UNC6692 Uses Teams Impersonation to Deploy SNOW Malware
A new threat actor, UNC6692, is employing social engineering tactics through Microsoft Teams, impersonating IT help desk employees to deploy the SNOW malware. This sophisticated attack chain begins with an email bombing campaign to create urgency, followed by a Teams message offering assistance, leading victims to install malicious payloads. The malware allows for persistent access, data exfiltration, and potential ransomware deployment.
Key Highlights
- UNC6692 group impersonates IT help desk staff on Microsoft Teams.
- Attack begins with email flooding, followed by Teams phishing.
- Custom SNOW malware suite deployed via social engineering.
- Attackers aim for persistent access and data exfiltration.
- Senior-level employees are increasingly targeted.
- Abuse of legitimate cloud services aids evasion.
A newly identified threat actor, designated as UNC6692, is actively engaging in sophisticated social engineering campaigns, leveraging Microsoft Teams to deploy a custom malware suite known as SNOW. This operation, detailed by Google-owned Mandiant and other cybersecurity researchers, marks a significant evolution in attack vectors, moving beyond traditional email phishing to exploit the perceived trust within collaboration platforms.
The attack chain initiated by UNC6692 typically begins with a large-scale email bombing campaign. This tactic is designed to overwhelm the target's inbox, creating a sense of urgency and confusion. As victims become inundated with emails, they are more likely to seek assistance or fall for subsequent social engineering attempts.
Following the email bombardment, UNC6692 actors reach out to their targets directly via Microsoft Teams. They impersonate IT help desk employees, offering to resolve the email flooding issue. This impersonation is crucial to the attack's success, as users often perceive internal communication platforms like Teams as secure and trustworthy environments, making them more susceptible to deception.
The ultimate goal is to trick the victim into accepting a Teams chat invitation from an external account and clicking on a malicious link. This link, disguised as a patch or fix for the email problem, leads to the download of malicious files, often hosted on legitimate cloud services like AWS S3 to evade detection. These files can include AutoHotkey scripts and binaries that, when executed, install the SNOW malware.
The SNOW malware ecosystem is modular and comprises several components designed to facilitate the attackers' objectives. SNOWBELT functions as a JavaScript-based backdoor, SNOWGLAZE is a Python-based tunneler for establishing secure C2 communication, and SNOWBASIN acts as a persistent backdoor enabling remote command execution, file transfer, and screenshot capabilities.
Once established, the malware allows UNC6692 to gain persistent access to compromised hosts, conduct reconnaissance, exfiltrate data using tools like Rclone, and potentially deploy further payloads such as ransomware. The attackers also leverage legitimate remote monitoring and management (RMM) tools like Quick Assist or Supremo Remote Desktop to ensure persistence, even if initial artifacts are detected and removed.
Researchers note that UNC6692 systematically abuses legitimate cloud services for various stages of the attack, including payload delivery, command-and-control (C2) infrastructure, and data exfiltration. This strategy helps them bypass traditional network reputation filters and blend in with legitimate cloud traffic.
An alarming trend observed in these attacks is the increasing targeting of senior-level employees. Between March 1 and April 1, 2026, 77% of observed incidents targeted executives and high-level staff, up from 59% in the preceding months. This focus on high-value targets suggests a strategic approach to gain deeper access into corporate networks.
The tactics employed by UNC6692, such as impersonating IT support and using a combination of email flooding and Teams-based social engineering, echo methods previously used by former Black Basta affiliates, indicating a persistence of effective attack playbooks.
While Microsoft Teams is a powerful collaboration tool, the way it handles external guest access, combined with the possibility of spoofing sender identity in messages, creates opportunities for such attacks. Cybersecurity experts emphasize the need for organizations to implement robust user awareness training, monitor external Teams invitations, enforce multi-factor authentication, and maintain vigilance against social engineering tactics, especially impersonation on collaboration platforms.
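As an added detection example (not from the article or from Mandiant's reporting), the script below correlates the two stages of the chain described above: a burst of inbound mail to one mailbox, followed within a short window by a Teams chat request from a sender outside the organization. The event format, domain names, sample events and thresholds are all constructed for illustration and must be mapped to the fields your own mail gateway and Teams audit logs actually emit.

```python
from datetime import datetime, timedelta
INTERNAL_DOMAIN = "corp.example"  # assumption: the defended tenant's own domain
_t = datetime.fromisoformat

# Constructed sample events, not real logs: (time, type, target_user, sender).
# "mail_in" = inbound mail accepted for target; "teams_chat_request" = a chat
# invitation from sender to target, as a Teams audit log might record it.
SAMPLE_EVENTS = (
    # 40 inbound mails to the CFO in ~5 minutes (the email-bombing phase), then
    # an external "help desk" chat request 35 minutes after the flood began
    [(_t("2026-03-10T09:00:00") + timedelta(seconds=8 * i), "mail_in",
      "cfo@corp.example", f"signup{i}@lists-{i}.example") for i in range(40)]
    + [(_t("2026-03-10T09:35:00"), "teams_chat_request",
        "cfo@corp.example", "helpdesk@it-support-portal.example")]
    # controls: a few mails plus an external invite (no flood); an internal sender
    + [(_t("2026-03-10T10:00:00") + timedelta(minutes=i), "mail_in",
        "dev@corp.example", f"ci-bot{i}@build.example") for i in range(3)]
    + [(_t("2026-03-10T10:20:00"), "teams_chat_request",
        "dev@corp.example", "vendor@partner.example")]
    + [(_t("2026-03-10T11:00:00"), "teams_chat_request",
        "cfo@corp.example", "helpdesk@corp.example")]
)

def find_flood_then_external_invite(events, internal_domain=INTERNAL_DOMAIN,
                                    flood_threshold=25,
                                    flood_window=timedelta(minutes=10),
                                    invite_window=timedelta(hours=2)):
    """Alert when a user gets >= flood_threshold inbound mails within flood_window
    and a chat request from outside internal_domain arrives within invite_window
    of the flood's start. The external Teams contact is the discriminator."""
    events = sorted(events)
    mails = {}
    for ts, kind, user, _ in events:
        if kind == "mail_in":
            mails.setdefault(user, []).append(ts)
    alerts = []
    for ts, kind, user, sender in events:
        if kind != "teams_chat_request" or \
                sender.rsplit("@", 1)[-1].lower() == internal_domain:
            continue  # not a chat request, or an internal colleague
        times, lo = mails.get(user, []), 0
        for hi in range(len(times)):  # sliding window over this user's inbound mail
            while times[hi] - times[lo] > flood_window:
                lo += 1
            if hi - lo + 1 >= flood_threshold and \
                    timedelta(0) <= ts - times[lo] <= invite_window:
                alerts.append({"user": user, "flood_start": times[lo],
                               "invite_time": ts, "external_sender": sender})
                break
    return alerts
```

Run against the constructed sample, only the CFO's external "help desk" contact is flagged; the developer's external invite (no preceding flood) and the genuine internal help desk message are not.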
Regarding the relevance to India, the increasing digital transformation and adoption of collaboration tools like Microsoft Teams in Indian businesses make them potential targets. India's critical infrastructure and corporate sectors are already facing rising cyber threats from various state and non-state actors. Therefore, awareness of these evolving attack vectors is crucial for Indian organizations to strengthen their defenses against sophisticated social engineering campaigns. The use of legitimate cloud services for malicious purposes also aligns with broader trends in cybercrime observed globally and within India.
Frequently Asked Questions
Who is UNC6692 and what is their primary tactic?
UNC6692 is a previously undocumented threat activity cluster that specializes in social engineering attacks. Their primary tactic involves impersonating IT help desk employees through Microsoft Teams to trick victims into downloading and installing malware.
How does the UNC6692 attack typically unfold?
The attack usually starts with a large email campaign to flood a target's inbox, creating a sense of urgency. Then, the attacker contacts the victim via Microsoft Teams, posing as IT support, to offer help and guide them into clicking a malicious link or downloading a supposed 'fix,' which is actually malware.
What is the SNOW malware and what can it do?
SNOW is a custom, modular malware suite used by UNC6692. It enables attackers to gain persistent access to compromised systems, execute remote commands, transfer files, capture screenshots, and potentially deploy further malicious payloads like ransomware.
Why is Microsoft Teams being targeted in these attacks?
Microsoft Teams is targeted because it is a widely used collaboration platform where employees often have a higher level of trust in communications, especially when impersonated by someone claiming to be from the IT department. This trust can be exploited to bypass traditional security measures.
Are there specific targets for UNC6692 attacks?
Recent trends indicate that UNC6692 is increasingly targeting senior-level employees and executives. This is likely due to their privileged access within organizations, making them high-value targets for gaining deeper network access and exfiltrating sensitive data.