PROBABLYPWNED
Threat Intelligence · April 24, 2026 · 4 min read

UNC6692 Deploys SNOW Malware via Fake IT Helpdesk Teams Calls

Google Cloud uncovers UNC6692, a threat actor impersonating IT helpdesk staff on Microsoft Teams to deploy the modular SNOW malware suite targeting senior executives.

Alex Kowalski

A newly documented threat cluster is weaponizing Microsoft Teams to deploy custom malware, combining email bombing with IT helpdesk impersonation to compromise corporate networks. Google Cloud's threat intelligence team tracked the activity as UNC6692 and detailed the group's SNOW malware ecosystem—a modular toolkit designed for persistent access and lateral movement.

Senior-level employees made up 77% of the campaign's targets between March 1 and April 1, 2026, a sharp increase from 59% in earlier activity. The deliberate focus on executives suggests UNC6692 prioritizes targets with elevated access to sensitive data and financial systems.

How the Attack Unfolds

UNC6692's approach combines multiple social engineering techniques:

Stage 1: Email Bombardment

Victims receive a flood of spam emails designed to overwhelm their inbox and create urgency. The volume makes it difficult to work normally and primes targets to accept help.

Stage 2: Teams Impersonation

Shortly after the email flood, a Teams message arrives from what appears to be an IT support staff member offering assistance. The attacker uses an external account but presents themselves as internal support.

Stage 3: Malware Delivery

Victims who engage are directed to a phishing link for a fake "Mailbox Repair and Sync Utility v2.1.5." The download triggers an AutoHotkey script hosted on an attacker-controlled AWS S3 bucket, initiating the SNOW infection chain.

This multi-stage approach exploits a natural response—when your inbox is broken and someone offers to fix it, you're more likely to click. The technique resembles other Teams-based phishing campaigns we've covered, though UNC6692's execution is notably more polished.

The SNOW Malware Ecosystem

SNOW operates as a coordinated pipeline rather than a single tool:

SNOWBELT - A JavaScript-based backdoor delivered as a Chromium browser extension. It masquerades under names like "MS Heartbeat" or "System Heartbeat" and receives commands from the C2 infrastructure, relaying them to downstream components.

SNOWGLAZE - A Python-based tunneler that establishes secure WebSocket connections between victim networks and attacker infrastructure. This provides the persistent channel UNC6692 needs for ongoing operations.

SNOWBASIN - The primary backdoor enabling remote command execution via cmd.exe or PowerShell. It captures screenshots, handles file operations, and runs as a local HTTP server on ports 8000-8002.

Post-Compromise Activity

Once established, UNC6692 moves quickly:

  • Network scanning for ports 135, 445, and 3389 to identify lateral movement opportunities
  • LSASS memory extraction via Windows Task Manager for credential harvesting
  • Pass-The-Hash attacks targeting domain controllers
  • Sensitive data collection using FTK Imager
  • Exfiltration via LimeWire to attacker infrastructure

The blend of commercial forensic tools (FTK Imager) with custom malware suggests either a well-resourced group or one with access to cracked commercial software. Either way, the toolkit indicates operators comfortable with both network penetration and data theft.

Detection Guidance

Security teams should watch for:

  1. Suspicious Edge browser extensions with names like "MS Heartbeat" or "System Heartbeat"
  2. WebSocket connections to unauthenticated external destinations from internal hosts
  3. Local HTTP servers running on ports 8000-8002
  4. AutoHotkey scripts executing from user download directories
  5. External Teams messages claiming to be internal IT support

Organizations allowing external Teams federation should consider whether the business benefit outweighs the risk. Many companies have restricted external Teams access following similar social engineering campaigns targeting enterprise users.
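As an added example (not code from the article or from Google Cloud), the following Python turns the five observables above into simple detection rules and runs them over constructed telemetry events. The event schema and field names, the allowlist flag, and the helpdesk-name pattern used for the Teams rule are assumptions, not anything the article specifies.

```python
import re
from pathlib import PureWindowsPath

SNOWBELT_NAMES = {"ms heartbeat", "system heartbeat"}  # SNOWBELT extension names (from the article)
SNOWBASIN_PORTS = range(8000, 8003)                    # SNOWBASIN local HTTP ports 8000-8002 (from the article)
HELPDESK_RE = re.compile(r"\b(it|help ?desk|support)\b", re.I)  # helpdesk-style sender names (assumption)
AHK_FROM_DOWNLOADS_RE = re.compile(r'\\users\\[^\\]+\\downloads\\[^\s"]+\.ahk', re.I)


def evaluate_event(ev: dict) -> list[str]:
    """Return the names of every detection rule this single telemetry event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "browser_extension" and ev.get("name", "").strip().lower() in SNOWBELT_NAMES:
        hits.append("snowbelt_extension_name")
    elif kind == "listening_port":
        # Local HTTP server in the SNOWBASIN port range; dev tools use these ports too, so keep the process for triage.
        if ev.get("port") in SNOWBASIN_PORTS and ev.get("addr") in ("127.0.0.1", "0.0.0.0"):
            hits.append("snowbasin_local_http_port")
    elif kind == "process_create":
        image = PureWindowsPath(ev.get("image", "")).name.lower()
        # AutoHotkey interpreter started with a .ahk script under a user's Downloads folder.
        if image.startswith("autohotkey") and AHK_FROM_DOWNLOADS_RE.search(ev.get("cmdline", "")):
            hits.append("autohotkey_from_downloads")
    elif kind == "network_connection":
        # Outbound WebSocket to an external host that is not on an approved-destination list.
        if ev.get("protocol") == "websocket" and ev.get("external") and not ev.get("dest_allowlisted"):
            hits.append("websocket_to_unapproved_external")
    elif kind == "teams_message":
        # Message from a federated (external) tenant whose display name claims a helpdesk role.
        if ev.get("sender_external") and HELPDESK_RE.search(ev.get("sender_display_name", "")):
            hits.append("external_teams_helpdesk_impersonation")
    return hits


def evaluate_events(events: list[dict]) -> list[tuple[int, str]]:
    """Evaluate a batch and return (event index, rule name) pairs for correlation."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate_event(ev)]


# Constructed sample telemetry in the assumed schema (not from a real incident).
SAMPLE_EVENTS = [
    {"type": "teams_message", "sender_external": True, "sender_display_name": "IT Helpdesk"},
    {"type": "process_create", "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmdline": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" "C:\Users\jdoe\Downloads\MailboxRepair.ahk"'},
    {"type": "browser_extension", "browser": "msedge", "name": "MS Heartbeat"},
    {"type": "listening_port", "process": "python.exe", "addr": "127.0.0.1", "port": 8001},
    {"type": "network_connection", "protocol": "websocket", "external": True, "dest_allowlisted": False},
    {"type": "listening_port", "process": "node.exe", "addr": "127.0.0.1", "port": 3000},  # benign control
]
```

Calling `evaluate_events(SAMPLE_EVENTS)` flags the first five events and leaves the benign port 3000 listener alone; the indices make it easy to correlate several rule hits on one host, which is a far stronger signal than any single rule.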

Why This Matters

UNC6692 represents the maturation of Teams-based social engineering. The combination of email disruption, helpdesk impersonation, and modular malware creates a repeatable playbook for compromising organizations where Teams federation is enabled.

The 77% senior employee targeting rate indicates deliberate reconnaissance before attacks. These aren't spray-and-pray campaigns—UNC6692 knows who they want to compromise and tailors the approach accordingly.

For organizations with Teams external access enabled, the immediate question is whether current monitoring would detect the SNOW infection chain. If your security stack cannot see browser extension installations or unusual WebSocket traffic, you may already have gaps that campaigns like this exploit.
