Ethical Hacking News
A new era in malware attacks has emerged with the UNC6692 campaign. This complex operation utilizes social engineering tactics, advanced encryption techniques, and modular components to gain unauthorized access into organizations' networks. By shedding light on this campaign, security researchers can develop better countermeasures against such threats.
SNOWBELT: A JavaScript-based backdoor masquerading as a Chromium browser extension to intercept commands and send them to SNOWBASIN.
SNOWGLAZE: A Python-based tunneler that can operate in both Windows and Linux environments, facilitating bidirectional data exchange between the browser and a TCP socket.
SNOWBASIN: A backdoor acting as a local web server (typically on port 8000), receiving decrypted C2 commands from SNOWBELT via HTTP POST requests.
The campaign uses social engineering tactics, phishing sites, AutoHotKey payloads, and staged files to gain unauthorized access into organizations' networks.
In a recent breakthrough, security researchers have shed light on a highly sophisticated and modular malware campaign dubbed "UNC6692." This complex operation has been observed to utilize a range of tactics, from social engineering to advanced encryption techniques, to gain unauthorized access into organizations' networks. At the core of this campaign lies a trio of components: SNOWBELT, SNOWGLAZE, and SNOWBASIN.
The journey begins with SNOWBELT, a JavaScript-based backdoor masquerading as a Chromium browser extension, often under names like "MS Heartbeat" or "System Heartbeat." Deployed through social engineering tactics, the extension intercepts commands and sends them to SNOWBASIN for execution. It maintains persistence via the browser's extension registration system and uses Service Worker Alarms and Keep-Alive Tab Injection (via helper.html) to ensure it remains active whenever the browser is running.
Upon successful installation, SNOWBELT generates a unique identity using the prefix fp-sw- followed by a UUID. It then employs a time-based DGA to calculate C2 URLs. Utilizing a hard-coded seed value, it generates a registry URL for an S3 bucket within 30-minute time slots. These URLs follow a specific structural pattern: https://[a-f0-9]{24}-[0-9]{6,7}-[0-9]{1}.s3.us-east-2.amazonaws[.]com.
The manifest retrieved from this registry is encrypted with AES-GCM and is decrypted using a key derived from SHA256(SEED + "|" + timeslot). SNOWBELT also registers with the browser's Push Notification service, utilizing a hard-coded VAPID Public Key to establish an asynchronous channel for immediate communication. This setup enables attackers to "wake up" the Service Worker on demand via authenticated Push messages.
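The registry-URL pattern and the per-slot key derivation described above lend themselves to a small hunting helper. The following Python is an added example, not code from the article or from the Google Threat Intelligence report: it matches hostnames in constructed proxy-log lines against the published S3 pattern and derives the 30-minute slot key from a seed. The seed value and the encoding of the time slot as the integer number of 30-minute periods since the Unix epoch are assumptions made for illustration; the real seed and slot format are not given on the page.

```python
import hashlib
import re
from typing import List

# Hostname pattern taken from the article (the "[.]" defanging is removed).
SNOWBELT_REGISTRY_RE = re.compile(
    r"^[a-f0-9]{24}-[0-9]{6,7}-[0-9]\.s3\.us-east-2\.amazonaws\.com$"
)

SLOT_SECONDS = 30 * 60  # the article states 30-minute time slots


def matches_registry_pattern(hostname: str) -> bool:
    """True if the hostname fits the SNOWBELT S3 registry pattern."""
    return SNOWBELT_REGISTRY_RE.match(hostname.strip().lower()) is not None


def time_slot(epoch_seconds: int, slot_seconds: int = SLOT_SECONDS) -> int:
    """Assumed slot encoding: whole 30-minute periods since the Unix epoch."""
    return epoch_seconds // slot_seconds


def derive_slot_key(seed: str, slot: int) -> bytes:
    """Key = SHA256(SEED + "|" + timeslot), as stated in the article.
    The seed is hypothetical; an analyst would recover it from the extension."""
    return hashlib.sha256(f"{seed}|{slot}".encode()).digest()


def find_registry_lookups(log_lines: List[str]) -> List[str]:
    """Return the hostnames in proxy-log lines that match the registry pattern.
    Log format assumed: '<timestamp> <client> <hostname> <status>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 3 and matches_registry_pattern(parts[2]):
            hits.append(parts[2])
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_PROXY_LOG = [
    "1713870000 10.0.0.5 www.example.com 200",
    "1713870001 10.0.0.5 0123456789abcdef01234567-1234567-3.s3.us-east-2.amazonaws.com 200",
    "1713870002 10.0.0.7 mybucket.s3.us-east-2.amazonaws.com 200",
]

if __name__ == "__main__":
    print("matches:", find_registry_lookups(SAMPLE_PROXY_LOG))
    slot = time_slot(1713870000)
    print("slot:", slot, "key:", derive_slot_key("EXAMPLE-SEED", slot).hex())
```

Because legitimate S3 bucket names rarely look like a 24-hex-character token followed by two numeric groups, the pattern is specific enough to hunt over DNS or proxy logs; the key derivation is only useful once the hard-coded seed has been extracted from a captured extension.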
In coordination with SNOWGLAZE, a Python-based tunneler that can operate in both Windows and Linux environments, SNOWBELT facilitates bidirectional data exchange between the browser and the TCP socket. Data is Base64-encoded within the data field of the following structure:
{
"type": "socks_data",
"conn_id": "",
"data": "bG9yZW0gaXBzdW0="
}
SNOWBELT functions in coordination with SNOWBASIN, a backdoor acting as a local web server (typically on port 8000). It relays decrypted C2 commands—such as command, buffer, flush, and commit—to SNOWBASIN via HTTP POST requests. This establishes a pipeline that facilitates an attacker's journey from initial browser-based access to the internal network of the organization.
In addition to these components, SNOWGLAZE creates a secure, authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) infrastructure. It masks malicious traffic by wrapping data in JSON objects and Base64 encoding it for transfer via WebSockets. This makes the activity appear as standard encrypted web traffic.
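To make the tunnel format and the local relay concrete, the Python below is an added example, not the campaign's code or anything from the article's sources. It parses socks_data frames of the structure shown above, Base64-decoding the data field and rejecting malformed frames, and applies a simple endpoint check that flags a browser process making HTTP POST requests to a local web server on port 8000, which is how the article describes SNOWBELT handing commands to SNOWBASIN. The event field names and the sample events are constructed for the example.

```python
import base64
import binascii
import json
from typing import Dict, List, Optional

# Browser process names assumed for the example; extend to match your fleet.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "chrome", "msedge"}
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}
SNOWBASIN_PORT = 8000  # "typically on port 8000" per the article


def decode_socks_frame(raw: str) -> Optional[Dict[str, object]]:
    """Parse one tunnel frame. Returns {'conn_id': str, 'payload': bytes}
    or None if the frame is not a well-formed socks_data message."""
    try:
        frame = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(frame, dict) or frame.get("type") != "socks_data":
        return None
    conn_id = frame.get("conn_id")
    data = frame.get("data")
    if not isinstance(conn_id, str) or not isinstance(data, str):
        return None
    try:
        # validate=True rejects non-alphabet characters instead of silently dropping them
        payload = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    return {"conn_id": conn_id, "payload": payload}


def is_snowbasin_relay(event: Dict[str, object]) -> bool:
    """Flag a browser process POSTing to a local HTTP server on port 8000.
    Event fields (process, dest_ip, dest_port, method) are assumed for the example."""
    return (
        str(event.get("process", "")).lower() in BROWSER_PROCESSES
        and str(event.get("dest_ip", "")) in LOCAL_HOSTS
        and int(event.get("dest_port", 0)) == SNOWBASIN_PORT
        and str(event.get("method", "")).upper() == "POST"
    )


def flag_relays(events: List[Dict[str, object]]) -> List[int]:
    """Return indices of events that match the relay check."""
    return [i for i, ev in enumerate(events) if is_snowbasin_relay(ev)]


# Constructed sample data (not real telemetry).
SAMPLE_FRAME = '{"type": "socks_data", "conn_id": "c1", "data": "bG9yZW0gaXBzdW0="}'
SAMPLE_EVENTS = [
    {"process": "chrome.exe", "dest_ip": "127.0.0.1", "dest_port": 8000, "method": "POST"},
    {"process": "chrome.exe", "dest_ip": "93.184.216.34", "dest_port": 443, "method": "GET"},
    {"process": "python.exe", "dest_ip": "127.0.0.1", "dest_port": 8000, "method": "POST"},
]

if __name__ == "__main__":
    print("frame:", decode_socks_frame(SAMPLE_FRAME))
    print("suspicious events:", flag_relays(SAMPLE_EVENTS))
```

The strict Base64 validation matters in practice: a lenient decoder would accept padding or alphabet mistakes and produce a misleading payload, whereas rejecting the frame lets the analyst see that the captured data was not the format described. The relay check is deliberately narrow; a browser POSTing to a loopback web server is unusual enough on most managed endpoints to be worth a triage rule, with local developer tooling added to an allowlist rather than loosening the rule itself.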
The attack chain of this campaign begins with a phishing site, followed by the execution of AutoHotKey payloads. A configuration file for the malware is also deployed. RegSrvc.exe masquerades as a "Registration Service," while the user is prompted to input email credentials.
Once these staged files have run, the attacker has captured the credentials and potentially established a persistent foothold on the endpoint.
This campaign, dubbed UNC6692, operates as a modular ecosystem comprising three primary components: SNOWBELT, SNOWGLAZE, and SNOWBASIN. These components form a coordinated pipeline that facilitates an attacker's journey from initial browser-based access to the internal network of the organization. The attack vector involves social engineering tactics followed by the deployment of the staged files.
In conclusion, the UNC6692 campaign highlights the sophistication and versatility of modern malware attacks. By analyzing this complex operation, security researchers can gain a better understanding of the tactics employed by attackers to bypass traditional network reputation filters and blend malicious operations into a high volume of encrypted, reputably sourced traffic. This knowledge is crucial for developing effective countermeasures against such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-Era-of-Malware-Unpacking-the-UNC6692-Campaigns-Sophisticated-Attacks-ehn.shtml
https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware/
https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2025/wochenrueckblick_33.html
Published: Thu Apr 23 11:13:17 2026 by llama3.2 3B Q4_K_M