Full Report
A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. "As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account
Analysis Summary
# Threat Actor: UNC6692
## Attribution & Identity
UNC6692 is a previously undocumented threat activity cluster first reported by Mandiant (Google Cloud). While not definitively attributed to a specific nation-state or named group, it is linked via shared playbooks and methodologies to **former Black Basta affiliates**.
## Activity Summary
UNC6692 was observed in early 2026 (specifically active through March and April) conducting sophisticated social engineering campaigns. The group utilizes a "double-tap" approach: first overwhelming a victim's inbox with email spam, followed by a targeted Microsoft Teams message from an account impersonating corporate IT helpdesk staff offering to "fix" the spam issue.
## Tactics, Techniques & Procedures
- **Social Engineering:** Impersonation of IT Helpdesk personnel via Microsoft Teams.
- **Phishing:** Directing victims to a fraudulent "Mailbox Repair and Sync Utility v2.1.5" page to harvest credentials.
- **Email Bombing:** Flooding targets with spam to create a false sense of urgency and justify the IT "intervention."
- **Execution:** Utilizing AutoHotkey scripts for initial reconnaissance and payload delivery.
- **Browser Manipulation:** Installing malicious extensions in Microsoft Edge using headless mode and the `--load-extension` command line switch.
- **Evasion:** Implementation of gatekeeper scripts to ensure payloads are only delivered to intended human targets and not sandboxes.
- **Persistence:** Modular malware suite (SNOW ecosystem) used for remote access and persistence.
- **MITRE ATT&CK IDs:**
  - T1566.002 (Spearphishing Link)
  - T1204.002 (User Execution: Malicious File)
  - T1176 (Browser Extensions)
  - T1021.001 (Remote Services: Remote Desktop Protocol)
  - T1059.001 (Command and Scripting Interpreter: PowerShell)
## Targeting
- **Sectors:** Broad corporate focus; specifically targets high-value corporate networks.
- **Geography:** Global/General.
- **Victims:** In early 2026, 77% of incidents targeted **senior-level employees and executives**.
## Tools & Infrastructure
### Malware Families (SNOW Suite)
- **SNOWBELT:** A JavaScript-based browser extension (backdoor) for the Edge browser.
- **SNOWGLAZE:** A Python-based network tunneler utilizing WebSockets.
- **SNOWBASIN:** A persistent backdoor used for command execution (cmd/PowerShell), screenshots, and file exfiltration.
- **AutoHotkey:** Used for initial reconnaissance scripts.
### Infrastructure
- **AWS S3 Buckets:** Used for hosting malicious scripts and exfiltrating harvested credentials.
- **Remote Management Tools:** Occasional use of legitimate RMM tools like **Quick Assist** and **Supremo Remote Desktop**.
- **C2:** Command-and-control servers terminating authenticated WebSocket tunnels.
- **Domains/IPs:** No specific domains or IP addresses are listed; the only infrastructure named is AWS S3 (`s3.amazonaws[.]com`).
## Implications
UNC6692 demonstrates the evolution of the "Black Basta" playbook. The shift toward targeting senior executives suggests a strategic focus on high-privilege access for data theft and extortion. The move from simple RMM tool abuse to a custom, modular browser-based malware suite (SNOW) indicates a higher level of technical sophistication and a goal of long-term persistence within corporate environments.
## Mitigations
- **Teams Security:** Restrict or monitor chat invitations from external tenants/accounts (External Access settings in Microsoft Teams).
- **Endpoint Monitoring:** Monitor for suspicious command-line arguments, specifically Edge being launched with the `--load-extension` flag.
- **Credential Protection:** Enforce FIDO2-based Multi-Factor Authentication (MFA) to mitigate the impact of credential harvesting pages.
- **User Training:** Educate senior leadership on the "Email Bombing + Teams Support" attack pattern; emphasize that IT support will generally not initiate unsolicited chats via Teams from external domains.
- **Execution Policy:** Restrict the execution of AutoHotkey scripts and unauthorized Python executables on executive workstations.
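The Endpoint Monitoring item above can be turned into a concrete check. The following is an added example (not from the original report or Mandiant) that scans process-creation events for Microsoft Edge launched with `--load-extension`, extracts the side-loaded extension path, and raises the severity when `--headless` is also present; the event records and command lines are constructed samples, and the `image`/`cmdline` field names are assumed.

```python
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample process-creation events (not real telemetry). Field names
# "image" and "cmdline" are assumptions; map them to your EDR/Sysmon schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" --headless=new --load-extension="C:\Users\jdoe\AppData\Local\Temp\ext" --no-first-run'},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" https://intranet.example.com'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c start msedge --load-extension C:\temp\ext2"},
]

# Matches "msedge" or "msedge.exe" anywhere in the command line, so Edge
# started indirectly (e.g. via cmd /c start) is still caught.
EDGE_RE = re.compile(r"\bmsedge(?:\.exe)?\b", re.IGNORECASE)


def parse_edge_launch(cmdline: str) -> Optional[Dict[str, object]]:
    """Return finding details if cmdline launches Edge with --load-extension, else None."""
    if not EDGE_RE.search(cmdline):
        return None
    try:
        # posix=False keeps Windows backslashes and quoted paths intact
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to naive split
        tokens = cmdline.split()
    ext_path, headless = None, False
    for i, tok in enumerate(tokens):
        low = tok.lower()
        if low.startswith("--headless"):          # --headless or --headless=new
            headless = True
        elif low.startswith("--load-extension="):  # --load-extension=<path>
            ext_path = tok.split("=", 1)[1]
        elif low == "--load-extension" and i + 1 < len(tokens):
            ext_path = tokens[i + 1]               # --load-extension <path>
    if ext_path is None:
        return None
    return {"extension_path": ext_path.strip('"'), "headless": headless,
            "severity": "high" if headless else "medium"}


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the check over a batch of events and return one finding per hit."""
    findings = []
    for ev in events:
        hit = parse_edge_launch(ev["cmdline"])
        if hit:
            findings.append({"image": ev["image"], "cmdline": ev["cmdline"], **hit})
    return findings
```

Tune the rule against your own baseline first: developer workstations that legitimately side-load unpacked extensions will trigger the medium-severity path.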