UNC6692 abuses Teams helpdesk impersonation to drop Snow malware suite

· via BleepingComputer

Original source

Threat actor uses Microsoft Teams to deploy new “Snow” malware

Mandiant has attributed a new intrusion set to UNC6692, a threat group pairing email-bombing pressure tactics with Microsoft Teams messages from fake IT helpdesk personas. Targets are coaxed into installing a bogus spam-blocking patch, which drops an AutoHotkey loader and a three-part custom toolkit dubbed Snow: SnowBelt (a Chrome extension run inside a headless Edge instance for stealth and persistence), SnowGlaze (a WebSocket tunneler with SOCKS proxy support), and SnowBasin (a Python backdoor that executes CMD/PowerShell via a local HTTP server).

Once inside, the operators perform SMB and RDP reconnaissance, dump LSASS to harvest credentials, and use pass-the-hash to pivot toward domain controllers. The endgame is a full Active Directory compromise: attackers deploy FTK Imager to grab the NTDS database alongside the SYSTEM, SAM, and SECURITY hives, then exfiltrate the haul over LimeWire.
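The tradecraft above (a Chrome extension hosted in a headless Edge, an AutoHotkey loader posing as a spam patch, a forensic imager started on a domain controller) is visible in ordinary process-creation telemetry. The following is an added defender-side example, not code from Mandiant, BleepingComputer or the Snow toolset: it runs three triage rules over constructed Sysmon-style events. It assumes that SnowBelt is loaded with Chromium's `--headless` and `--load-extension` switches and that events carry a `role` field; the hostnames, paths and command lines are invented samples, not published indicators.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style; these are
# illustrative samples, not indicators published by Mandiant or BleepingComputer.
SAMPLE_EVENTS = [
    {"host": "WS01", "role": "workstation",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r"msedge.exe --headless=new --load-extension=C:\Users\a\AppData\Roaming\upd --disable-gpu"},
    {"host": "WS01", "role": "workstation",
     "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\a\AppData\Local\Temp\spamblock_patch.ahk"},
    {"host": "DC01", "role": "domain_controller",
     "image": r"C:\Tools\FTK Imager\FTK Imager.exe",
     "cmdline": r'"FTK Imager.exe"'},
    {"host": "WS02", "role": "workstation",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r"msedge.exe https://intranet.example.internal/"},
]

# Directories a standard user can write to; a loader dropped by a "patch" lands here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

def headless_edge_with_extension(ev):
    """SnowBelt is described as a Chrome extension run inside a headless Edge instance.
    Assumption: it is loaded via Chromium's --headless and --load-extension switches."""
    cl = ev["cmdline"].lower()
    return ev["image"].lower().endswith("msedge.exe") and "--headless" in cl and "--load-extension" in cl

def autohotkey_from_user_path(ev):
    """The loader is an AutoHotkey script delivered as a fake spam-blocking patch;
    flag the AutoHotkey interpreter running a script from a user-writable directory."""
    return ev["image"].lower().endswith("autohotkey.exe") and bool(USER_WRITABLE.search(ev["cmdline"]))

def forensic_imager_on_dc(ev):
    """FTK Imager is used to grab NTDS and the SYSTEM/SAM/SECURITY hives; an imaging
    tool starting on a domain controller outside a known IR engagement warrants a ticket."""
    return ev["role"] == "domain_controller" and "ftk imager" in ev["image"].lower()

RULES = {
    "snowbelt_headless_edge_extension": headless_edge_with_extension,
    "ahk_loader_user_writable_path": autohotkey_from_user_path,
    "ftk_imager_on_domain_controller": forensic_imager_on_dc,
}

def triage(events):
    """Return (rule, host) pairs for every event that matches a rule."""
    return [(name, ev["host"]) for ev in events for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for name, host in triage(SAMPLE_EVENTS):
        print(f"{host}: {name}")
```

Each rule alone is noisy (developers run headless browsers, helpdesks use AutoHotkey); the value is in correlating them on one host within the same window as a Teams message from an external tenant.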

The campaign reflects a wider shift toward Teams- and Quick Assist-based social engineering as an initial access vector, sidestepping email defenses by exploiting trust in internal collaboration tools. Mandiant has published IoCs and YARA rules for the Snow toolset.

This is an AI-generated summary. Read the original for the full story.