UNC6692 uses Teams helpdesk scam to deploy SNOW malware

UNC6692 impersonated IT helpdesk on Microsoft Teams, sharing a ‘Mailbox Repair’ link that installed a fake utility and deployed SNOW malware components including SNOWBELT, SNOWGLAZE and SNOWBASIN.

Cyber threat cluster UNC6692 used Microsoft Teams messages that impersonated IT helpdesk staff to push a fake “Mailbox Repair and Sync Utility v2.1.5,” then delivered a modular SNOW malware suite to corporate machines, Mandiant reported. The operation began with an email flooding campaign to create urgency before attackers followed up with cross-tenant Teams chats offering help.

The Teams message included a link to a phishing page that downloaded an AutoHotkey script from an attacker-controlled AWS S3 bucket. Mandiant described the script as a gatekeeper that performed initial reconnaissance, checked the victim’s browser and hindered execution in automated sandboxes. If Microsoft Edge was present, the script launched Edge in headless mode with the `--load-extension` flag to install a malicious Chromium extension called SNOWBELT. The phishing page also displayed a configuration panel with a “Health Check” button that prompted for mailbox credentials, which were captured and exfiltrated to another S3 bucket.
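The headless Edge launch with `--load-extension` is the most visible host-side artifact of the initial access stage. As an added illustration, not code from the Mandiant report or this article, the following Python triage routine runs over constructed process-creation records (Sysmon Event ID 1 style, invented for this example) and flags Edge launches that pair `--load-extension` with a headless flag, a user-writable extension directory, or a script-host parent such as AutoHotkey.

```python
import re

# Constructed process-creation records for this example (not telemetry from the report).
SAMPLE_EVENTS = [
    {"id": 1, "parent": "AutoHotkey64.exe",
     "cmdline": 'msedge.exe --headless=new --load-extension="C:\\Users\\jdoe\\AppData\\Local\\Temp\\mrs\\ext" --no-first-run'},
    {"id": 2, "parent": "explorer.exe",
     "cmdline": "msedge.exe --profile-directory=Default https://outlook.office.com"},
    {"id": 3, "parent": "node.exe",
     "cmdline": "msedge.exe --headless --remote-debugging-port=9222 https://intranet.example"},
    {"id": 4, "parent": "devenv.exe",
     "cmdline": "msedge.exe --load-extension=C:\\src\\myext --user-data-dir=C:\\tmp\\profile"},
]

# --headless, --headless=new, --headless=old; must be a whole argument, not a substring.
HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S*)?(?=\s|$)", re.I)
# Extension directory, quoted or unquoted.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.I)
# Staging locations a non-admin user can write to (assumed list; extend for your estate).
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Downloads|ProgramData|Users\\Public)\\", re.I)
# Script interpreters that should not normally spawn a browser (assumed list).
SCRIPT_HOSTS = {"autohotkey.exe", "autohotkey64.exe", "autohotkeyu64.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}


def assess_edge_launch(event):
    """Return the indicators found on one Edge launch; empty list if --load-extension is absent."""
    cmd = event["cmdline"]
    ext = LOAD_EXT_RE.search(cmd)
    if not ext:
        return []
    path = ext.group(1) or ext.group(2)
    reasons = [f"--load-extension={path}"]
    if HEADLESS_RE.search(cmd):
        reasons.append("headless launch (no visible browser window)")
    if USER_WRITABLE_RE.search(path):
        reasons.append("extension directory under a user-writable staging path")
    if event["parent"].lower() in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {event['parent']}")
    return reasons


def triage(events):
    """Map event id -> reasons for launches that combine --load-extension with a second indicator."""
    return {ev["id"]: r for ev in events if len(r := assess_edge_launch(ev)) >= 2}


if __name__ == "__main__":
    for eid, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {eid}: " + "; ".join(reasons))
```

A developer loading an unpacked extension from a source tree (event 4) carries only the single indicator and is left out, so the rule alerts on the combination rather than on the flag alone.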

The SNOW toolkit is modular. SNOWBELT is a JavaScript backdoor that accepts commands and forwards execution to SNOWBASIN. SNOWGLAZE is a Python tunneler that creates an authenticated WebSocket tunnel from inside the victim network to the attacker’s command-and-control server. SNOWBASIN runs as a persistent backdoor that can execute commands via cmd.exe or powershell.exe, capture screenshots, transfer files and self-terminate while hosting a local HTTP server on ports 8000 through 8002.

Post-compromise steps observed by the investigators included running a Python script to scan local systems for ports 135, 445 and 3389 to identify lateral movement paths, creating PsExec sessions over the SNOWGLAZE tunnel and initiating RDP connections through that tunnel. Attackers used local administrator accounts to dump LSASS memory via Task Manager for credential escalation, applied Pass-the-Hash techniques to access domain controllers, ran FTK Imager to capture files such as the Active Directory database, and staged data exfiltration using tools including LimeWire. Mandiant also reported additional artifacts delivered by SNOWBELT, including AutoHotkey scripts and a ZIP archive containing a portable Python executable and supporting libraries.

Mandiant highlighted the use of legitimate cloud and enterprise services for payload hosting, command-and-control and data exfiltration, enabling malicious traffic to blend with normal cloud activity. Cato Networks observed a related voice-phishing approach that used Teams meeting impersonation to prompt victims to run an obfuscated PowerShell script that deployed a WebSocket-based backdoor. Microsoft has warned that cross-tenant Teams communications can be used to deliver remote support tools such as Quick Assist to obtain interactive control and enable credential-backed lateral movement using native administrative protocols and commercial remote management software.

ReliaQuest reported that the pattern of inbox flooding followed by helpdesk impersonation is increasingly aimed at senior executives; between March 1 and April 1, 2026, 77% of observed incidents targeted senior-level employees, up from 59% in January and February 2026.

Security firms recommend that organizations treat collaboration platforms as attack surfaces, verify external help-desk requests, limit external communications and screen sharing, and restrict PowerShell and remote-assistance workflows to reduce the risk of similar intrusions.
