

Ethical Hacking News

The Rise of Sophisticated Malware: UNC6692's Expertly Crafted Campaign to Exploit Microsoft Teams




Threat actors have been using a novel tactic to gain initial access into corporate networks: impersonating IT help desks via Microsoft Teams to deploy SNOW malware. This campaign leverages phishing emails to create urgency and trick victims into granting remote access, exploiting their trust in enterprise software providers. The attackers then use the compromised systems for lateral movement, data exfiltration, and ransomware deployment. As a result, defenders must treat collaboration tools as first-class attack surfaces by enforcing help desk verification workflows, tightening external Teams controls, and hardening PowerShell.

  • Threat actors attributed to UNC6692 deployed a custom-made malware suite via Microsoft Teams using social engineering tactics.
  • The campaign used phishing emails, help desk impersonation, and flooding victims' inboxes with spam to create a sense of urgency for remote access.
  • Attackers posing as IT help desk staff tricked victims into accepting Teams chat invitations from accounts outside their organization.
  • Attackers relied on cloud services like AWS S3 for payload delivery and exfiltration, bypassing traditional network reputation filters.
  • The malware suite included browser extensions (SNOWBELT) with backdoor and tunneler capabilities, as well as lateral movement tools.



    In a recent threat intelligence report, researchers uncovered a previously undocumented malware campaign attributed to the group tracked as UNC6692. The campaign uses social engineering over Microsoft Teams to deploy a custom malware suite on compromised hosts.

    At its core, the campaign combines phishing emails with help desk impersonation via Microsoft Teams. By flooding a victim's inbox with spam, the attackers manufacture a sense of urgency that makes the target more willing to grant remote access to whoever offers to fix it.

    According to Google-owned Mandiant, this campaign relied heavily on impersonating IT help desk employees via Microsoft Teams chat invitations. These phishing messages are so convincing that they trick victims into accepting a chat invitation from an account outside their organization. The attackers then proceed to "offer assistance" with the reported email bombing problem, thereby gaining access to the victim's system.

    This tactic is reminiscent of a previous campaign by former Black Basta affiliates, which also employed help desk impersonation on Microsoft Teams to deploy ransomware attacks. Despite this group shutting down its operations early last year, their playbook has seen no signs of slowing down. In fact, recent data from ReliaQuest indicates that these tactics have become increasingly popular among threat actors.

    The attack chain deviates slightly from that earlier playbook. Instead, the attacker shares a phishing link in the Teams chat, presented as a local patch that will remediate the spam issue. The link leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket.

    The script, when run, performs initial reconnaissance and installs SNOWBELT, a malicious Chromium-based browser extension, into the Edge browser by launching it in headless mode with a specific command line switch. The SNOWBELT extension, part of the broader SNOW malware ecosystem, is designed to function as both a backdoor and a tunneler.

    The SNOWBASIN component functions as a persistent backdoor that enables remote command execution via "cmd.exe" or "powershell.exe," screenshot capture, file upload/download, and self-termination. It runs as a local HTTP server on ports 8000, 8001, or 8002.

    Other post-exploitation actions carried out by UNC6692 include:

  • scanning the local network for ports 135, 445, and 3389 with Python scripts in preparation for lateral movement;
  • establishing PsExec sessions to the victim's system via the SNOWGLAZE tunneling utility;
  • initiating RDP sessions to a backup server from the victim system;
  • using a local administrator account to extract system memory with Windows Task Manager;
  • moving laterally to domain controllers using password hashes;
  • exfiltrating sensitive data such as Active Directory database files.
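The three host behaviours described above (headless Edge launch to install the extension, a local HTTP listener on port 8000, 8001 or 8002, and a burst of connections to ports 135/445/3389) are the kind of telemetry a detection engineer would correlate. The following is an added example, not code from the report or from Mandiant; the event format, the thresholds, and the `--load-extension` switch (the report does not name the switch used) are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')      # parses simplified key=value telemetry lines
BROWSERS = {"msedge.exe", "chrome.exe"}
BACKDOOR_PORTS = {8000, 8001, 8002}          # local HTTP ports named in the report
SCAN_PORTS = {135, 445, 3389}                # ports the actor scanned before lateral movement
SCAN_WINDOW, SCAN_MIN_HOSTS = 120, 5         # assumed thresholds: tune per environment

def parse(line):
    ev = {k: v.strip('"') for k, v in KV.findall(line)}
    ev["ts"] = int(ev["ts"])
    return ev

def detect(lines):
    """Return (host, rule) findings, in event order. A headless browser launch alone is a
    weak signal (test automation does it too), so the listener rule only fires on a host
    that already had one; the scan rule needs SCAN_MIN_HOSTS distinct targets in a window."""
    findings, headless_hosts, scans = [], set(), defaultdict(list)
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        h = ev["host"]
        if ev["type"] == "proc" and ev["image"].lower() in BROWSERS and "--headless" in ev.get("cmd", ""):
            headless_hosts.add(h)
            findings.append((h, "headless_browser"))
        elif ev["type"] == "listen" and int(ev["lport"]) in BACKDOOR_PORTS and h in headless_hosts:
            findings.append((h, "local_listener_after_headless"))   # a bare :8000 listener is too noisy alone
        elif ev["type"] == "conn" and int(ev["dport"]) in SCAN_PORTS:
            scans[h].append((ev["ts"], ev["dst"]))
            recent = {d for t, d in scans[h] if ev["ts"] - t <= SCAN_WINDOW}
            if len(recent) >= SCAN_MIN_HOSTS and (h, "lateral_scan") not in findings:
                findings.append((h, "lateral_scan"))
    return findings

SAMPLE_EVENTS = [  # constructed telemetry for illustration, not from the report
    r'ts=100 type=proc host=ws01 image=msedge.exe cmd="msedge.exe --headless --load-extension=C:\Temp\ext"',
    r'ts=130 type=listen host=ws01 image=unknown.exe laddr=127.0.0.1 lport=8001',
    r'ts=200 type=conn host=ws01 image=python.exe dst=10.0.0.11 dport=445',
    r'ts=201 type=conn host=ws01 image=python.exe dst=10.0.0.12 dport=445',
    r'ts=202 type=conn host=ws01 image=python.exe dst=10.0.0.13 dport=3389',
    r'ts=203 type=conn host=ws01 image=python.exe dst=10.0.0.14 dport=135',
    r'ts=204 type=conn host=ws01 image=python.exe dst=10.0.0.15 dport=445',
    r'ts=300 type=proc host=ws02 image=msedge.exe cmd="msedge.exe https://intranet.example"',
    r'ts=310 type=listen host=ws02 image=node.exe laddr=127.0.0.1 lport=8000',   # benign dev server: not flagged
    r'ts=320 type=conn host=ws02 image=outlook.exe dst=10.0.0.20 dport=445',
]

if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Only ws01 is flagged; ws02 has a normal browser launch and a lone localhost listener on 8000, which this logic deliberately ignores to keep false positives from development tooling down.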

    The use of legitimate cloud services for payload delivery and exfiltration is a critical element of this strategy. By hosting malicious components on trusted cloud platforms such as AWS S3, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic.

    This campaign highlights an interesting evolution in tactics used by threat actors to trick victims into granting them remote access. It showcases the use of custom malware, browser extensions, and social engineering tactics that are both convincing and sophisticated.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Rise-of-Sophisticated-Malware-UNC6692s-Expertly-Crafted-Campaign-to-Exploit-Microsoft-Teams-ehn.shtml

  • https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html


  • Published: Fri Apr 24 05:54:45 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
