In a recent analysis by the Google Threat Intelligence Group (GTIG), a new threat group known as UNC6692 has been identified, showcasing a complex multistage intrusion campaign. This group has effectively utilized social engineering techniques, a custom modular malware suite, and strategic maneuvering within victim environments to achieve significant network infiltration.
The campaign primarily involved impersonating IT helpdesk personnel to convince targets to accept Microsoft Teams chat invitations from external accounts. This approach highlights a notable shift in tactics, emphasizing the role of social engineering and custom malware, including a malicious browser extension that exploits trust in enterprise software.
Campaign Overview
In December 2025, UNC6692 initiated a large-scale email campaign aimed at overwhelming targets with messages to create urgency and distraction. This was followed by phishing messages sent via Microsoft Teams, where attackers posed as helpdesk staff offering assistance.
Infection Process
Victims were directed through Microsoft Teams to click a link that purportedly installed a local patch to mitigate email spamming. This action led to the download of a renamed AutoHotKey binary and script from an AWS S3 bucket controlled by the attackers.
Once the AutoHotKey binary was executed, it installed SNOWBELT, a malicious Chromium browser extension. SNOWBELT persistence was established through several methods, including a shortcut created in the Windows Startup folder and scheduled tasks.
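As an added example (not code from the GTIG report), the detection sketch below scores the chain just described over constructed endpoint telemetry: an AutoHotkey interpreter running under a different file name, a scheduled task whose action points into a user-writable path, and a shortcut dropped into the Startup folder, with persistence tied back to the renamed interpreter raised to high severity. Field names follow Sysmon conventions; every path, user and file name is invented.

```python
import ntpath

# Constructed telemetry shaped like Sysmon process-create (ID 1) and file-create (ID 11)
# records. Every path, user and file name here is invented; only file events carry "target".
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\mailpatch.exe", "original_file_name": "AutoHotkey.exe",
     "command_line": "mailpatch.exe mailpatch.ahk", "parent_image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe", "original_file_name": "schtasks.exe",
     "parent_image": r"C:\Users\alice\Downloads\mailpatch.exe",
     "command_line": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\alice\AppData\Roaming\mailpatch.exe"},
    {"image": r"C:\Users\alice\Downloads\mailpatch.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mailpatch.lnk"},
    {"image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "original_file_name": "AutoHotkey.exe",
     "command_line": "AutoHotkey.exe hotkeys.ahk", "parent_image": r"C:\Windows\explorer.exe"},  # unrenamed: quiet
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"

def is_renamed_autohotkey(ev):
    """PE version info says AutoHotkey, but the file on disk carries a different name."""
    orig = ev.get("original_file_name", "").lower()
    return orig.startswith("autohotkey") and ntpath.basename(ev["image"]).lower() != orig

def is_user_path_scheduled_task(ev):
    """schtasks /create whose action points into a user-writable directory."""
    cmd = ev.get("command_line", "").lower()
    return (ntpath.basename(ev["image"]).lower() == "schtasks.exe"
            and "/create" in cmd and any(m in cmd for m in USER_WRITABLE))

def is_startup_shortcut_drop(ev):
    """A .lnk written into a user's Startup folder."""
    target = ev.get("target", "").lower()
    return STARTUP_DIR in target and target.endswith(".lnk")

RULES = [(is_renamed_autohotkey, "renamed_autohotkey"),
         (is_user_path_scheduled_task, "scheduled_task_user_path"),
         (is_startup_shortcut_drop, "startup_folder_shortcut")]

def detect(events):
    """Return (rule, severity, image); persistence created by a renamed AutoHotkey process is high."""
    suspects = {ev["image"].lower() for ev in events if is_renamed_autohotkey(ev)}
    findings = []
    for ev in events:
        # The writer of a file or the parent of schtasks is the process that set up persistence.
        actors = {ev["image"].lower(), ev.get("parent_image", "").lower()}
        for check, name in RULES:
            if check(ev):
                findings.append((name, "high" if actors & suspects else "medium", ev["image"]))
    return findings
```

Run on its own, `detect(SAMPLE_EVENTS)` yields three high-severity findings and stays silent on the unrenamed AutoHotkey launch.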
Internal Reconnaissance and Lateral Movement
After gaining initial access, UNC6692 used a Python script to scan the local network for specific ports, then established a Sysinternals PsExec session to execute commands and enumerate local administrator accounts. This access enabled the attackers to initiate Remote Desktop Protocol (RDP) sessions to backup servers.
Privilege Escalation
Upon accessing the backup server, the attackers dumped the memory of the LSASS process, which holds sensitive account credentials. The dump was exfiltrated using LimeWire, so the attackers could process it with offensive security tools outside the victim environment, where those tools would not be detected.
Mission Completion
Equipped with password hashes of elevated users, UNC6692 employed the Pass-The-Hash technique to move laterally to domain controllers. This method allowed them to authenticate without providing passwords directly. They downloaded critical files, including the Active Directory database, which were then exfiltrated from the network.
The SNOW Malware Ecosystem
The SNOW malware ecosystem, associated with UNC6692, comprises three main components: SNOWBELT, SNOWGLAZE, and SNOWBASIN. These components work in tandem to facilitate the attack:
- SNOWBELT: A browser extension that serves as the initial foothold, intercepting commands and maintaining persistence.
- SNOWGLAZE: A Python-based tunneler that establishes a secure connection between the victim's network and the attacker's command-and-control infrastructure.
- SNOWBASIN: A local HTTP server that enables remote command execution and data exfiltration.
Malware Functionality
SNOWBELT operates by relaying commands to SNOWBASIN, which executes them and sends results back to the attacker. This setup allows for continuous interaction and control over the infected system.
Implications and Recommendations
The tactics employed by UNC6692 illustrate a concerning trend in cyber threats where attackers blend social engineering with technical evasion. Their use of legitimate cloud services for malicious activities complicates detection efforts. Organizations must enhance their security measures, focusing on monitoring browser activity and unauthorized cloud traffic to mitigate risks.
Indicators of Compromise (IOCs)
To assist in identifying similar activities, key indicators of compromise have been outlined, including specific network and file indicators associated with the UNC6692 campaign.