Ethical Hacking News

A Sophisticated Phishing Scam: The Rise of Custom Malware and Social Engineering Tactics


A new threat group has been identified by Google's Threat Intelligence Group that is using advanced social engineering tactics to impersonate helpdesk personnel and steal sensitive data from unsuspecting organizations. Learn more about this sophisticated phishing scam and the custom malware being used.

  • Google's Threat Intelligence Group has identified a new threat group, UNC6692, using advanced social engineering tactics to impersonate helpdesk personnel and steal sensitive data.
  • The attack starts with overwhelming spam email traffic and prompts victims to click on a link that installs custom malware.
  • The malware, known as SnowBelt, is delivered as a Chromium browser extension and allows attackers to download additional malware components.
  • The attackers use a combination of tactics, including social engineering, custom malware, and command-and-control infrastructure to exfiltrate stolen data.
  • Google's analysis highlights the increasing sophistication of phishing campaigns and the importance of staying vigilant in protecting sensitive data.



In recent months, a new threat group has been identified by Google's Threat Intelligence Group (GTIG) that is using advanced social engineering tactics to impersonate helpdesk personnel and steal sensitive data from unsuspecting organizations. This threat group, tracked as UNC6692, has been spotted using custom malware in its data-stealing attacks, making it a significant concern for cybersecurity professionals.

The attack begins with an overwhelming amount of spam email sent to the target organization, after which someone posing as helpdesk personnel reaches out via Microsoft Teams to offer assistance. The fake helpdesk worker prompts the user to click a link that supposedly installs a local patch to stop the spam. The link leads to a landing page masquerading as a "Mailbox Repair Utility", complete with a "Health Check" button.

Upon clicking this button, users are prompted to authenticate with their email address and password, allowing the attackers to harvest these credentials. The phishing page then performs a fake mailbox integrity check, which keeps the victim engaged while the credentials and metadata are sent to an attacker-controlled Amazon S3 bucket.

The attackers have also developed a custom malware named SnowBelt, which is delivered as a Chromium browser extension. This extension allows the attackers to download additional malware components, including SnowGlaze and SnowBasin, from remote sources. The SnowGlaze component is a Python-based tunneler that runs in both Windows and Linux environments and manages external communication.

SnowGlaze creates an authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) infrastructure, such as a Heroku subdomain. This allows the attackers to exfiltrate stolen data from the compromised system. SnowGlaze also disguises malicious traffic by wrapping it in JSON objects and Base64-encoding it for transfer over WebSockets.

The final component of this malware ecosystem is SnowBasin, a Python bindshell providing interactive control over the infected system. It allows the attackers to execute commands remotely on the compromised machine, capture screenshots, and exfiltrate data. Commands can also be relayed through the SnowGlaze tunnel using HTTP POST requests.

Google's analysis of UNC6692 and its Teams-led social engineering campaign shows that this group uses a sophisticated combination of tactics: custom malware, social engineering, and command-and-control infrastructure. The custom malware lets them maintain persistence on compromised systems and exfiltrate data more covertly than traditional phishing attacks.

It's worth noting that while the attackers are using advanced techniques, there appears to be no overlap between this group and other known threat actors such as ShinyHunters or Scattered Lapsus$ Hunters. Google's analysis does, however, highlight the increasing sophistication of phishing campaigns and the importance of staying vigilant in protecting sensitive data.

This attack is a reminder that cybersecurity professionals must stay up to date on the latest threats and tactics, including advanced social engineering techniques and custom malware. By understanding these tactics, organizations can better prepare themselves to detect and respond to similar attacks in the future.

In conclusion, UNC6692 represents a significant threat to organizations that use Microsoft Teams for collaboration and communication. The group's use of custom malware and social engineering tactics makes it a sophisticated and formidable opponent. As cybersecurity professionals continue to evolve and improve their defenses, it's essential to stay informed about emerging threats like UNC6692.
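The tunnel described above hides its traffic inside JSON objects with Base64-encoded fields. The following Python detector is an added example, not code from Google's report or from the malware, and it illustrates one defensive heuristic a network or proxy monitoring team could apply to decoded WebSocket text frames: flag JSON frames that carry large fields which decode as valid Base64, and report the decoded size and byte entropy so an analyst can triage them. The message layout, field names and sample frames are all constructed for the example; the real SnowGlaze message format is not described on this page, so treat the field names as assumptions.

```python
import base64
import binascii
import json
import math
import string

# Constructed sample WebSocket text frames (not captured from the real campaign).
# Frame 1 imitates a tunnel message: a JSON object with a Base64-wrapped blob.
SAMPLE_FRAMES = [
    '{"type": "ping", "id": "7f3a9c"}',                                  # ordinary keepalive
    json.dumps({"type": "data", "sid": 1,
                "data": base64.b64encode(bytes(range(256))).decode()}),  # wrapped binary payload
    '{"event": "status", "token": "0123456789abcdef0123456789abcdef"}',  # hex identifier, not a payload
    'not json at all',                                                   # plain text frame
]

HEX_CHARS = set(string.hexdigits)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the decoded payload; ~8.0 for compressed/encrypted data, lower for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_if_base64(value, min_chars: int = 32):
    """Return the decoded bytes if `value` is a plausible Base64 payload, else None."""
    if not isinstance(value, str) or len(value) < min_chars or len(value) % 4:
        return None
    # Hex identifiers also satisfy the Base64 alphabet; skip them to cut false positives.
    if set(value) <= HEX_CHARS:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def suspicious_fields(frame: str, min_chars: int = 32):
    """List (field, decoded_length, entropy) for every Base64-wrapped field in a JSON object frame."""
    try:
        obj = json.loads(frame)
    except ValueError:
        return []
    if not isinstance(obj, dict):
        return []
    hits = []
    for key, value in obj.items():
        decoded = decode_if_base64(value, min_chars)
        if decoded is not None:
            hits.append((key, len(decoded), round(shannon_entropy(decoded), 2)))
    return hits


def flag_frames(frames, min_chars: int = 32):
    """Map frame index -> hits for every frame that carries at least one wrapped field."""
    flagged = {}
    for i, frame in enumerate(frames):
        hits = suspicious_fields(frame, min_chars)
        if hits:
            flagged[i] = hits
    return flagged


if __name__ == "__main__":
    for index, hits in flag_frames(SAMPLE_FRAMES).items():
        print(f"frame {index}: {hits}")
```

Only frame 1 is flagged; the keepalive, the hex token and the non-JSON frame pass. This is a triage heuristic rather than a signature: legitimate applications also ship Base64 in JSON, so the useful signal is the combination of a long-lived WebSocket to an unfamiliar external host (the report names a Heroku subdomain) with a steady stream of such frames, and the entropy column helps separate wrapped binary or encrypted data from ordinary text.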



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Sophisticated-Phishing-Scam-The-Rise-of-Custom-Malware-and-Social-Engineering-Tactics-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2026/04/25/new_crime_crew_impersonates_help_desks/

  • https://www.theregister.com/2026/04/25/new_crime_crew_impersonates_help_desks/

  • https://www.techrepublic.com/article/news-hackers-microsoft-teams-social-engineering-it-help-desk-scam/


  • Published: Sat Apr 25 05:13:56 2026 by llama3.2 3B Q4_K_M