Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Roundcube 0-Click Vulnerability Lets Attackers Inject Stored XSS
July 9, 2026
Critical Microsoft Entra ID Flaw Lets Attackers Hijack Accounts
July 9, 2026
Critical Linux Kernel Flaw Allows Root Access via DRM Render Nodes
July 9, 2026
Home/Threats/UNC6692 Hackers Deploy SNOW Malware via Microsoft Teams Helpdesk Impersonation
Threats

UNC6692 Hackers Deploy SNOW Malware via Microsoft Teams Helpdesk Impersonation

Key Takeaways A new threat actor, UNC6692, is leveraging sophisticated social engineering tactics via Microsoft Teams. The group impersonates IT helpdesk personnel to trick users into installing a...

Sarah simpson
Sarah simpson
July 9, 2026 5 Min Read
5 0

Key Takeaways

  • A new threat actor, UNC6692, is leveraging sophisticated social engineering tactics via Microsoft Teams.
  • The group impersonates IT helpdesk personnel to trick users into installing a custom malware suite known as SNOW.
  • SNOW is a modular toolkit comprising a malicious browser extension, a Python-based tunneling tool, and a local HTTP backdoor designed for stealthy, persistent access.
  • The attack chain involves an initial spam flood, followed by a targeted Teams message offering “help,” leading to credential theft and malware deployment.
  • Organizations should focus on restricting external Teams communications, enhancing user training, and monitoring for unusual browser and network activity.

UNC6692 Deploys SNOW Malware Through Microsoft Teams Helpdesk Impersonation

A recently identified threat group, designated UNC6692, is actively exploiting Microsoft Teams to deploy a proprietary malware framework dubbed SNOW. This campaign predominantly relies on advanced social engineering, making it particularly insidious as it mimics routine IT support interactions, thereby increasing its likelihood of success against unsuspecting employees.

Table Of Content

  • Key Takeaways
  • UNC6692 Deploys SNOW Malware Through Microsoft Teams Helpdesk Impersonation
  • The Deceptive Attack Chain
  • Exploiting Trust in Microsoft Teams
  • Inside the SNOW Malware Toolkit
  • What You Should Do

The attackers initiate their operations by impersonating internal IT helpdesk staff. They capitalize on the inherent trust users place in familiar collaboration platforms like Microsoft Teams to manipulate victims into inadvertently granting them control over their systems. This method bypasses many traditional security measures by exploiting human vulnerability rather than technical flaws.

The Deceptive Attack Chain

The attack sequence typically commences with a deluge of spam emails targeting a victim’s inbox, creating a sense of urgency and disarray. Amidst this manufactured chaos, the same attacker then contacts the victim directly via Microsoft Teams, posing as a helpful IT support agent offering to resolve the very problem they instigated. This calculated, two-stage approach effectively builds credibility, leading users to believe they are engaging with a legitimate helper rather than an adversary.

Analysts at ExtraHOP said in a report, detailing the coordinated progression of this attack, from initial contact to comprehensive network compromise. Once a victim accepts the fraudulent Teams chat invitation, the attacker transmits a link, claiming it’s a critical patch to halt the spam. Clicking this link initiates the download of a renamed AutoHotkey binary and an accompanying script with an identical filename, both retrieved from an attacker-controlled cloud storage bucket.

This downloaded payload constitutes the initial stage of the SNOW malware ecosystem. SNOW is a sophisticated, modular toolkit engineered for post-breach activities, including a malicious browser extension, a Python-based tunneling utility, and a lightweight local backdoor. Each component plays a crucial role in maintaining persistence and facilitating covert operations long after the initial phishing attempt has faded from memory.

Upon establishing a foothold, UNC6692 proceeds with caution. The group meticulously navigates compromised environments, systematically harvesting credentials, mapping internal networks, and expanding their access without triggering immediate alarms. This patient reconnaissance phase precedes any overt actions that might alert security teams, underscoring the group’s methodical approach to infiltration and data exfiltration.

Exploiting Trust in Microsoft Teams

The effectiveness of UNC6692’s impersonation tactic stems from its uncanny resemblance to legitimate corporate support interactions. Following the initial spam barrage, the attacker sends a Microsoft Teams chat request from an external account, appearing as a benevolent colleague or support agent. Many users, particularly when facing an existing problem, are prone to accepting such external invitations without adequate scrutiny, especially when the message offers a solution to their immediate issue.

Victims are then directed to a phishing page, meticulously crafted to mimic a legitimate mailbox repair and synchronization utility. This page often features a professional interface and a prominent “health check” button. Activating this button triggers a series of login prompts, repeatedly requesting credentials under the guise of “verification.” This multi-stage credential harvesting technique not only captures sensitive authentication details but also enhances their perceived legitimacy, making it harder to detect the theft. The stolen credentials are then covertly transmitted to an attacker-controlled cloud location.

This credential theft serves as the gateway for subsequent malicious activities. Once the AutoHotkey script executes, it performs initial reconnaissance and installs SNOWBELT, a rogue browser extension. This installation is achieved by launching Microsoft Edge in a hidden, “headless” mode, utilizing command-line parameters that bypass standard installation checks and user prompts.

Inside the SNOW Malware Toolkit

The SNOW malware is not a monolithic application but rather a multi-layered framework designed for enduring persistence and stealth. SNOWBELT, the browser extension component, is engineered to operate within the browser environment and maintain its presence even after system restarts. Concurrently, a Python-based tunneling utility, known as SNOWGLAZE, facilitates SOCKS5-style traffic, routing command and control (C2) communications through the compromised host. This technique helps disguise malicious traffic by blending it with legitimate web activity.

Further enhancing the toolkit’s capabilities, a distinct local HTTP backdoor, SNOWBASIN, provides the attackers with a direct channel to issue commands and exfiltrate data. This direct access reduces reliance on external infrastructure that might be more easily detected. The SNOW toolkit also incorporates functionalities for capturing screenshots, exfiltrating files, and terminating sessions, granting the operators granular control over their operational footprint and duration of stealth.

A significant challenge in detecting this campaign lies in the fact that its traffic often leverages legitimate cloud services and standard Windows functionalities. This deliberate obfuscation can lead to it being overlooked by conventional network monitoring systems. Therefore, security teams must proactively monitor for anomalous browser extension installations, scheduled tasks that launch browsers in headless mode, and any unusual outbound connections to unfamiliar endpoints.

What You Should Do

  • Restrict External Teams Communications: Limit Microsoft Teams chat permissions to approved contacts only. Disable external chat invitations by default or implement strict policies requiring approval before accepting communications from outside the organization.
  • Enhance Employee Training: Conduct regular security awareness training emphasizing the dangers of social engineering, especially helpdesk impersonation. Employees should be trained to verify the identity of IT support personnel through established, secure channels before complying with any requests, particularly those involving software installations or credential inputs.
  • Implement Multi-Factor Authentication (MFA): Enforce MFA across all corporate accounts, especially for Microsoft Teams and other collaboration platforms, to significantly reduce the impact of stolen credentials.
  • Monitor for Unusual Browser Activity: Deploy endpoint detection and response (EDR) solutions to monitor for suspicious browser extension installations, unauthorized modifications to browser settings, and instances of browsers launching in headless mode or with unusual command-line arguments.
  • Control File Sharing and Downloads: Restrict the use of unapproved file-sharing platforms and implement policies requiring verification and scanning of all downloaded executables or scripts, regardless of the source.
  • Network Traffic Analysis: Monitor network traffic for unusual outbound connections, particularly those to cloud storage services or unfamiliar IP addresses that deviate from normal operational baselines.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachExploitHackerMalwarePatchphishingSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Bridging Threat Intelligence to SOC Action: A Guide for Security Teams

Next Post

Windows Update Installs LG Monitor App Pushing McAfee Ads

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Windows Update Installs LG Monitor App Pushing McAfee Ads
July 9, 2026
UNC6692 Hackers Deploy SNOW Malware via Microsoft Teams Helpdesk Impersonation
July 9, 2026
Bridging Threat Intelligence to SOC Action: A Guide for Security Teams
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us