Ethical Hacking News
A threat actor has been using Microsoft Teams to deploy a custom malware family dubbed "Snow", which comprises a browser extension, a tunneler and a backdoor. The attackers rely on social engineering to talk victims into granting remote access, with the goal of stealing sensitive data once the network has been compromised in depth.
In brief: Microsoft Teams served as the delivery vector for the "Snow" toolset, attributed to the threat actor UNC6692. Posing as IT support, the operators persuade victims to grant remote access through Quick Assist or another remote-access tool; a dropper then runs AutoHotkey scripts that load SnowBelt, a malicious Chrome extension running in a headless Microsoft Edge instance. SnowBelt provides persistence and relays operator commands to the SnowBasin backdoor, while the SnowGlaze tunneler wraps traffic between the host and the command-and-control (C2) infrastructure in a WebSocket tunnel. SnowBasin runs a local HTTP server, executes attacker-supplied CMD or PowerShell commands on the infected system and returns the output to the operator. After establishing a foothold, the actor performed internal reconnaissance, moved laterally and used FTK Imager to extract credential data. Mandiant's report publishes indicators of compromise and YARA rules for the toolset.
Microsoft Teams has been used as a vector for deploying new custom malware, dubbed "Snow", by a threat actor identified as UNC6692. According to Google's Mandiant researchers, the attackers employ social engineering tactics to trick victims into granting remote access via Quick Assist or other remote access tools.
The lure creates urgency: the victim is told that clicking a link will stop the email spam they are receiving. In reality the link delivers a dropper that executes AutoHotkey scripts, which in turn load "SnowBelt", a malicious Chrome extension. The extension runs inside a headless Microsoft Edge instance, so no browser window ever appears and the victim has no visible sign of the malware.
The SnowBelt extension serves both as a persistence mechanism and as a relay for the commands the operator sends to SnowBasin, a Python-based backdoor. SnowGlaze, a tunneler, establishes a WebSocket tunnel between the host and the command-and-control (C2) infrastructure, so that C2 traffic blends in with ordinary web traffic and arbitrary TCP connections can be routed through the infected host.
SnowBasin runs a local HTTP server through which it receives attacker-supplied CMD or PowerShell commands, executes them on the infected system and relays the results back to the operator. It also supports remote shell access, data exfiltration, file download, screenshot capture and basic file management operations.
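As an added example (not code from this page or from Mandiant's report), the Python script below runs a handful of hunting rules over constructed Sysmon-style process-creation events and correlates the hits per host, so that one legitimate Quick Assist session does not raise an alert while the full chain does. The rules follow the stages described above; the command-line flags (--headless, --load-extension), paths and file names are assumptions about how those stages would appear in telemetry, not published indicators.

```python
"""Host-level hunt for the Snow intrusion chain over constructed process events.

Added example: the events, paths and command-line flags below are assumptions
about how the described stages would look in Sysmon EventID 1 telemetry, not
indicators published for UNC6692.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str          # full path of the created process
    cmdline: str
    parent_image: str   # full path of the parent process


# Locations an unprivileged user can write to (assumed staging directories).
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)
BROWSERS = {"msedge.exe", "chrome.exe"}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(text: str) -> bool:
    return USER_WRITABLE.search(text) is not None


def headless_browser_loads_extension(e: ProcEvent) -> bool:
    # Chromium accepts --headless and --load-extension; a headless Edge that
    # side-loads an extension from a user-writable directory matches how the
    # SnowBelt extension is described (the victim never sees a window).
    cl = e.cmdline.lower()
    return (_name(e.image) in BROWSERS and "--headless" in cl
            and "--load-extension=" in cl and _user_writable(cl))


def autohotkey_spawns_browser(e: ProcEvent) -> bool:
    # The AutoHotkey stage loads the extension, so the interpreter becoming
    # the browser's parent is the cheapest observable of that step.
    return _name(e.parent_image).startswith("autohotkey") and _name(e.image) in BROWSERS


def autohotkey_from_user_dir(e: ProcEvent) -> bool:
    return _name(e.image).startswith("autohotkey") and _user_writable(e.image)


def quick_assist_session(e: ProcEvent) -> bool:
    # Quick Assist is legitimate on its own; recording it lets the per-host
    # correlation tie the remote-access session to the later stages.
    return _name(e.image) == "quickassist.exe"


def python_from_user_dir(e: ProcEvent) -> bool:
    # SnowBasin is Python-based; an interpreter running out of AppData or
    # ProgramData on a host without a Python install is worth a look.
    return _name(e.image) in {"python.exe", "pythonw.exe"} and _user_writable(e.image)


RULES = {f.__name__: f for f in (
    headless_browser_loads_extension, autohotkey_spawns_browser,
    autohotkey_from_user_dir, quick_assist_session, python_from_user_dir)}


def hunt(events):
    """Map host -> set of rule names that fired on it."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e.host].add(name)
    return dict(hits)


def suspicious_hosts(events, min_rules=2):
    """Hosts where at least min_rules distinct stages were seen; a single hit
    (a genuine help-desk Quick Assist session) stays below the bar."""
    return sorted(h for h, r in hunt(events).items() if len(r) >= min_rules)


# Constructed sample telemetry: WS01 shows the chain, WS02 is benign use of
# Edge and AutoHotkey, WS03 is a legitimate Quick Assist session.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\System32\quickassist.exe", "quickassist.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent("WS01", r"C:\Users\alice\AppData\Local\Temp\ahk\AutoHotkey.exe",
              r"AutoHotkey.exe C:\Users\alice\AppData\Local\Temp\ahk\run.ahk",
              r"C:\Users\alice\Downloads\dropper.exe"),
    ProcEvent("WS01", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r"msedge.exe --headless=new --load-extension=C:\Users\alice\AppData\Local\Temp\ext",
              r"C:\Users\alice\AppData\Local\Temp\ahk\AutoHotkey.exe"),
    ProcEvent("WS01", r"C:\ProgramData\rt\pythonw.exe", r"pythonw.exe C:\ProgramData\rt\svc.py",
              r"C:\Users\alice\AppData\Local\Temp\ahk\AutoHotkey.exe"),
    ProcEvent("WS02", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              "msedge.exe --profile-directory=Default", r"C:\Windows\explorer.exe"),
    ProcEvent("WS02", r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
              r"AutoHotkey.exe C:\Users\bob\Documents\hotkeys.ahk", r"C:\Windows\explorer.exe"),
    ProcEvent("WS03", r"C:\Windows\System32\quickassist.exe", "quickassist.exe",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, sorted(rules))
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

The per-host correlation is the point: each rule on its own is noisy (help-desk staff use Quick Assist, developers use AutoHotkey), but two or more stages on the same workstation within the same window is what the described chain looks like and is rare in benign activity.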
Post-compromise, the attackers performed internal reconnaissance, scanning for services such as SMB and RDP to identify further targets. They then moved laterally using pass-the-hash techniques to authenticate to additional hosts, eventually reaching the domain controllers. There the threat actor deployed FTK Imager, a forensic disk-imaging tool, to extract sensitive credential data.
Mandiant's report on the Snow toolset includes indicators of compromise (IoCs) and YARA rules to aid detection. In a separate item, AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes, a sign that a wave of new exploits may be imminent.
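As an added example (not the page's or Mandiant's code), the Python below looks for two of the post-compromise signals just described in constructed Windows Security 4624 logon records and process events: one account fanning out over NTLM network logons from a single source address to several hosts inside a short window, which is how pass-the-hash lateral movement tends to look (a healthy domain logon would normally be Kerberos), and FTK Imager starting on a domain controller. Host names, IP addresses, thresholds and the FTK Imager install path are assumptions.

```python
"""Spot the post-compromise pattern described above in constructed Windows
Security logon events (4624) and process events.

Added example: the thresholds, host names and the FTK Imager path are
assumptions for illustration, not indicators from Mandiant's report.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    time: datetime
    target_host: str    # computer that recorded the 4624
    account: str        # TargetUserName
    logon_type: int     # 3 = network logon (SMB, RDP with NLA, WinRM ...)
    auth_package: str   # "NTLM" or "Kerberos"
    source_ip: str      # IpAddress


def ntlm_fan_out(logons, window=timedelta(minutes=10), min_targets=3):
    """Return {(source_ip, account): sorted targets} for (source, account)
    pairs that complete NTLM network logons to >= min_targets distinct hosts
    inside one window.

    Pass-the-hash replays an NTLM hash, so it never shows up as Kerberos; one
    workstation authenticating one account to many servers within minutes is
    the footprint of the lateral movement described above (and of some admin
    scripts, so treat the output as a lead, not a verdict).
    """
    by_key = defaultdict(list)
    for lg in logons:
        if lg.logon_type == 3 and lg.auth_package.upper() == "NTLM":
            by_key[(lg.source_ip, lg.account.lower())].append(lg)
    flagged = {}
    for key, items in by_key.items():
        items.sort(key=lambda lg: lg.time)
        for i, first in enumerate(items):   # sliding window anchored at each logon
            targets = {lg.target_host for lg in items[i:] if lg.time - first.time <= window}
            if len(targets) >= min_targets:
                flagged[key] = sorted(targets)
                break
    return flagged


DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # assumed inventory


def imaging_tool_on_dc(proc_events, dcs=DOMAIN_CONTROLLERS):
    """(host, image) pairs where FTK Imager started on a domain controller.
    A disk-imaging tool on a DC outside an incident-response engagement is the
    step at which the actor pulled credential data."""
    return sorted((host, image) for host, image in proc_events
                  if host.upper() in dcs and "ftk imager" in image.lower())


# Constructed sample data: 10.0.1.25 (the foothold) sprays one admin account
# over four hosts with NTLM in six minutes; the other logons are routine.
T = datetime(2026, 4, 20, 10, 0)
SAMPLE_LOGONS = [
    Logon(T, "FS01", "it-admin", 3, "NTLM", "10.0.1.25"),
    Logon(T + timedelta(minutes=2), "WS07", "it-admin", 3, "NTLM", "10.0.1.25"),
    Logon(T + timedelta(minutes=5), "DC01", "it-admin", 3, "NTLM", "10.0.1.25"),
    Logon(T + timedelta(minutes=6), "DC02", "it-admin", 3, "NTLM", "10.0.1.25"),
    Logon(T + timedelta(minutes=1), "FS01", "bob", 3, "Kerberos", "10.0.1.30"),
    Logon(T + timedelta(minutes=3), "FS01", "svc-scan", 3, "NTLM", "10.0.1.31"),
    Logon(T + timedelta(minutes=4), "FS01", "svc-scan", 3, "NTLM", "10.0.1.31"),
    Logon(T + timedelta(minutes=40), "DC01", "it-admin", 3, "NTLM", "10.0.1.25"),
]
SAMPLE_PROCS = [
    ("DC01", r"C:\Program Files\AccessData\FTK Imager\FTK Imager.exe"),
    ("FS01", r"C:\Windows\System32\robocopy.exe"),
]

if __name__ == "__main__":
    print(ntlm_fan_out(SAMPLE_LOGONS))
    print(imaging_tool_on_dc(SAMPLE_PROCS))
```

The fan-out check keys on the source address rather than the account because pass-the-hash reuses a legitimate account: the anomaly is one machine reaching many others with NTLM, not the account name. Tune the window and target count against a baseline of your own admin activity before alerting on it.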
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-Malware-Threat-Actor-Uses-Microsoft-Teams-to-Deploy-Custom-Snow-Malware-ehn.shtml
https://www.bleepingcomputer.com/news/security/threat-actor-uses-microsoft-teams-to-deploy-new-snow-malware/
https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html
https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware
https://www.sans.org/blog/forensics-101-acquiring-an-image-with-ftk-imager
https://hackercoolmagazine.com/beginners-guide-to-ftk-imager/
Published: Sat Apr 25 11:12:53 2026 by llama3.2 3B Q4_K_M