Threat group UNC6692 uses email bombing and Microsoft Teams helpdesk impersonation to trick victims into installing a dropper that deploys a custom malware suite called Snow. The Snow toolset (SnowBelt, SnowGlaze, and SnowBasin) provides stealthy persistence, WebSocket/SOCKS tunneling, and remote-command and data-exfiltration capabilities that enabled credential theft and domain takeover. #UNC6692 #Snow
Key points
- UNC6692 leverages “email bombing” and Teams-based helpdesk impersonation to coerce targets into installing a malicious patch dropper.
- The Snow suite includes SnowBelt (malicious Chrome extension), SnowGlaze (WebSocket/SOCKS tunneler), and SnowBasin (Python backdoor).
- SnowBelt executes on a headless Microsoft Edge instance and creates scheduled tasks and startup shortcuts for stealthy persistence.
- Attackers performed internal reconnaissance, dumped LSASS to steal credentials, used pass-the-hash, and moved laterally to domain controllers.
- Operators extracted AD databases and registry hives with FTK Imager and exfiltrated them via LimeWire, and Mandiant published IoCs and YARA rules to aid detection.
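As an added defensive example (not code from the Mandiant report or the page), a small hunt over constructed endpoint records for the persistence pattern described in the key points: a headless Edge instance running a side-loaded extension, a scheduled task that re-launches it, and a shortcut dropped into the Startup folder. The `--headless`/`--load-extension` flags, file paths and task name are assumptions about how such an extension would be run, not indicators from the report.

```python
"""Hunt for SnowBelt-style persistence in Sysmon-like telemetry. Added example;
records below are constructed and the flags/paths are assumptions, not report IoCs."""
import re

EVENTS = [  # constructed sample telemetry, not real indicators
    {"kind": "process", "parent": r"C:\Users\bob\AppData\Local\Temp\patch.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" --headless --load-extension=C:\Users\bob\AppData\Roaming\upd\ext'},
    {"kind": "process", "parent": r"C:\Users\bob\AppData\Local\Temp\patch.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn EdgeUpd /sc onlogon /tr "msedge.exe --headless --load-extension=C:\Users\bob\AppData\Roaming\upd\ext"'},
    {"kind": "file", "process": r"C:\Users\bob\AppData\Local\Temp\patch.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeUpd.lnk"},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",  # benign interactive launch
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" --profile-directory=Default'},
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Chromium flags: --headless hides the window, --load-extension side-loads an unpacked extension.
HEADLESS_EXT = re.compile(r"--headless\b.*?--load-extension=(\S+)", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

def classify(ev):
    """Return the reasons (possibly none) an event looks like SnowBelt-style persistence."""
    reasons = []
    if ev["kind"] == "process":
        cmd = ev["cmdline"]
        m = HEADLESS_EXT.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            reasons.append("headless Edge loading an extension from a user-writable path")
        if ev["image"].lower().endswith(r"\schtasks.exe") and "/create" in cmd.lower() and m:
            reasons.append("scheduled task created to re-launch the headless browser")
        if reasons and USER_WRITABLE.search(ev["parent"]):
            reasons.append("parent runs from a user-writable path (possible dropper)")
    elif ev["kind"] == "file":
        if STARTUP_LNK.search(ev["target"]) and USER_WRITABLE.search(ev["process"]):
            reasons.append("Startup-folder shortcut written by a process in a user-writable path")
    return reasons

def hunt(events):
    """Map event index -> reasons for every event that triggers at least one rule."""
    return {i: r for i, ev in enumerate(events) if (r := classify(ev))}

if __name__ == "__main__":
    for i, reasons in hunt(EVENTS).items():
        print(i, "; ".join(reasons))
```

The benign interactive launch (last record) produces no hit, so the rules key on the headless/side-loaded combination and on where the launching process lives rather than on Edge itself.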