Coming in cold with custom Snow malware
A previously unknown threat group using tried-and-tested social engineering tactics - Microsoft Teams chat invitations and helpdesk staff impersonation - is also using custom malware in its data-stealing attacks, according to Google's Threat Intelligence Group.…
Analysis Summary
# Threat Actor: UNC6692
## Attribution & Identity
UNC6692 is a previously unknown threat group first identified by Google's Threat Intelligence Group (GTIG). Its data-theft focus implies financial motivation, and the reporting describes it as a crime crew. Although the group uses social engineering tactics similar to those of established actors such as Scattered Spider and Storm-0875, Google analysts have found no known overlap with those crews.
## Activity Summary
In late December 2025, UNC6692 launched a large-scale campaign built around a multi-stage social engineering lure:
1. **Email Flooding:** Target organizations were bombarded with high volumes of email, creating a visible problem for the victim to want fixed.
2. **Impersonation:** Attackers posing as IT helpdesk staff sent Microsoft Teams chat invitations offering to resolve the "email spam" issue.
3. **Credential Harvesting:** Victims were directed to a fake "Mailbox Repair Utility" site and asked to enter their password twice. The "double-entry" prompt mimics a legitimate confirmation form while filtering typos out of the harvested credentials.
4. **Malware Deployment:** While the user watched a fake "Health Check" progress display, the site staged the files needed to install a modular malware suite.
## Tactics, Techniques & Procedures
* **Social Engineering:** Impersonation of internal helpdesk staff over Microsoft Teams, preceded by an email flood that gives the "helpdesk" a pretext to reach out.
* **Phishing:** A "Mailbox Repair Utility" landing page that asks for the password twice ("double-entry"), which both looks legitimate and yields typo-free credentials.
* **Persistence:** A malicious Chromium browser extension and AutoHotkey (AHK) scripts.
* **Command and Control (C2) Tunneling:** Tunneled traffic is Base64-encoded, wrapped in JSON objects and carried over WebSockets, so it blends in with ordinary web application traffic.
* **Reconnaissance:** Execution of standard discovery commands (e.g., `whoami`, `net user`).
* **MITRE ATT&CK Mapping (Inferred):**
* T1566.003 (Phishing: Spearphishing via Service)
* T1071.001 (Application Layer Protocol: Web Protocols)
* T1176.001 (Software Extensions: Browser Extensions)
* T1059.006 (Command and Scripting Interpreter: Python)
* T1572 (Protocol Tunneling)
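The C2 framing above (Base64 payloads inside JSON objects on a WebSocket) is the one property a defender can test for in captured message bodies. The following is an added example, not code from the GTIG report or from the Snow malware: a heuristic scorer that walks every string field in a JSON frame, decodes any well-formed Base64, and flags frames whose decoded content looks like discovery commands or their output (the page mentions `whoami` and `net user`) or is a large high-entropy blob (the screenshot-sized payload SnowBasin would carry). The sample frames, field names and thresholds are constructed for this example and are not indicators from the report.

```python
"""Heuristic scorer for Base64-in-JSON C2 frames (added example).

The frames, key names and thresholds below are constructed for illustration;
none of them are indicators taken from the GTIG reporting on UNC6692.
"""
import base64
import binascii
import json
import math
import re

# A Base64 field worth decoding: long enough to carry something, proper alphabet, padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Discovery commands and tell-tale output headers (assumed patterns for this example).
RECON_RE = re.compile(
    r"\b(whoami|net\s+(user|group|localgroup)|ipconfig|systeminfo|nltest|quser|tasklist)\b"
    r"|User accounts for",
    re.IGNORECASE,
)

HIGH_ENTROPY_BITS = 7.5   # bits per byte; compressed/encrypted data sits near 8
HIGH_ENTROPY_MIN_BYTES = 4096  # ignore small blobs such as icons or tokens


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_b64_field(value):
    """Return decoded bytes if `value` is well-formed Base64, else None."""
    if not isinstance(value, str) or not B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def iter_strings(obj, path=""):
    """Yield (json_path, value) for every string leaf in a parsed JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from iter_strings(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from iter_strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def score_frame(raw: str) -> dict:
    """Score one WebSocket text frame.

    Returns {'parsed', 'suspicious', 'reasons', 'fields'}. A frame is suspicious when a
    decoded Base64 field is printable text matching RECON_RE, or is a large blob whose
    entropy is near 8 bits/byte. Both checks are heuristics: legitimate apps also ship
    Base64 (images, tokens), so treat a hit as a lead to inspect, not a verdict.
    """
    result = {"parsed": False, "suspicious": False, "reasons": [], "fields": []}
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return result
    result["parsed"] = True
    for path, value in iter_strings(obj):
        decoded = decode_b64_field(value)
        if decoded is None:
            continue
        entropy = shannon_entropy(decoded)
        try:
            text = decoded.decode("utf-8")
            if not all(c.isprintable() or c in "\r\n\t" for c in text):
                text = None
        except UnicodeDecodeError:
            text = None
        result["fields"].append({"path": path, "bytes": len(decoded), "entropy": round(entropy, 2)})
        if text is not None and RECON_RE.search(text):
            result["reasons"].append(f"{path}: decodes to discovery command/output")
        elif entropy > HIGH_ENTROPY_BITS and len(decoded) >= HIGH_ENTROPY_MIN_BYTES:
            result["reasons"].append(f"{path}: large high-entropy blob ({len(decoded)} bytes)")
    result["suspicious"] = bool(result["reasons"])
    return result


def scan(frames) -> list:
    """Indices of the frames that score as suspicious."""
    return [i for i, f in enumerate(frames) if score_frame(f)["suspicious"]]


# Constructed sample frames: two tunneled recon frames and two benign ones.
SAMPLE_FRAMES = [
    json.dumps({"t": "x", "i": 1, "d": base64.b64encode(b"whoami && net user /domain").decode()}),
    json.dumps({"t": "r", "i": 1, "d": base64.b64encode(b"corp\\jdoe\r\nUser accounts for \\\\DC01\r\n").decode()}),
    json.dumps({"event": "typing", "user": "alice"}),
    json.dumps({"avatar": base64.b64encode(b"hello world, this is fine").decode()}),
]

if __name__ == "__main__":
    for i in scan(SAMPLE_FRAMES):
        print(i, score_frame(SAMPLE_FRAMES[i])["reasons"])
```

Run against captured frames (for example the text payloads exported from a WebSocket stream in Wireshark) and review only the flagged ones; beaconing at a fixed interval to a PaaS host such as `herokuapp.com` plus a recon hit in the decoded body is a far stronger signal than either alone.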
## Targeting
* **Sectors:** General corporate environments (any organization utilizing Microsoft Teams and standard email).
* **Geography:** Not specified; the English-language helpdesk lures point to organizations operating in English-speaking or international markets.
* **Victims:** Not named; the reporting refers only to the "target organizations" of the December 2025 campaign.
## Tools & Infrastructure
* **Malware Families (The "Snow" Suite):**
* **SnowBelt:** A JavaScript-based backdoor disguised as a browser extension (e.g., "MS Heartbeat" or "System Heartbeat").
* **SnowGlaze:** A Python-based tunneler (Windows/Linux) that creates WebSocket tunnels.
* **SnowBasin:** A Python bindshell providing interactive control, command execution, and screenshot capture.
* **Other Tools:** AutoHotkey (AHK), Portable Python executable.
* **Infrastructure:**
* **C2:** Heroku subdomains (e.g., `[subdomain].herokuapp[.]com`).
* **Exfiltration/Staging:** Amazon S3 buckets.
* **Local Communication:** SnowBasin listens on local port `8000`.
## Implications
UNC6692 illustrates the shift from single-channel email phishing to multi-channel social engineering. By opening the conversation in Microsoft Teams, a platform employees tend to trust implicitly, the group sidesteps email security controls entirely, and the email flood that precedes the Teams contact gives the fake helpdesk a credible reason to reach out. The custom, modular Python and JavaScript tooling shows more development capability than commodity phishing operations and is built for quiet persistence and data theft rather than noisy disruption.
## Mitigations
* **Identity Management:** Enforce phishing-resistant MFA (FIDO2/WebAuthn) so that a harvested password, however accurately typed, cannot be replayed; include the "type your password twice" pattern in awareness training as a sign of a credential-harvesting page.
* **Teams Security:** Restrict or disable external access (federation) in Microsoft Teams so that chat invitations from external tenants and unmanaged accounts are blocked or clearly flagged, and tell staff how the real helpdesk will and will not contact them.
* **Browser Security:** Enforce an extension allowlist through Chromium policy (`ExtensionInstallBlocklist` set to `*` with approved extension IDs in `ExtensionInstallAllowlist`) and disable developer-mode loading of unpacked extensions, which is how a sideloaded extension such as "MS Heartbeat" gets installed.
* **Network Monitoring:** Review WebSocket connections to PaaS hosting such as `herokuapp.com` from endpoints with no business reason for them, and look for message bodies that are JSON objects carrying Base64 blobs at regular intervals (beaconing).
* **Endpoint Defense:** Alert on `AutoHotkey.exe` running where it is not an approved tool, on portable Python interpreters launched from user-writable paths, and on Python processes listening on local ports (e.g. TCP 8000).
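The browser and endpoint mitigations above can be turned into a quick host triage. The following is an added example, not code from the report: it parses `netstat -ano` and `tasklist /fo csv` output to find a Python interpreter listening on TCP 8000 and a running `AutoHotkey.exe`, and reads the `extensions.settings` section of a Chromium profile's `Preferences` (or `Secure Preferences`) file to list extensions that were loaded from disk rather than installed from the Web Store. The sample command output and Preferences JSON are constructed, and the numeric extension-location codes are the author's understanding of Chromium's ManifestLocation enum (1 = Web Store install, 4 = unpacked, 8 = command line), so verify them against the Chromium source for the browser version in use.

```python
"""Host triage for the endpoint indicators listed above (added example).

Sample `netstat -ano` / `tasklist /fo csv` output and the Preferences JSON are
constructed for illustration. Chromium location codes are an assumption to verify.
"""
import csv
import io
import json
import re

# Constructed sample of `netstat -ano` output.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    127.0.0.1:8000         0.0.0.0:0              LISTENING       4412
  TCP    192.168.1.20:50321     52.2.10.5:443          ESTABLISHED     6120
  UDP    0.0.0.0:5353           *:*                                    7001
"""

# Constructed sample of `tasklist /fo csv` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","1012","Services","0","12,000 K"
"python.exe","4412","Console","1","33,500 K"
"AutoHotkey.exe","6120","Console","1","8,100 K"
"chrome.exe","7001","Console","1","200,000 K"
"""

# Constructed sample of the `extensions.settings` section of a Chromium profile.
PREFS_SAMPLE = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "location": 4,  # assumed: UNPACKED, loaded via developer mode
        "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\hb",
        "manifest": {"name": "MS Heartbeat", "version": "1.0"}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "location": 1,  # assumed: INTERNAL, installed from the Web Store
        "from_webstore": True,
        "path": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\\1.2.3_0",
        "manifest": {"name": "Google Docs Offline", "version": "1.2.3"}}}}})

# Chromium ManifestLocation codes treated as sideloaded (assumption, see lead-in).
SIDELOAD_LOCATIONS = {4, 8}


def pid_to_image(tasklist_text: str) -> dict:
    """Map PID -> image name from `tasklist /fo csv` output."""
    rows = csv.DictReader(io.StringIO(tasklist_text))
    return {int(r["PID"]): r["Image Name"] for r in rows}


def listeners(netstat_text: str, tasklist_text: str, ports=(8000,), images=("python",)) -> list:
    """TCP LISTENING sockets on `ports` whose owning image name contains one of `images`."""
    pids = pid_to_image(tasklist_text)
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Only 5-column TCP rows in LISTENING state; UDP rows have 4 columns and no state.
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])   # rsplit keeps IPv6 "[::]:8000" working
        pid = int(parts[4])
        image = pids.get(pid, "?")
        if port in ports and any(i in image.lower() for i in images):
            hits.append({"pid": pid, "image": image, "port": port})
    return hits


def running(tasklist_text: str, names=("autohotkey.exe",)) -> list:
    """Processes whose image name matches one of `names` (case-insensitive)."""
    return [{"pid": pid, "image": img}
            for pid, img in pid_to_image(tasklist_text).items() if img.lower() in names]


def sideloaded_extensions(prefs_json: str) -> list:
    """Extensions loaded from disk: sideload location code, or absolute path without a Web Store flag."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    hits = []
    for ext_id, ext in settings.items():
        loc = ext.get("location")
        abs_path = bool(re.match(r"^[A-Za-z]:\\|^/", ext.get("path", "")))
        if loc in SIDELOAD_LOCATIONS or (abs_path and not ext.get("from_webstore")):
            hits.append({"id": ext_id, "name": ext.get("manifest", {}).get("name"), "location": loc})
    return hits


if __name__ == "__main__":
    print("listeners:", listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE))
    print("autohotkey:", running(TASKLIST_SAMPLE))
    print("sideloaded extensions:", sideloaded_extensions(PREFS_SAMPLE))
```

In a live triage, feed the functions the real command output and the profile's `Secure Preferences` file; a Python listener on 8000 is only meaningful on hosts where no developer tooling is expected, so pair the result with the host's role before escalating.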