A threat group tracked as UNC6692 has been observed using Microsoft Teams as a launchpad for deploying a newly documented malware suite called Snow, according to research published by Google's Mandiant. The campaign relies on sophisticated social engineering, beginning with email bombing before pivoting to Teams-based impersonation of IT helpdesk personnel.
Attack Chain Overview
The operation starts with a flood of spam emails sent to targeted users — enough to overwhelm inboxes and create a sense of urgency. Attackers then contact victims through Microsoft Teams, posing as IT support staff offering assistance. Victims are directed to click links supposedly providing fixes for the spam problem, which instead deliver malware droppers that execute AutoHotkey scripts on the endpoint.
This vishing-style technique over Teams has become increasingly common among threat actors looking to bypass traditional email security controls. By moving the social engineering component to an internal-seeming communication channel, attackers gain an additional layer of legitimacy in the eyes of targets.
The Snow Malware Suite
The Snow toolkit consists of three distinct components, each serving a specific role in post-exploitation:
SnowBelt — Malicious Browser Extension
SnowBelt is a malicious Chrome-format extension loaded into headless Microsoft Edge instances running silently in the background (Edge is Chromium-based, so it accepts extensions built for Chrome). Because the browser runs without a visible window, victims have no indication the extension is active. Persistence is established through scheduled tasks and startup folder shortcuts, ensuring the extension survives reboots.
SnowGlaze — Network Tunneler
SnowGlaze acts as a tunneling tool that conceals communications with the attacker's command-and-control infrastructure. It facilitates SOCKS proxy operations, routing arbitrary TCP traffic through the infected host. This enables attackers to use the compromised machine as a pivot point into internal network segments.
SnowBasin — Python Backdoor
SnowBasin is a Python-based backdoor that runs a local HTTP server on the victim machine. It supports a broad range of attacker-directed activities:
- Remote shell access
- Data exfiltration
- File download and upload
- Screenshot capture
- Basic file system management
Post-Compromise Activity
Once Snow is deployed and a foothold is established, UNC6692 moves quickly to expand access. Observed post-exploitation behaviors include:
- Internal reconnaissance scanning for SMB and RDP services
- Lateral movement across the network
- Credential harvesting via LSASS memory dumping
- Pass-the-hash authentication attacks
- Domain controller compromise
- Active Directory database exfiltration using the FTK Imager forensics tool
- Data staging and exfiltration via LimeWire
The breadth of post-compromise activity suggests UNC6692 is motivated by large-scale data theft and potentially ransomware deployment.
Detection and IOCs
Mandiant has published indicators of compromise (IOCs) and YARA rules for detecting the Snow toolset. Organizations using Microsoft Teams are advised to review external communication policies and restrict or monitor guest access. Security teams should also monitor for unusual headless browser processes and unexpected Python-based local HTTP servers.
Mitigation Recommendations
- Audit and restrict Microsoft Teams external communications
- Enable advanced threat protection policies for Teams
- Deploy EDR solutions capable of detecting AutoHotkey-based dropper chains
- Monitor for scheduled tasks created by unusual parent processes
- Review Python interpreter activity on corporate endpoints
- Implement network-level egress filtering to detect SOCKS proxy abuse
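The detection guidance above (headless browser processes, unexpected Python local HTTP servers, scheduled tasks created by unusual parents, AutoHotkey-based dropper chains) can be expressed as simple process-creation heuristics. The script below is an added example written for this article, not Mandiant's published IOCs or YARA rules. The event field names (ts, user, parent_image, image, cmdline) are an assumption modelled loosely on Sysmon process-creation records, the sample events are constructed stand-ins rather than indicators from the report, and the allowlist of expected schtasks.exe parents is a placeholder that would need tuning per environment.

```python
"""Heuristic triage of Windows process-creation events for the Snow-style
behaviours described in the article. Added example; field names, sample
events and allowlists are assumptions, not data from the Mandiant report."""
import json
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample events (JSON lines). Illustrative only; not real IOCs.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:01Z", "user": "CORP\\alice",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2024-01-01T10:05:12Z", "user": "CORP\\alice",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey64.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": 'msedge.exe --headless --disable-gpu '
                '--load-extension="C:\\Users\\alice\\AppData\\Roaming\\ext"'},
    {"ts": "2024-01-01T10:05:15Z", "user": "CORP\\alice",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey64.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn "EdgeHelper" /sc onlogon '
                '/tr "C:\\Users\\alice\\AppData\\Roaming\\run.lnk"'},
    {"ts": "2024-01-01T10:06:40Z", "user": "CORP\\alice",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe",
     "cmdline": "python.exe -m http.server 8080 --bind 127.0.0.1"},
    {"ts": "2024-01-01T11:00:00Z", "user": "CORP\\alice",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe --profile-directory=Default"},
    {"ts": "2024-01-01T11:02:00Z", "user": "CORP\\alice",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /query"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

BROWSERS = {"msedge.exe", "chrome.exe"}
PYTHON_EXE = re.compile(r"^python(w)?(\d+(\.\d+)?)?\.exe$")
# Assumption: parents from which schtasks /create is expected; tune per site.
SCHTASKS_OK_PARENTS = {"explorer.exe", "mmc.exe", "svchost.exe"}
# Children of an AutoHotkey interpreter that suggest a dropper chain.
AHK_SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "schtasks.exe",
                        "msedge.exe", "chrome.exe", "python.exe", "pythonw.exe",
                        "wscript.exe", "cscript.exe", "rundll32.exe"}


def basename(path: str) -> str:
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_headless_browser_extension(ev: Dict[str, str]) -> bool:
    cmd = ev["cmdline"].lower()
    return (basename(ev["image"]) in BROWSERS
            and "--headless" in cmd and "--load-extension" in cmd)


def rule_python_http_server(ev: Dict[str, str]) -> bool:
    cmd = ev["cmdline"].lower()
    return (bool(PYTHON_EXE.match(basename(ev["image"])))
            and ("http.server" in cmd or "simplehttpserver" in cmd))


def rule_schtasks_unusual_parent(ev: Dict[str, str]) -> bool:
    return (basename(ev["image"]) == "schtasks.exe"
            and "/create" in ev["cmdline"].lower()
            and basename(ev["parent_image"]) not in SCHTASKS_OK_PARENTS)


def rule_autohotkey_child(ev: Dict[str, str]) -> bool:
    parent = basename(ev["parent_image"])
    return (parent.startswith("autohotkey") and parent.endswith(".exe")
            and basename(ev["image"]) in AHK_SUSPECT_CHILDREN)


RULES: List[Tuple[str, str, Callable[[Dict[str, str]], bool]]] = [
    ("headless_browser_with_extension", "high", rule_headless_browser_extension),
    ("python_local_http_server", "medium", rule_python_http_server),
    ("schtasks_create_unusual_parent", "medium", rule_schtasks_unusual_parent),
    ("autohotkey_spawned_process", "high", rule_autohotkey_child),
]


def parse_events(log_text: str) -> List[Dict[str, str]]:
    """Parse JSON lines; malformed or incomplete lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if all(k in ev for k in ("ts", "image", "parent_image", "cmdline")):
            events.append(ev)
    return events


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run every rule over every event; one finding per (event, rule) hit."""
    findings = []
    for ev in parse_events(log_text):
        for name, severity, check in RULES:
            if check(ev):
                findings.append({"rule": name, "severity": severity, "ts": ev["ts"],
                                 "parent": basename(ev["parent_image"]),
                                 "image": basename(ev["image"])})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} [{f['severity']}] {f['rule']}: {f['parent']} -> {f['image']}")
```

Run against the constructed log, the script flags the headless Edge launch with a loaded extension, both processes spawned by the AutoHotkey interpreter, the schtasks /create from an unexpected parent, and the Python http.server instance, while leaving the ordinary Explorer, Edge and schtasks /query events alone. Each rule is deliberately narrow and string-based; in production the allowlists and the browser/Python matching would be tuned to the environment's known-good software inventory.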
The Snow campaign underscores the growing use of business communication platforms as initial access vectors — a trend defenders must account for as attackers increasingly bypass email-focused security controls.