    UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Deploy SNOW Malware

By admin, April 23, 2026

    A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts.

    “As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization,” Google-owned Mandiant said in a report published today.

UNC6692 opens with a large email-bombing campaign designed to flood a target's inbox with spam and create a false sense of urgency. The threat actor then approaches the target over Microsoft Teams with a message claiming to come from the IT support team and offering help with the email-bombing problem.

It's worth noting that this combination of bombarding a victim's inbox and then impersonating the help desk over Microsoft Teams is a tactic long embraced by former Black Basta affiliates. Although the group shut down its ransomware operations early last year, the playbook shows no sign of slowing down.

    In a report published last week, ReliaQuest revealed that the approach is being used to target executives and senior-level employees for initial access into corporate networks for potential data theft, lateral movement, ransomware deployment, and extortion. In some cases, chats were initiated just 29 seconds apart.

The goal of the conversation is to trick victims into installing legitimate remote access or remote monitoring and management (RMM) tools such as Microsoft Quick Assist or Supremo Remote Desktop, giving the attacker hands-on-keyboard access that is then used to drop additional payloads.

    “From March 1 to April 1, 2026, 77% of observed incidents targeted senior-level employees, up from 59% in the first two months of 2026,” ReliaQuest researchers John Dilgen and Alexa Feminella said. “This activity demonstrates that a threat group’s most effective tactics can long outlive the group itself.”

    The attack chain detailed by Mandiant, on the other hand, deviates from this approach as the victim is instructed to click on a phishing link shared via Teams chat to install a local patch to remediate the spam issue. Once it’s clicked, it leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket. The phishing page is named “Mailbox Repair and Sync Utility v2.1.5.”

The script is designed to perform initial reconnaissance and then install SNOWBELT, a malicious Chromium-based browser extension, into Microsoft Edge by launching the browser in headless mode with the "--load-extension" command-line switch, which side-loads an unpacked extension from a local directory without going through the extension store.
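The headless-Edge-plus-"--load-extension" launch described above is a concrete thing to hunt for in process-creation telemetry. The following is an added example written for this page, not code from Mandiant or from the original article: it parses Chromium command-line switches out of Sysmon Event ID 1 / Security 4688-style records and scores any browser launch that side-loads an extension. The sample records are constructed, the simplified field names (pid, parent, image, cmdline) are this example's own, and the list of scripting-host executable names is an assumption (a compiled AutoHotkey script runs under whatever name the attacker gave it, so the list only catches the stock interpreter binaries).

```python
import re

# Chromium-style switch: --name or --name=value, where value may be double-quoted.
SWITCH_RE = re.compile(r'--([A-Za-z0-9-]+)(?:=("[^"]*"|\S+))?')

# Assumed process names for common script interpreters. A compiled AutoHotkey script
# runs under an arbitrary .exe name, so this catches only the stock interpreters.
SCRIPT_HOSTS = {"autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe",
                "autohotkey32.exe", "autohotkey64.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "brave.exe"}
# Directories an ordinary user can write to: an extension side-loaded from here was
# not staged by an administrator or a software-deployment tool.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE)

# Constructed sample records in the shape of Sysmon EID 1 / Security 4688
# (image, parent image, command line). Not telemetry from the UNC6692 intrusions.
SAMPLE_EVENTS = [
    {"pid": 4410,
     "parent": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                r'--headless=new --disable-gpu '
                r'--load-extension="C:\Users\jdoe\AppData\Local\Temp\mailfix\ext"'},
    {"pid": 4411,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                r'--profile-directory=Default'},
    {"pid": 4412,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--load-extension=C:\dev\my-extension --user-data-dir=C:\dev\profile'},
]


def parse_switches(cmdline: str) -> dict:
    """Return {switch_name: value_or_None} for every --switch on a Chromium command line."""
    switches = {}
    for m in SWITCH_RE.finditer(cmdline):
        value = m.group(2)
        switches[m.group(1)] = value.strip('"') if value is not None else None
    return switches


def assess(event: dict):
    """Return a finding for a browser launched with --load-extension, or None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in BROWSERS:
        return None
    switches = parse_switches(event["cmdline"])
    if "load-extension" not in switches:
        return None
    # --load-extension accepts a comma-separated list of unpacked extension directories.
    ext_dirs = [p for p in (switches["load-extension"] or "").split(",") if p]
    parent = event["parent"].rsplit("\\", 1)[-1].lower()

    indicators = []
    if "headless" in switches:                       # --headless or --headless=new
        indicators.append("headless")
    if any(USER_WRITABLE.search(p) for p in ext_dirs):
        indicators.append("extension_in_user_writable_path")
    if parent in SCRIPT_HOSTS:
        indicators.append("scripting_parent")
    severity = {0: "low", 1: "medium"}.get(len(indicators), "high")
    return {"pid": event["pid"], "severity": severity,
            "indicators": indicators, "extensions": ext_dirs}


def hunt(events):
    """Run assess() over process-creation records, dropping non-matches."""
    return [f for f in map(assess, events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

A developer loading an unpacked extension from a source tree with the browser in the foreground scores "low"; a headless browser loading an extension out of a Temp directory with a script interpreter as its parent, the pattern in the text, scores "high". In production the extension directory from each finding is what you collect next, since the manifest and scripts inside it are the actual payload.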

    “The attacker used a gatekeeper script designed to ensure the payload is delivered only to intended targets while evading automated security sandboxes,” Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley, and Muhammad Umair said.

    “The script also checks the victim’s browser. If the user is not using Microsoft Edge, the page displays a persistent overlay warning. Using the SNOWBELT extension, UNC6692 downloaded additional files including SNOWGLAZE, SNOWBASIN, AutoHotkey scripts, and a ZIP archive containing a portable Python executable and required libraries.”

The phishing page also serves a "Configuration Management Panel" with a prominent "Health Check" button that, when clicked, prompts users to enter their mailbox credentials, ostensibly for authentication. In reality the credentials are harvested and exfiltrated to another Amazon S3 bucket.

The SNOW malware ecosystem is a modular toolkit whose components work together to serve the attacker's goals. SNOWBELT is a JavaScript-based backdoor that receives commands and relays them to SNOWBASIN for execution, while SNOWGLAZE is a Python-based tunneler that creates an authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) server.

The third component, SNOWBASIN, operates as a persistent backdoor supporting remote command execution via "cmd.exe" or "powershell.exe", screenshot capture, file upload and download, and self-termination. It listens as a local HTTP server on port 8000, 8001, or 8002.

Some of the other post-exploitation actions carried out by UNC6692 after gaining initial access are as follows:

    • Use a Python script to scan the local network for ports 135, 445, and 3389 to identify lateral movement targets, establish a PsExec session to the victim's system through the SNOWGLAZE tunneling utility, and initiate an RDP session over the SNOWGLAZE tunnel from the victim system to a backup server.
    • Use a local administrator account to dump the memory of the LSASS process with Windows Task Manager, harvesting credential material for privilege escalation.
    • Use the Pass-the-Hash technique with the password hashes of elevated users to move laterally to the network's domain controllers, download and run FTK Imager to capture sensitive data (e.g., the Active Directory database file, NTDS.dit) and write it to the \Downloads folder, and exfiltrate it using the LimeWire file upload tool.

    “The UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware, and a malicious browser extension, playing on the victim’s inherent trust in several different enterprise software providers,” the tech giant said.

    “A critical element of this strategy is the systematic abuse of legitimate cloud services for payload delivery and exfiltration, and for command-and-control (C2) infrastructure. By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic.”

    The disclosure comes as Cato Networks detailed a voice phishing-based campaign that leverages similar help desk impersonation on Microsoft Teams to guide victims into executing a WebSocket-based trojan dubbed PhantomBackdoor via an obfuscated PowerShell script retrieved from an external server.

    “This incident shows how help desk impersonation delivered through a Microsoft Teams meeting can replace traditional phishing and still lead to the same outcome: staged PowerShell execution followed by a WebSocket backdoor,” the cybersecurity company said.

    “Defenders should treat collaboration tools as first-class attack surfaces by enforcing help desk verification workflows, tightening external Teams and screen-sharing controls, and hardening PowerShell.”
