Breach Alert: Cybercriminal Poses as IT Helpdesk on Microsoft Teams to Spread SNOW Malware
UNC6692: New Threat Leveraging Social Engineering via Microsoft Teams
Mandiant has identified a previously untracked threat group, UNC6692, that uses social engineering over Microsoft Teams to deliver a custom malware suite to compromised devices.
According to Mandiant's report, UNC6692 impersonates IT helpdesk staff to get victims to accept Microsoft Teams chat invitations from external accounts. Once the invitation is accepted, the attacker can contact the victim directly under the pretext of helping with an email bombing problem.
The sequence is deliberate: the actor first floods the target's inbox with a large volume of spam to create a sense of urgency, then reaches out on Teams posing as the internal support team offering to fix the spam problem. The inbox flood is what makes the unsolicited "IT" contact look plausible.
Although Black Basta affiliates stopped their ransomware operations last year, UNC6692 has adopted the same playbook of email bombing followed by Teams-based help desk impersonation.
Recent ReliaQuest reporting shows the same tactic being used against senior executives to obtain initial access to corporate networks, with data theft, lateral movement, ransomware deployment, and extortion as the end goals.
ReliaQuest observed a marked increase in incidents targeting senior-level employees between March 1 and April 1, 2026, showing that a tactic that works keeps being reused long after the group that popularized it has gone quiet.
Unlike earlier help-desk impersonation campaigns, which talked the victim into granting remote access, the chain Mandiant documents has the attacker share a phishing link in the Teams chat and instruct the victim to install a "local patch" for the spam problem. The link downloads a malicious AutoHotkey script from an attacker-controlled AWS S3 bucket, presented as a "Mailbox Repair and Sync Utility v2.1.5."
The script performs initial reconnaissance and installs SNOWBELT, a malicious Chromium browser extension, into the victim's Microsoft Edge profile. The extension gives the actor hands-on-keyboard access to the compromised system and a channel for delivering additional payloads.
The phishing page fingerprints the victim's browser and shows a persistent overlay warning if the victim is not using Microsoft Edge, since the extension only works there. The same page serves the remaining components: SNOWGLAZE, SNOWBASIN, further AutoHotkey scripts, and an archive containing a Python executable and its libraries.
The SNOW malware suite has three components that work together. SNOWBELT is a JavaScript-based backdoor running in the browser that relays the attacker's commands to SNOWBASIN for execution, and SNOWGLAZE is a Python-based tunneler that establishes a WebSocket connection between the victim's network and the attacker's command-and-control server.
SNOWBASIN is the persistent backdoor on the host. It runs as a local HTTP server on specific ports, which is how the browser extension reaches it, and supports remote command execution, screenshot capture, file upload and download, and self-termination.
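Because SNOWBELT lives in the Edge profile rather than on disk as an executable, a useful triage step is to inventory Edge extensions directly from the Chromium preferences files and flag anything that did not come from the add-ons store or that holds permissions a command relay would need. The PowerShell below is an added example, not code from the Mandiant report or the malware; the mapping of Chromium `location` codes is from the Chromium source, while the "non-store" heuristic and the permission list are assumptions to tune for your environment. The JSON it runs against is a constructed sample, not real telemetry.

```powershell
# Inventory Microsoft Edge extensions from Chromium "Preferences" / "Secure Preferences" files.
# On Windows, extension settings normally live under:
#   $env:LOCALAPPDATA\Microsoft\Edge\User Data\<Profile>\Secure Preferences
function Get-EdgeExtensionInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $PreferencesPath
    )

    # Chromium ManifestLocation enum values (extensions/common/mojom/manifest.mojom).
    $locationNames = @{
        1 = 'Internal (store/CRX)'; 2 = 'ExternalPref'; 3 = 'ExternalRegistry'
        4 = 'Unpacked'; 5 = 'Component'; 6 = 'ExternalPrefDownload'
        7 = 'ExternalPolicyDownload'; 8 = 'CommandLine'; 9 = 'ExternalPolicy'
        10 = 'ExternalComponent'
    }
    # Assumption: these permissions are what a browser-resident backdoor that talks to a
    # local HTTP service and proxies commands would most likely request.
    $riskyPermissions = @('nativeMessaging', 'webRequest', 'debugger', 'tabs', 'scripting', '<all_urls>')

    foreach ($path in $PreferencesPath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $prefs = Get-Content -Raw -LiteralPath $path | ConvertFrom-Json
        $settings = $prefs.extensions.settings
        if (-not $settings) { continue }

        foreach ($prop in $settings.PSObject.Properties) {
            $ext   = $prop.Value
            $loc   = [int]$ext.location
            $perms = @()
            if ($ext.manifest.permissions)      { $perms += $ext.manifest.permissions }
            if ($ext.manifest.host_permissions) { $perms += $ext.manifest.host_permissions }

            [pscustomobject]@{
                Profile         = Split-Path (Split-Path $path -Parent) -Leaf
                Id              = $prop.Name
                Name            = $ext.manifest.name
                Version         = $ext.manifest.version
                Location        = $locationNames[$loc]
                FromStore       = [bool]$ext.from_webstore
                # Heuristic: anything not marked as a store install and not a built-in component.
                NonStoreInstall = (-not [bool]$ext.from_webstore) -and ($loc -ne 5)
                RiskyPerms      = ($perms | Where-Object { $_ -in $riskyPermissions }) -join ','
                Path            = $ext.path
            }
        }
    }
}

# Constructed sample: one store-installed extension and one loaded unpacked from a temp folder.
$sample = @'
{ "extensions": { "settings": {
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": { "from_webstore": true, "location": 1, "state": 1,
     "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
     "manifest": { "name": "Store Extension", "version": "1.0", "permissions": ["storage"] } },
  "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": { "location": 4, "state": 1,
     "path": "C:\\Users\\user\\AppData\\Local\\Temp\\ext",
     "manifest": { "name": "Constructed Sideloaded Extension", "version": "0.1",
                   "permissions": ["nativeMessaging", "webRequest", "tabs"],
                   "host_permissions": ["<all_urls>", "http://127.0.0.1/*"] } }
}}}
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'Secure Preferences'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8

# Only the unpacked extension should be listed, with its nativeMessaging/webRequest/tabs/<all_urls> grants.
Get-EdgeExtensionInventory -PreferencesPath $tmp |
    Where-Object NonStoreInstall |
    Format-Table Id, Name, Location, RiskyPerms, Path
```

On a real host, pass every profile's `Preferences` and `Secure Preferences` file (for example via `Get-ChildItem "$env:LOCALAPPDATA\Microsoft\Edge\User Data" -Recurse -Include 'Secure Preferences','Preferences'`) and review anything flagged alongside the loopback listeners on the machine, since SNOWBASIN is described as a local HTTP server.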
After gaining initial access, UNC6692 moves on to post-exploitation: scanning the local network for lateral movement targets, using privileged accounts to collect and exfiltrate data, and traversing the network with techniques such as Pass-the-Hash.
UNC6692's tradecraft shows how much modern intrusions rely on social engineering, custom malware, and malicious browser extensions. By borrowing the trust users place in enterprise collaboration platforms, the actor gets past controls that focus on email and executables and operates quietly inside the browser and the cloud tooling the organization already uses.
Separately, Cato Networks has described a voice phishing campaign that also uses Microsoft Teams for help desk impersonation, in that case to deliver a WebSocket-based trojan named PhantomBackdoor through PowerShell scripts.
Defenders should treat collaboration tools as an initial-access vector in their own right: enforce an out-of-band verification process for anyone claiming to be IT support, restrict external (federated and consumer) access in Teams, and lock down PowerShell logging and execution so that stagers delivered over chat leave evidence.
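The two technical controls named above can be applied with the Teams PowerShell module and a few registry policies. The snippet below is an added example, not guidance from Mandiant, ReliaQuest, or Cato; the partner domains are placeholders, it assumes the MicrosoftTeams module and a Teams administrator role for the tenant part, and the endpoint part must run elevated.

```powershell
# --- Tenant side: replace open federation with an explicit allow list -----------------
Connect-MicrosoftTeams

# Record the current state before changing anything.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                ExternalAccessWithTrialTenants, AllowedDomains

# Placeholder partner domains: substitute the organizations your staff genuinely chat with.
$partnerPatterns = @('partner-one.example', 'partner-two.example') |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $partnerPatterns

# Keep federation on, but only for the allow-listed domains; an unknown tenant can then no
# longer start a chat that lands in an employee's Teams client.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# Personal (consumer) Teams accounts and newly created trial tenants are the cheapest
# identities for an attacker to obtain, so block them outright.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants 'Blocked'

# --- Endpoint side (run elevated): make PowerShell record what it executes ---------------
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging writes the de-obfuscated content of every script block to
# Microsoft-Windows-PowerShell/Operational as event ID 4104.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging (event ID 4103) captures pipeline execution details for all modules.
New-Item -Path "$base\ModuleLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# Transcription keeps a plain-text record of interactive sessions and scripts.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'
```

The allow list only stops chats from tenants you have not vetted; it does not stop a compromised partner tenant, so the verification process for "IT support" contacts still has to exist. The logging policies are normally pushed by Group Policy or Intune rather than set by hand, but the registry values are the same.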