A previously unknown threat group, tracked as UNC6692, has been observed impersonating helpdesk staff over Microsoft Teams as the entry point for credential and data theft. The activity was reported by Google’s Threat Intelligence Group (GTIG), which observed a large email-bombing campaign against organizations in late December 2025.
Attack Methodology
The attack begins with a flood of unsolicited emails to the target, manufacturing a sense of urgency. The attackers then contact the victim through Microsoft Teams, posing as helpdesk staff offering to fix the email problem, and direct the victim to a link that supposedly installs a local patch to stop the spam.
The link opens a fraudulent landing page styled as a “Mailbox Repair Utility.” Its “Health Check” button prompts the user for their email credentials. The credential-harvesting script uses the “double-entry” trick: it rejects the first two password entries as incorrect. Being forced to retype the password makes the fake utility feel like a real login, and it gives the attacker several copies of the password to confirm it was captured accurately.
Malware Deployment
Once credentials are entered, the phishing page conducts a fake mailbox integrity check while simultaneously exfiltrating credentials and metadata to an attacker-controlled Amazon S3 bucket. The attacker’s payload includes a series of staged files that are downloaded onto the victim’s machine.
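Because the credentials and host metadata leave the victim's machine as uploads to an attacker-controlled S3 bucket, a useful detection is to scan outbound proxy logs for POST or PUT requests to S3 endpoints that are not buckets the organisation owns. The following is an added example, not code from the article or from GTIG; it assumes a constructed log format of `<timestamp> <src_ip> <method> <url> <status> <bytes_out>` and a bucket allowlist (`ALLOWED_BUCKETS`) that you would replace with your own.

```python
import re
from urllib.parse import urlsplit

# Added example (not from the article or GTIG). Flags uploads to S3 buckets
# outside an allowlist, the shape of the exfiltration described above.
# Assumptions: constructed log format
#   "<timestamp> <src_ip> <method> <url> <status> <bytes_out>"
# and ALLOWED_BUCKETS populated with the buckets your organisation uses.

ALLOWED_BUCKETS = {"corp-backups-prod"}   # assumption: your known buckets
UPLOAD_METHODS = {"POST", "PUT"}

# Matches virtual-hosted (bucket.s3[.region].amazonaws.com), path-style
# (s3[.region].amazonaws.com/bucket/...) and legacy s3-region endpoints.
S3_HOST = re.compile(
    r"^(?:(?P<bucket>[a-z0-9.-]+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def s3_bucket(url):
    """Return the bucket a URL targets, or None if it is not an S3 URL."""
    parts = urlsplit(url)
    m = S3_HOST.match((parts.hostname or "").lower())
    if not m:
        return None
    if m.group("bucket"):                      # virtual-hosted style
        return m.group("bucket")
    first = parts.path.lstrip("/").split("/", 1)[0]   # path style
    return first or None


def parse_line(line):
    """Parse one line of the constructed proxy log format; None if malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src, method, url, status, out = fields
    return {"ts": ts, "src": src, "method": method.upper(), "url": url,
            "status": status, "bytes_out": int(out)}


def find_s3_uploads(lines, allowed=ALLOWED_BUCKETS):
    """Return one record per upload to an S3 bucket that is not allowlisted."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] not in UPLOAD_METHODS:
            continue
        bucket = s3_bucket(rec["url"])
        if bucket and bucket not in allowed:
            hits.append({**rec, "bucket": bucket})
    return hits


# Constructed sample log lines (not real traffic); the third and fifth lines
# are uploads to buckets the organisation does not own.
SAMPLE_LOG = """\
2025-12-29T10:14:02Z 10.1.2.3 GET https://corp-backups-prod.s3.amazonaws.com/reports/q4.zip 200 410
2025-12-29T10:14:09Z 10.1.2.3 POST https://teams.microsoft.com/api/chatsvc/v1/users/ME/conversations 200 2210
2025-12-29T10:15:31Z 10.1.2.3 POST https://s3.us-east-1.amazonaws.com/mbx-repair-collect/10.1.2.3/creds.json 200 1834
2025-12-29T10:15:40Z 10.1.2.3 PUT https://corp-backups-prod.s3.amazonaws.com/reports/q4.zip 200 980211
2025-12-29T10:16:02Z 10.1.2.3 PUT https://host-meta-drop.s3.eu-west-1.amazonaws.com/10.1.2.3/sysinfo.txt 200 6120
""".splitlines()


if __name__ == "__main__":
    for h in find_s3_uploads(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} {h['method']} bucket={h['bucket']} "
              f"bytes_out={h['bytes_out']} {h['url']}")
```

The allowlist is the important design choice: S3 traffic is too common to alert on wholesale, but an upload from a workstation to a bucket nobody in the organisation recognises, shortly after a Teams conversation with "helpdesk", is worth a look.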
The initial stage downloads an AutoHotkey binary and script, which perform reconnaissance and install a malicious Chromium browser extension tracked as SnowBelt. The extension is not distributed through the Chrome Web Store; the victim is talked into installing it from outside the store as part of the same social-engineering exchange.
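An extension installed outside the Chrome Web Store leaves a distinctive record in the browser profile, so a quick way to hunt for this stage is to audit each profile's extension settings for installs that did not come from the store. The following is an added example, not code from the article or from GTIG. It assumes that per-extension records live under `extensions.settings` in the profile's `Preferences` (and, on Windows, `Secure Preferences`) JSON file, that each record carries `from_webstore`, `location`, `path` and an embedded `manifest`, and that the `location` values follow Chromium's `ManifestLocation` enum; verify those values against the Chromium version you are auditing. The sample data is constructed.

```python
import json
from pathlib import Path

# Added example (not from the article or GTIG). Flags Chromium extensions
# whose install record says they did not come from the Chrome Web Store,
# which is how a sideloaded extension like the one described above shows up.
# Assumptions: records live under extensions.settings in the profile's
# "Preferences" / "Secure Preferences" JSON; "location" values follow
# Chromium's ManifestLocation enum (check against your browser version).

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
LOCATION_NAMES = {
    1: "internal",
    2: "external_pref",
    3: "external_registry",
    4: "unpacked (developer-mode 'Load unpacked')",
    5: "component",
    6: "external_pref_download",
    7: "external_policy_download",
    8: "command_line (--load-extension)",
    9: "external_policy",
    10: "external_component",
}
BUILTIN_LOCATIONS = {5, 10}   # shipped with the browser, not an install event


def load_profile_prefs(profile_dir):
    """Merge extension settings from Preferences and Secure Preferences."""
    merged = {"extensions": {"settings": {}}}
    for name in ("Preferences", "Secure Preferences"):
        p = Path(profile_dir) / name
        if p.is_file():
            data = json.loads(p.read_text(encoding="utf-8"))
            merged["extensions"]["settings"].update(
                data.get("extensions", {}).get("settings", {}))
    return merged


def audit_extensions(prefs):
    """Return a finding for every non-built-in extension not installed from the Web Store."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        loc = entry.get("location")
        if loc in BUILTIN_LOCATIONS:
            continue
        manifest = entry.get("manifest", {})
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("from_webstore is false")
        if loc in (4, 8):
            reasons.append(f"location={loc} ({LOCATION_NAMES[loc]})")
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("update_url is not the Web Store endpoint")
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "version": manifest.get("version", "?"),
                "path": entry.get("path"),
                "reasons": reasons,
            })
    return findings


# Constructed sample of the extensions.settings structure (not real data).
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {   # ordinary Web Store install
        "from_webstore": True, "location": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.4.2_0",
        "manifest": {"name": "Password Manager", "version": "1.4.2",
                     "update_url": WEBSTORE_UPDATE_URL},
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {   # loaded unpacked from disk
        "from_webstore": False, "location": 4,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\mbx\\ext",
        "manifest": {"name": "Mailbox Health Check", "version": "0.1"},
    },
    "cccccccccccccccccccccccccccccccc": {   # built-in component, skipped
        "from_webstore": False, "location": 5,
        "manifest": {"name": "Chrome PDF Viewer", "version": "1"},
    },
}}}


def main(profile_dir=None):
    prefs = load_profile_prefs(profile_dir) if profile_dir else SAMPLE_PREFS
    for f in audit_extensions(prefs):
        print(f"{f['id']}  {f['name']} {f['version']}  path={f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with a profile directory (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows) to audit a real machine, or with no argument to see the sample output. An absolute `path` outside the profile directory, as in the second sample record, is itself a strong hint that the extension was loaded unpacked rather than installed from the store.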
Components of the Snow Malware Ecosystem
The Snow malware operates as a modular ecosystem, comprising three main components: SnowBelt, SnowGlaze, and SnowBasin. SnowBelt functions as a backdoor, maintaining persistence through the browser’s extension system. SnowGlaze acts as a tunneler, facilitating communication between the victim’s network and the attacker’s command-and-control infrastructure, while SnowBasin serves as a bindshell, allowing remote command execution and data exfiltration.
Context and Implications
Google’s analysis indicates that while this campaign shares similarities with other cybercrime operations, such as those conducted by ShinyHunters and Scattered Lapsus$ Hunters, there is no direct overlap with these groups. This incident underscores the growing trend of cybercriminals employing sophisticated social engineering tactics alongside legitimate cloud services to infiltrate organizational IT environments.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.