A previously undocumented threat activity cluster tracked as UNC6692 has been observed leveraging social engineering via Microsoft Teams to deploy a custom malware suite on compromised hosts.
“Like many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing its victims to accept Microsoft Teams chat invitations from an account outside their organization,” Google-owned Mandiant said in a report published today.
UNC6692 has been linked to a mass email campaign that floods a target's inbox with spam, creating a false sense of urgency. The threat actor then approaches the target via Microsoft Teams with a message claiming to be from the IT support team and offering help with the email bombing problem.
It's worth noting that this combination of bombarding a victim's inbox and then impersonating the help desk over Microsoft Teams has long been a tactic of former Black Basta associates. Even though the group shut down its ransomware operations early last year, the playbook shows no signs of slowing down.
In a report published last week, ReliaQuest revealed that this approach is being used to target executives and senior-level employees for initial access to corporate networks, with data theft, lateral movement, ransomware deployment, and extortion as the likely follow-on goals. In some cases, chats were initiated just 29 seconds apart.
The goal of the conversation is to trick victims into installing a legitimate remote monitoring and management (RMM) tool, such as Quick Assist or Supremo Remote Desktop, which is then weaponized to drop additional payloads.
“Senior-level employees were targeted in 77% of the incidents observed from March 1 to April 1, 2026, up from 59% in the first two months of 2026,” said ReliaQuest researchers John Dillgen and Alexa Feminella. “This activity shows that the most effective strategy of a threat group can keep the group alive over the long term.”
The attack chain detailed by Mandiant, on the other hand, deviates from this approach: the victim is instructed to click a phishing link shared in the Teams chat to apply a local patch that supposedly fixes the spam problem. The phishing page is titled “Mailbox Repair and Sync Utility v2.1.5,” and clicking through leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket.
The script performs initial reconnaissance and then installs a malicious Chromium-based browser extension dubbed SNOWBELT into Microsoft Edge by launching the browser in headless mode with the “--load-extension” command-line switch.
“The attacker used a gatekeeper script designed to ensure that the payload is only delivered to the intended target while bypassing the automated security sandbox,” said Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelly and Muhammad Umair.
“The script also checks the victim’s browser. If the user is not using Microsoft Edge, the page displays a persistent overlay warning. Using the SNOWBELT extension, UNC6692 downloaded additional files, including SNOWGLAZE, SNOWBASIN, AutoHotkey scripts, and a zip archive containing a portable Python executable and required libraries.”
The phishing page also serves a configuration management panel with a prominent “Health Check” button that, when clicked, prompts users to enter their mailbox credentials, ostensibly for authentication, but in reality harvests them and exfiltrates the data to another Amazon S3 bucket.
The SNOW malware ecosystem is a modular toolkit whose components work together to further the attacker's goals. SNOWBELT is a JavaScript-based backdoor that receives commands and relays them to SNOWBASIN for execution, while SNOWGLAZE is a Python-based tunneler that establishes an authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) server.
The third component is SNOWBASIN, which works as a persistent backdoor to enable remote command execution via “cmd.exe” or “powershell.exe,” screenshot capture, file upload/download, and self-termination. It runs as a local HTTP server on port 8000, 8001, or 8002.
Some other post-exploitation tasks performed by UNC6692 after gaining initial access are as follows –
- Use a Python script to scan the local network for ports 135, 445, and 3389 to find lateral movement targets, establish a PsExec session to the victim's system through the SNOWGLAZE tunnel, and open an RDP session through the same tunnel from the victim system to the backup server.
- Use a local administrator account to dump the LSASS process memory with Windows Task Manager, harvesting credentials for privilege escalation.
- Use pass-the-hash with the harvested password hashes of privileged users to move laterally to the network's domain controllers, download and run FTK Imager to capture sensitive data (for example, the Active Directory database file) into the \Downloads folder, and exfiltrate it using the LimeWire file upload tool.
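As an added illustration (this is not code from Mandiant's report or from the actors described), the following Python sketch turns the observable behaviours above into hunting rules over process telemetry: the headless Edge launch with “--load-extension” used to side-load SNOWBELT, an AutoHotkey interpreter running a script from a user-writable path, Task Manager opening a handle to LSASS, and FTK Imager execution. The event shape is a constructed, Sysmon-like dictionary; field names, file paths, and hostnames are assumptions and should be mapped onto your own pipeline.

```python
"""Hunt for the UNC6692 tradecraft described above in process telemetry.

Added example, not Mandiant's or UNC6692's code. Events are constructed,
Sysmon-like dicts (process_create ~ Event ID 1, process_access ~ Event ID 10);
adapt the field names to your own log schema.
"""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]

# Paths a legitimate enterprise extension or script would not normally live in
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp|ProgramData)\\", re.I)


def rule_headless_extension_load(ev: Event) -> bool:
    """Edge started headless with --load-extension (how SNOWBELT was side-loaded)."""
    if ev.get("event") != "process_create":
        return False
    if not ev.get("image", "").lower().endswith("\\msedge.exe"):
        return False
    cmd = ev.get("command_line", "")
    return "--load-extension" in cmd and "--headless" in cmd


def rule_ahk_from_user_dir(ev: Event) -> bool:
    """AutoHotkey interpreter executing a script out of a user-writable path."""
    if ev.get("event") != "process_create":
        return False
    if "autohotkey" not in ev.get("image", "").lower():
        return False
    return bool(USER_WRITABLE.search(ev.get("command_line", "")))


def rule_taskmgr_lsass_access(ev: Event) -> bool:
    """Task Manager opening LSASS: the manual 'Create dump file' path."""
    if ev.get("event") != "process_access":
        return False
    src = ev.get("source_image", "").lower()
    tgt = ev.get("target_image", "").lower()
    return src.endswith("\\taskmgr.exe") and tgt.endswith("\\lsass.exe")


def rule_ftk_imager(ev: Event) -> bool:
    """FTK Imager on a workstation or backup server is rarely legitimate."""
    return (ev.get("event") == "process_create"
            and "ftk imager" in ev.get("image", "").lower())


RULES: Dict[str, Callable[[Event], bool]] = {
    "autohotkey_user_writable_script": rule_ahk_from_user_dir,
    "edge_headless_load_extension": rule_headless_extension_load,
    "taskmgr_lsass_access": rule_taskmgr_lsass_access,
    "ftk_imager_execution": rule_ftk_imager,
}


def hunt(events: List[Event]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) match, preserving event order."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append({
                    "host": ev.get("host", "?"),
                    "rule": name,
                    "image": ev.get("image") or ev.get("source_image", ""),
                })
    return findings


# Constructed sample telemetry; hostnames and paths are invented for illustration.
SAMPLE_EVENTS: List[Event] = [
    {"event": "process_create", "host": "WS01",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey64.exe",
     "command_line": r'"AutoHotkey64.exe" C:\Users\jdoe\Downloads\repair.ahk'},
    {"event": "process_create", "host": "WS01",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"msedge.exe" --headless --load-extension=C:\Users\jdoe\AppData\Local\Temp\ext'},
    {"event": "process_create", "host": "WS01",   # benign, normal user launch
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"msedge.exe" --profile-directory=Default'},
    {"event": "process_access", "host": "WS01",
     "source_image": r"C:\Windows\System32\Taskmgr.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"event": "process_create", "host": "BACKUP01",
     "image": r"C:\Users\admin\Downloads\FTK Imager\FTK Imager.exe",
     "command_line": r'"FTK Imager.exe"'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} <- {f['image']}")
```

Each rule keys on a behaviour rather than on a hash or domain, so it survives the actor swapping S3 buckets or renaming the extension. The SNOWBASIN listener on ports 8000, 8001, or 8002 is deliberately not a rule on its own: those ports are common for local development servers, and a bare port match would be noisy; correlate a listener there with one of the findings above on the same host instead.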
“The UNC6692 campaign demonstrates an interesting evolution in tactics, specifically the use of social engineering, custom malware, and a malicious browser extension that builds on the victim’s implicit trust in several different enterprise software providers,” the tech giant said.
“A key element of this strategy is the systematic misuse of legitimate cloud services for payload delivery and exfiltration and command-and-control (C2) infrastructure. By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and mix with high volumes of legitimate cloud traffic.”
The disclosure comes as Cato Networks detailed a voice phishing-based campaign that leverages similar help desk impersonations on Microsoft Teams to guide victims into executing a WebSocket-based Trojan called PhantomBackdoor via an obfuscated PowerShell script obtained from an external server.
The cybersecurity company said, “This incident shows how help desk impersonation delivered through a Microsoft Teams meeting can replace traditional phishing and still lead to the same outcome: staged PowerShell execution followed by a WebSocket backdoor.”
“Defenders should treat collaboration tools as first-class attack surfaces by implementing help desk verification workflows, tightening external Teams and screen-sharing controls, and hardening PowerShell.”