UNC6692 Impersonates IT Help Desk via Microsoft Teams to Deploy Snow Malware
A newly tracked threat cluster, UNC6692, is using social-engineering-driven Microsoft Teams chats to pose as IT support, tricking employees into installing a custom modular malware toolkit called SNOW. The campaign signals a shift from email-only phishing to "chat-based intrusion."
MOUNTAIN VIEW, CALIFORNIA — A sophisticated new threat cluster, identified by the Google Threat Intelligence Group (GTIG) as UNC6692, is weaponizing the high-trust environment of Microsoft Teams to execute deep-network intrusions. Moving beyond traditional email-only phishing, these human-operated attacks use real-time chat interactions to deploy a previously undocumented modular malware family dubbed SNOW.
The campaign specifically targets high-value individuals, with reports from The Hacker News indicating that approximately 77% of identified targets between March and April 2026 held senior-level positions. By compromising these "big fish," UNC6692 gains the credentials and lateral movement opportunities necessary for large-scale data exfiltration.
This operation serves as a concrete, weaponized example of the broader trend Microsoft recently warned of in our previous coverage regarding sharp rises in Teams-based helpdesk impersonation. While the delivery mechanism remains the same, UNC6692 has introduced a custom-built malware suite called SNOW to escalate the threat from simple credential theft to full-scale network compromise.
The Attack Chain: From Email Bombing to Teams Chat
The intrusion begins with a disruptive "email bombing" phase, where the target’s inbox is flooded with thousands of spam messages. This creates a state of urgency and distraction, perfectly setting the stage for the "fix."
Shortly after the flood begins, the attacker reaches out via a Microsoft Teams cross-tenant chat, posing as a member of the corporate IT help desk. The "technician" offers to resolve the spam issue and guides the user to a malicious link. This represents a significant evolution in the Teams-based help desk impersonation trend we have tracked throughout early 2026.
Once the user clicks the link, the technical execution begins:
- AutoHotkey Dropper: The link delivers a dropper that runs AutoHotkey scripts. Because AutoHotkey is a legitimate, signed automation tool, the execution looks like routine scripting rather than a known malware binary, which lets it slip past signature-based antivirus.
- Headless Browser Deployment: The script launches a "headless" instance of Microsoft Edge (running in the background with no visible window).
- SNOWBELT Extension: A malicious Chromium (Chrome/Edge) extension is loaded into this headless instance and serves as the persistent backdoor.
The SNOW Ecosystem: A Modular Toolkit
Unlike one-off droppers, the SNOW family is a cohesive human-operated intrusion toolkit designed for long-term persistence and data theft. According to analysis by SOCPrime and BleepingComputer, the ecosystem consists of three primary components:
- SNOWBELT: A JavaScript-based backdoor that manages the initial foothold.
- SNOWGLAZE: A Python-based tunneling tool that establishes a secure, WebSocket-based C2 channel (often hosted on platforms like Heroku).
- SNOWBASIN: A local HTTP-based controller that executes attacker commands and manages the harvesting of Active Directory database files and LSASS memory.
Exfiltration is equally sophisticated, blending in with legitimate cloud traffic by routing stolen data through AWS S3 buckets and, in some instances, P2P-style file-sharing protocols.
Defender Angle: Securing the Collab Surface
This campaign proves that Microsoft Teams is no longer just a collaboration tool; it is a first-tier attack vector. Organizations must treat Teams chat with the same level of scrutiny as external email.
Recommended Mitigations:
- Restrict External Access: Configure Microsoft Teams to limit or block cross-tenant "External Access" chats, allowing communication only with verified partner domains (in the Teams admin center under Users > External access, or with the Set-CsTenantFederationConfiguration cmdlet in the MicrosoftTeams PowerShell module).
- Behavioral Monitoring: Update EDR (Endpoint Detection and Response) rules to flag unusual AutoHotkey executions and headless browser instances (especially msedge.exe running with the --headless flag, and headless browsers spawned by a script interpreter or loading an unpacked extension).
- Employee Awareness: Train staff to verify "uninvited" help desk chats through a secondary, out-of-band channel (such as a known internal phone extension) before clicking any links.
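The behavioral-monitoring recommendation above is easiest to reason about as concrete rules over process-creation telemetry. The following is an added example, not code from the original article, from GTIG, or from any vendor product: a small Python detector that runs the three checks (AutoHotkey interpreter launched from a browser or user shell, a browser started with `--headless`, and a headless browser whose parent is AutoHotkey or which loads an unpacked extension) over constructed Sysmon-style process events. The event fields, the sample paths and the `snowbelt` folder name are assumptions made up for illustration; they are not indicators published for this campaign.

```python
import re
from dataclasses import dataclass

# Interpreter binaries shipped with AutoHotkey v1 and v2 builds.
AHK_IMAGES = {"autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe",
              "autohotkey32.exe", "autohotkey64.exe"}
BROWSER_IMAGES = {"msedge.exe", "chrome.exe"}
# Parents that imply a click-through or script chain rather than scheduled IT automation.
USER_CHAIN_PARENTS = {"msedge.exe", "chrome.exe", "explorer.exe",
                      "powershell.exe", "cmd.exe", "wscript.exe"}

# Chromium switches: "--headless" or "--headless=new", and unpacked-extension loading.
HEADLESS_RE = re.compile(r"(?<![\w-])--headless(?:=\S+)?(?![\w-])", re.I)
EXT_LOAD_RE = re.compile(r"(?<![\w-])--(?:load-extension|disable-extensions-except)=", re.I)


@dataclass
class Finding:
    rule: str
    severity: str
    pid: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> list:
    """Apply the AutoHotkey and headless-browser rules to one process-creation event."""
    image = basename(ev["image"])
    parent = basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    out = []

    if image in AHK_IMAGES:
        # AutoHotkey itself is legitimate; the parent decides how loud to be.
        sev = "high" if parent in USER_CHAIN_PARENTS else "medium"
        out.append(Finding("ahk_execution", sev, ev["pid"],
                           f"{image} spawned by {parent or '?'}: {cmd}"))

    if image in BROWSER_IMAGES and HEADLESS_RE.search(cmd):
        if parent in AHK_IMAGES:
            sev = "critical"          # script interpreter driving an invisible browser
        elif EXT_LOAD_RE.search(cmd):
            sev = "high"              # headless browser side-loading an extension
        else:
            sev = "medium"            # headless use also has benign cases (PDF/print jobs)
        out.append(Finding("headless_browser", sev, ev["pid"],
                           f"{image} headless, parent {parent or '?'}: {cmd}"))
    return out


def detect(events: list) -> list:
    findings = []
    for ev in events:
        findings.extend(classify(ev))
    return findings


# Constructed sample telemetry (Sysmon Event ID 1 style), not real logs.
SAMPLE_EVENTS = [
    {"pid": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": '"msedge.exe" https://intranet.example'},
    {"pid": 2, "parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey64.exe",
     "command_line": r'"AutoHotkey64.exe" C:\Users\jdoe\AppData\Local\Temp\fix_spam.ahk'},
    {"pid": 3, "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey64.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"msedge.exe" --headless=new --load-extension="C:\Users\jdoe\AppData\Roaming\snowbelt"'},
    {"pid": 4, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "command_line": r'"AutoHotkey.exe" C:\ITTools\nightly_cleanup.ahk'},
    {"pid": 5, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"msedge.exe" --headless --print-to-pdf=C:\Reports\out.pdf https://intranet.example'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] pid={f.pid} {f.rule}: {f.detail}")
```

The severity tiers are the point: a headless Edge alone is noisy (event 5 is a PDF print job), but a headless Edge whose parent is an AutoHotkey interpreter that was itself spawned by a browser (events 2 and 3) is exactly the chain the article describes, and deserves an alert rather than a log line.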
The CyberSignal Analysis: Strategic Signals
Signal 01 — The Professionalization of Chat-Ops
UNC6692 represents the professionalization of "Chat-Ops" for crime. By engaging in real-time dialogue, attackers can handle MFA prompts and user hesitations more effectively than an automated bot ever could.
Signal 02 — Living Off the "Automation" Land
By using AutoHotkey and headless browsers, UNC6692 is effectively "living off the automation land." Both are routinely used by legitimate IT departments (scripted fixes, automated testing, PDF rendering), which makes them near-perfect camouflage for modular malware like SNOW and forces defenders to key on the process chain rather than the tool.
Signal 03 — A Shift in Identity Trust
The "Teams-as-a-Trusted-Environment" assumption is officially dead. In a Zero Trust architecture, identity must be verified regardless of the platform. This campaign will likely force a major re-evaluation of how enterprises handle cross-tenant collaboration.