
A previously undocumented cluster of threat activity known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy custom malware suites on compromised hosts.
“Like many other intrusions in recent years, UNC6692 relied heavily on impersonating IT help desk employees to persuade victims to accept Microsoft Teams chat invitations from accounts outside their organization,” Mandiant, a Google company, said in a report released today.
The UNC6692 attack chain is believed to begin with a large-scale email bombing campaign that floods the target’s inbox with spam and creates a false sense of urgency. The threat actor then approaches the target via Microsoft Teams, posing as the IT support team and offering assistance with the email bomb problem.
It is worth noting that the combination of attacks on victims’ email inboxes followed by impersonation of Microsoft Teams-based help desks is a tactic that has been employed by former Black Basta affiliates for years. Although the group stopped its ransomware operations early last year, its strategy shows no signs of slowing down.
ReliaQuest revealed in a report published last week that this approach is being used to target executives and senior-level employees for initial access to corporate networks for potential data theft, lateral movement, ransomware deployment, and extortion. In some cases, chats started just 29 seconds apart.
The purpose of the conversation is to trick the victim into installing a legitimate remote monitoring and management (RMM) tool, such as Quick Assist or Supremo Remote Desktop, and granting the attacker access to it; the tool is then weaponized to drop additional payloads.
“From March 1 to April 1, 2026, 77% of observed incidents targeted senior-level employees, up from 59% in the first two months of 2026,” said ReliaQuest researchers John Dilgen and Alexa Femminella. “This activity shows that a threat group’s most effective tactics can outlive the group itself.”
The attack chain detailed by Mandiant, on the other hand, deviates from this approach by instructing victims to click on a phishing link shared via Teams chat to install a supposed local patch that fixes the spam issue. When clicked, an AutoHotkey script is downloaded from an AWS S3 bucket controlled by the threat actor. The phishing page is titled “Mailbox Repair and Sync Utility v2.1.5.”
This script is designed to install the malicious Chromium-based browser extension SNOWBELT in the Edge browser: it performs initial reconnaissance and then launches Edge in headless mode with the “--load-extension” command-line switch.
Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley and Muhammad Umair said: “The attackers used gatekeeper scripts designed to ensure payloads were delivered only to their intended targets, while bypassing automated security sandboxes.”

“The script also checks the victim’s browser. If the user is not using Microsoft Edge, the page displays a persistent overlay warning. UNC6692 used the SNOWBELT extension to download additional files, including SNOWGLAZE, SNOWBASIN, AutoHotkey scripts, and a ZIP archive containing a portable Python executable and required libraries.”
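The headless Edge launch with “--load-extension” described above is a concrete detection opportunity. The following is an added example, not code from the Mandiant report, that scores constructed Sysmon-style process-creation events (the Image, ParentImage and CommandLine fields are assumed) for a Chromium browser sideloading an unpacked extension, weighting headless launches, script-interpreter parents and extension paths under the user’s temp directory.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
# These records are made up for illustration, not logs from the Mandiant report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey64.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --load-extension="C:\Users\alice\AppData\Local\Temp\ext" https://example.invalid/'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\bob\dev\node.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --load-extension=C:\dev\myext --user-data-dir=C:\tmp'},
]

BROWSERS = ("msedge.exe", "chrome.exe", "brave.exe", "chromium.exe")
# Parent process names (prefix match) that indicate a script, not a user, started the browser.
SCRIPT_PARENTS = ("autohotkey", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe")


def analyze_event(ev):
    """Return a finding dict for a browser sideloading an extension, else None."""
    image = ev["Image"].lower().rsplit("\\", 1)[-1]
    if image not in BROWSERS:
        return None
    cmd = ev["CommandLine"]
    m = re.search(r'--load-extension(?:=|\s+)"?([^"\s]+)', cmd, re.IGNORECASE)
    if not m:
        return None
    ext_path = m.group(1)
    reasons = ["--load-extension sideloads an unpacked extension that bypasses the store"]
    score = 1
    if re.search(r"--headless", cmd, re.IGNORECASE):
        reasons.append("headless launch: no window for the user to notice")
        score += 1
    parent = ev["ParentImage"].lower().rsplit("\\", 1)[-1]
    if any(parent.startswith(p) for p in SCRIPT_PARENTS):
        reasons.append(f"parent {parent} is a script interpreter")
        score += 1
    if re.search(r"\\appdata\\local\\temp\\", ext_path, re.IGNORECASE):
        reasons.append("extension loaded from the user temp directory")
        score += 1
    return {"browser": image, "extension": ext_path, "score": score, "reasons": reasons}


def scan(events):
    """Run analyze_event over a list of events and keep only the hits."""
    return [f for f in (analyze_event(e) for e in events) if f]
```

The first constructed event (AutoHotkey parent, headless Edge, extension in Temp) scores 4, the developer-style Chrome launch scores 2, and a normal Edge start produces no finding.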
The phishing page is also designed to function as a configuration management panel with a prominent “health check” button that, when clicked, ostensibly prompts the user to enter mailbox credentials for authentication purposes, but is actually used to collect and exfiltrate data to another Amazon S3 bucket.
The SNOW malware ecosystem is a modular toolkit that works together to accomplish the attacker’s objectives. SNOWBELT is a JavaScript-based backdoor that receives commands and relays them to SNOWBASIN for execution, while SNOWGLAZE is a Python-based tunneler that creates a secure authenticated WebSocket tunnel between the victim’s internal network and the attacker’s command and control (C2) server.
The third component is SNOWBASIN, which acts as a persistent backdoor and allows remote command execution via ‘cmd.exe’ or ‘powershell.exe’, screenshot capture, file upload/download, and self-termination. It runs as a local HTTP server on port 8000, 8001, or 8002.
Some of the other post-exploitation actions performed by UNC6692 after gaining initial access are:
- Using a Python script to scan ports 135, 445, and 3389 on the local network in preparation for lateral movement.
- Establishing a PsExec session to the victim system through the SNOWGLAZE tunneling utility, and initiating an RDP session through the SNOWGLAZE tunnel from the victim system to the backup server.
- Using the local administrator account to dump the LSASS process memory via Windows Task Manager and escalate privileges.
- Using the Pass-the-Hash technique with the elevated user’s password hash to move laterally to a domain controller in the network.
- Downloading and running FTK Imager to capture sensitive data (such as Active Directory database files), writing it to the \Downloads folder, and exfiltrating it with the LimeWire file upload tool.
“The UNC6692 campaign shows an interesting evolution in tactics, particularly the use of social engineering, custom malware, and malicious browser extensions, which take advantage of victims’ inherent trust in multiple different enterprise software providers,” the tech giant said.
“A key element of this strategy is the systematic exploitation of legitimate cloud services for payload delivery and exfiltration and command-and-control (C2) infrastructure. By hosting malicious components on trusted cloud platforms, attackers are often able to bypass traditional network reputation filters and blend in with large volumes of legitimate cloud traffic.”
The disclosure comes as Cato Networks details a voice phishing-based campaign on Microsoft Teams that leverages a similar help desk impersonation to lure victims into running a WebSocket-based Trojan called PhantomBackdoor via an obfuscated PowerShell script retrieved from an external server.

“This incident shows that help desk impersonation delivered through a Microsoft Teams meeting can replace traditional phishing and still result in the same outcome: staged PowerShell execution and subsequent WebSocket backdoor,” the cybersecurity firm said.
“Defenders must treat collaboration tools as a first-class attack surface by enhancing help desk validation workflows, increasing controls for screen sharing with external teams, and hardening PowerShell.”
