Ethical Hacking News

The Evasive Tactics of UNC6692: A Sophisticated Malware Campaign Leveraging Social Engineering and Cloud Services


UNC6692 has been observed impersonating IT helpdesk employees via Microsoft Teams to deploy custom malware on compromised hosts, using social engineering tactics to trick victims into installing legitimate RMM tools. The campaign highlights the importance of treating collaboration tools as first-class attack surfaces by enforcing help desk verification workflows and tightening external Teams and screen-sharing controls.

  • The threat actor UNC6692 combines social engineering over Microsoft Teams with a custom malware suite deployed on compromised hosts.
  • The campaign pairs bombarding victims' email inboxes with spam and a follow-up Microsoft Teams message impersonating the help desk.
  • The threat actor has been observed hosting malicious components on trusted cloud platforms such as Amazon S3, allowing it to bypass traditional network reputation filters and blend into legitimate cloud traffic.
  • The malware suite deployed by UNC6692 consists of several components, including SNOWBELT and SNOWGLAZE, which create a secure, authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) server.
  • The attack chain tricks victims into installing legitimate remote monitoring and management (RMM) tools, which are then used to drop additional payloads.
  • 77% of observed incidents targeted senior-level employees, showing how effective the help desk impersonation playbook remains.



    Among the many sophisticated threats of recent years, the campaign attributed to UNC6692 stands out for its ingenuity. The threat actor leverages social engineering via Microsoft Teams to deploy a custom malware suite on compromised hosts. The campaign, which pairs bombarding victims' email inboxes with spam with Microsoft Teams-based help desk impersonation, is a masterclass in evasive tactics.

    According to a report published by Mandiant, the threat actor has been observed impersonating IT helpdesk employees via Microsoft Teams to deploy a custom malware suite on compromised hosts. The approach relies heavily on creating a false sense of urgency by flooding victims' email inboxes with spam emails, only to follow up with a message claiming to be from the IT support team offering assistance with the email bombing problem.

    The use of social engineering tactics is not new in the world of cybersecurity, but what makes UNC6692's approach particularly noteworthy is its reliance on legitimate cloud services for payload delivery and exfiltration. The threat actor has been observed hosting malicious components on trusted cloud platforms such as Amazon S3, which allows it to bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic.

    The malware suite deployed by UNC6692 consists of several components, including SNOWBELT, a malicious Chromium-based browser extension, and SNOWGLAZE, a Python-based tunneler that creates a secure, authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) server. The third component is SNOWBASIN, which operates as a persistent backdoor to enable remote command execution via "cmd.exe" or "powershell.exe," screenshot capture, file upload/download, and self-termination.

    The attack chain detailed by Mandiant reveals that the phishing page shared via Teams chat leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket. The script is designed to perform initial reconnaissance and then install SNOWBELT on the Edge browser by launching it in headless mode along with the "--load-extension" command line switch.

    Hosting payloads on legitimate cloud services is not a new tactic, but what makes UNC6692's approach particularly noteworthy is how the Teams conversation is steered toward getting the victim to install a legitimate remote monitoring and management (RMM) tool such as Quick Assist or Supremo Remote Desktop. Once installed, these tools are weaponized to drop additional payloads.
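    As an added example (not code from the article or from Mandiant), the following Python triages process-creation records for the two host-side behaviours the paragraphs above describe: a Chromium browser started headless with "--load-extension" (the SNOWBELT install step) and execution of the named RMM tools, plus an AutoHotkey interpreter run. The JSON-lines record shape, the field names (Computer, Image, CommandLine, ParentImage) and the executable names quickassist.exe, supremo.exe and autohotkey*.exe are assumptions; the sample events are constructed.

```python
"""Process-creation log triage for a UNC6692-style delivery chain.

Added example, not from the article or the Mandiant report. Flags the
behaviours the article describes (headless browser + --load-extension,
RMM tool execution, AutoHotkey interpreter) and correlates hits per host.
Input is constructed JSON-lines in a Sysmon-like shape; field names are
an assumption.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Executable names are assumptions: the article names the tools, not their binaries.
RMM_BINARIES = {"quickassist.exe", "supremo.exe"}
AHK_PATTERN = re.compile(r"^autohotkey.*\.exe$", re.IGNORECASE)
BROWSERS = {"msedge.exe", "chrome.exe"}
# Chromium switches; "--headless=new" is the newer spelling of the same switch.
HEADLESS_FLAG = re.compile(r"(^|\s)--headless(=\w+)?(\s|$)", re.IGNORECASE)
EXT_FLAG = re.compile(r"(^|\s)--load-extension=", re.IGNORECASE)
RANK = {"medium": 1, "high": 2}


@dataclass
class Alert:
    severity: str
    rule: str
    host: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> Optional[Alert]:
    """Apply the three single-event rules to one process-creation record."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    host = event.get("Computer", "?")
    if image in BROWSERS and HEADLESS_FLAG.search(cmd) and EXT_FLAG.search(cmd):
        # Headless browser plus an unpacked extension path: the SNOWBELT install step.
        return Alert("high", "headless_browser_extension_sideload", host, image, cmd)
    if image in RMM_BINARIES:
        return Alert("medium", "rmm_tool_execution", host, image, cmd)
    if AHK_PATTERN.match(image):
        return Alert("medium", "autohotkey_interpreter", host, image, cmd)
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Parse JSON-lines records, skip malformed lines, collect alerts in order."""
    alerts: List[Alert] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = evaluate(event)
        if alert:
            alerts.append(alert)
    return alerts


def correlate(alerts: Iterable[Alert]) -> Dict[str, str]:
    """Per-host verdict: 'critical' when two or more distinct rules fire on one host."""
    rules_by_host: Dict[str, Set[str]] = defaultdict(set)
    worst: Dict[str, str] = {}
    for a in alerts:
        rules_by_host[a.host].add(a.rule)
        if RANK[a.severity] > RANK.get(worst.get(a.host, ""), 0):
            worst[a.host] = a.severity
    return {h: ("critical" if len(r) >= 2 else worst[h]) for h, r in rules_by_host.items()}


# Constructed sample feed: one host shows the full chain, one host only an RMM launch.
SAMPLE_EVENTS = [
    r'{"Computer": "WS-FIN-07", "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "CommandLine": "msedge.exe --profile-directory=Default", "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"Computer": "WS-FIN-07", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AutoHotkey64.exe", "CommandLine": "AutoHotkey64.exe C:\\Users\\jdoe\\Downloads\\helpdesk.ahk", "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"Computer": "WS-FIN-07", "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "CommandLine": "msedge.exe --headless=new --load-extension=C:\\Users\\jdoe\\AppData\\Local\\Temp\\ext", "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AutoHotkey64.exe"}',
    r'{"Computer": "WS-HR-02", "Image": "C:\\Windows\\System32\\quickassist.exe", "CommandLine": "quickassist.exe", "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"Computer": "WS-HR-02", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}',
    "this line is not JSON and must be skipped",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for a in hits:
        print(f"[{a.severity}] {a.host} {a.rule}: {a.cmdline}")
    print(correlate(hits))
```

    A single RMM launch is ordinary helpdesk activity, so it stays at medium; the escalation to critical only happens when a second, independent rule fires on the same host, which is what turns the noisy RMM signal into something worth paging on.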

    The campaign has been observed targeting senior-level employees for initial access into corporate networks for potential data theft, lateral movement, ransomware deployment, and extortion. In some cases, chats were initiated just 29 seconds apart, highlighting the threat actor's efforts to create a sense of urgency and panic among its victims.

    The use of social engineering tactics is a hallmark of UNC6692's approach, and it is clear that this threat actor has been influenced by previous campaigns such as those carried out by former Black Basta affiliates. Although the group shut down its ransomware operations early last year, the playbook shows no sign of slowing down.

    Separately, ReliaQuest reports that 77% of observed incidents targeted senior-level employees between March 1 and April 1, 2026, up from 59% in the first two months of 2026. This activity demonstrates that a threat group's most effective tactics can long outlive the group itself.

    The chain begins with a large email campaign designed to overwhelm the target's inbox with a flood of spam, manufacturing the false sense of urgency that the follow-up Teams "help desk" message then exploits.

    The disclosure comes as Cato Networks detailed a voice phishing-based campaign that leverages similar help desk impersonation on Microsoft Teams to guide victims into executing a WebSocket-based trojan dubbed PhantomBackdoor via an obfuscated PowerShell script retrieved from an external server. The incident highlights the importance of treating collaboration tools as first-class attack surfaces by enforcing help desk verification workflows, tightening external Teams and screen-sharing controls, and hardening PowerShell.

    In conclusion, the campaign attributed to UNC6692 is a sophisticated example of social engineering being used to deploy custom malware on compromised hosts. Cloud-hosted payload delivery and exfiltration are not new, but the reliance on talking victims into installing legitimate RMM tools is what makes this approach particularly noteworthy.

    The incident highlights the importance of keeping employees vigilant when it comes to email and collaboration tool phishing attempts. It also underscores the need for organizations to have robust security measures in place to detect and prevent such threats. By taking a proactive approach to cybersecurity, organizations can reduce the risk of falling victim to such threats and minimize the potential damage.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Evasive-Tactics-of-UNC6692-A-Sophisticated-Malware-Campaign-Leveraging-Social-Engineering-and-Cloud-Services-ehn.shtml

  • Published: Thu Apr 23 15:11:59 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.