNC6692 Uses Social Engineering to Deploy SNOW Malware via Microsoft Teams
Severity: High (Score: 66.5)
Sources: Thehackernews, Mandiant
Summary
A threat group identified as UNC6692 executed a sophisticated multistage intrusion campaign utilizing social engineering tactics to deploy a custom malware suite. The attackers impersonated IT helpdesk personnel to lure victims into accepting a Microsoft Teams chat invitation from an external account. Following an overwhelming email campaign in December 2025, they sent phishing messages that prompted users to install a malicious patch, which ultimately downloaded the SNOWBELT malware. This malware included a malicious browser extension and was designed to maintain persistence through scheduled tasks and startup scripts. The campaign highlights a significant evolution in tactics, emphasizing the use of trusted enterprise software to gain access. Mandiant is currently investigating the incident but has not recovered the initial AutoHotkey script used in the attack.
Key Points
- UNC6692 leveraged social engineering via Microsoft Teams to deploy malware.
- The attack involved impersonating IT helpdesk staff to gain user trust.
- The SNOWBELT malware included a malicious browser extension for persistence.
Key Entities
- UNC6692 (apt_group)
- Data Breach (attack_type)
- Malware (attack_type)
- Phishing (attack_type)
- cloudfront-021.s3.us (domain)
- service-page-18968-2419-outlook.s3.us-west-2.amazonaws.com (domain)
- service-page-25144-30466-outlook.s3.us (domain)
- SNOW (malware)
- SNOWBASIN (malware)
- SNOWBELT (malware)
- SNOWGLAZE (malware)
- T1003.001 - LSASS Memory (mitre_attack)
- T1021.001 - Remote Desktop Protocol (mitre_attack)
- T1021.002 - SMB/Windows Admin Shares (mitre_attack)
- T1033 - System Owner/User Discovery (mitre_attack)
- T1036 - Masquerading (mitre_attack)
- Linux (platform)
- Windows (platform)
- Microsoft Teams (tool)
- AutoHotkey (tool)
- FTK Imager (tool)
- PsExec (tool)
- LimeWire (company)