UNC6692 campaigns combine large-scale email-bombing with Microsoft Teams helpdesk impersonation to trick targets—especially senior executives—into installing a malicious “Mailbox Repair and Sync Utility” that delivers an AutoHotkey script and a modular SNOW malware toolkit. The attack chain uses AWS S3-hosted payloads, a malicious Edge extension (SNOWBELT), tunneling (SNOWGLAZE), and a persistent backdoor (SNOWBASIN) to enable lateral movement, credential theft, and data exfiltration. #UNC6692 #SNOWBELT
Keypoints
- UNC6692 leverages email-bombing to create urgency and then impersonates IT helpdesk staff via Microsoft Teams to initiate the attack.
- Victims are lured to a phishing page named “Mailbox Repair and Sync Utility v2.1.5” that downloads an AutoHotkey script from an attacker-controlled AWS S3 bucket.
- The AutoHotkey script installs SNOWBELT (a malicious Edge extension) and deploys SNOWGLAZE (WebSocket tunneler) and SNOWBASIN (persistent backdoor) for remote control.
- Attackers use gatekeeper scripts and browser checks to evade sandboxes, and abuse legitimate cloud services for payload delivery and exfiltration.
- Post-exploitation includes LSASS memory dumps, Pass-the-Hash lateral movement, PsExec/RDP via SNOWGLAZE, forensic image capture with FTK Imager, and exfiltration using LimeWire.
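The first three stages in the key points above (an email flood, a follow-up external Teams contact, then AutoHotkey execution on the same user's host) are the sequence a defender can correlate. The Python below is an added example, not code from the article or its sources; the event schema, the thresholds, the AutoHotkey image names and all sample telemetry are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAIL_THRESHOLD = 30             # messages inside one window counts as an email flood (assumed)
MAIL_WINDOW = timedelta(minutes=10)
FOLLOW_UP = timedelta(hours=2)  # how soon the Teams contact / AHK run must follow (assumed)
AHK_IMAGES = {"autohotkey.exe", "autohotkey64.exe", "autohotkeyu64.exe"}  # assumed image names

def parse(ev):
    """Return a copy of the event with its ISO timestamp turned into a datetime."""
    return dict(ev, ts=datetime.fromisoformat(ev["ts"]))

def flood_start(mail_ts):
    """Sliding window over mail arrival times; return when it first hits MAIL_THRESHOLD, else None."""
    mail_ts = sorted(mail_ts)
    lo = 0
    for hi, t in enumerate(mail_ts):
        while t - mail_ts[lo] > MAIL_WINDOW:
            lo += 1
        if hi - lo + 1 >= MAIL_THRESHOLD:
            return t
    return None

def correlate(events):
    """Per user: flood -> external Teams message -> AutoHotkey process within FOLLOW_UP."""
    by_user = defaultdict(list)
    for ev in map(parse, events):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        start = flood_start([e["ts"] for e in evs if e["type"] == "mail"])
        if start is None:
            continue
        later = [e for e in evs if start <= e["ts"] <= start + FOLLOW_UP]
        teams = any(e["type"] == "teams_external" for e in later)
        ahk = any(e["type"] == "process" and e["image"].lower() in AHK_IMAGES for e in later)
        stages = ["email_flood"] + (["teams_external"] if teams else []) + (["autohotkey"] if ahk else [])
        alerts.append({"user": user, "flood_start": start.isoformat(), "stages": stages,
                       "severity": "high" if len(stages) == 3 else "medium"})
    return alerts

def sample_events():
    """Constructed telemetry: a 40-message burst, an external Teams chat, then AutoHotkey."""
    base = datetime(2026, 4, 1, 9, 0, 0)
    evs = [{"ts": (base + timedelta(seconds=12 * i)).isoformat(), "user": "exec1",
            "type": "mail", "sender": f"list{i}@example.net"} for i in range(40)]
    evs.append({"ts": (base + timedelta(minutes=25)).isoformat(), "user": "exec1",
                "type": "teams_external", "sender": "it-support@external.example"})
    evs.append({"ts": (base + timedelta(minutes=40)).isoformat(), "user": "exec1",
                "type": "process", "image": "AutoHotkey64.exe"})
    evs.append({"ts": base.isoformat(), "user": "exec2", "type": "mail", "sender": "a@example.net"})
    return evs

if __name__ == "__main__":
    print(correlate(sample_events()))
```

A flood alone yields a medium alert; only the full three-stage sequence on one user is rated high, which keeps ordinary newsletter bursts from paging anyone.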
Read More: https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html