
UNC6692 Social Engineering Campaign Deploying SNOW Malware Suite

Amber | Attack Report
Summary

The UNC6692 threat actor conducted a sophisticated multistage cyber intrusion campaign leveraging persistent social engineering tactics and deploying a custom modular SNOW malware suite. First observed in late December 2025, the UNC6692 campaign targeted organizations worldwide across Windows and Linux platforms through a coordinated attack involving email bombing, Microsoft Teams impersonation, and credential harvesting. The UNC6692 social engineering campaign employed attackers impersonating IT helpdesk personnel via Microsoft Teams to lure victims into installing the SNOW malware suite, which consists of three primary components: SNOWBELT (browser extension backdoor), SNOWGLAZE (Python tunneler), and SNOWBASIN (Python bindshell).

The UNC6692 attack chain began with email bombing campaigns to create urgency and confusion among targeted victims, followed by fraudulent Microsoft Teams communications directing users to a phishing page hosted on attacker-controlled AWS S3 buckets. This UNC6692 phishing infrastructure harvested credentials through a cleverly designed “double-entry” credential capture mechanism disguised as a “Mailbox Repair and Sync Utility.” Once the SNOW malware suite was deployed, UNC6692 achieved deep network penetration, credential theft, lateral movement via Pass-The-Hash attacks, and data exfiltration through LimeWire and attacker-controlled cloud infrastructure, ultimately compromising Active Directory databases and critical registry hives across targeted organizations worldwide.

Attack Details

Initial Email Bombing and Social Engineering Phase

The UNC6692 campaign began with a simple flood of emails that quickly unfolded into a carefully staged intrusion, blending psychological pressure with technical precision. In late December 2025, UNC6692 launched a large-scale email bombing campaign, overwhelming targets with a surge of messages to induce urgency and confusion. Capitalizing on this chaos, the UNC6692 threat actor followed up via Microsoft Teams, impersonating helpdesk personnel and offering assistance to victims experiencing the email flooding.

UNC6692 victims were guided to install a so-called “local patch” to mitigate the spam, which in reality redirected them to a malicious HTML page hosted on an attacker-controlled AWS S3 bucket. Disguised as a “Mailbox Repair and Sync Utility,” the UNC6692 phishing page enforced specific conditions, such as requiring Microsoft Edge and validating URL parameters, to enhance its credibility. A cleverly designed UNC6692 credential harvesting prompt used a “double-entry” trick, rejecting initial password attempts to simulate user error while ensuring accurate credential capture. Meanwhile, stolen data was quietly exfiltrated via asynchronous PUT requests, masked behind a deceptive progress bar controlled by UNC6692.

SNOWBELT Browser Extension Deployment

Once initial access was secured by UNC6692, the operation shifted into a more technical phase. Victims unknowingly downloaded a renamed AutoHotKey binary along with a malicious script, which executed reconnaissance commands and deployed SNOWBELT, a rogue Chromium-based browser extension posing as “MS Heartbeat” or “System Heartbeat.” Persistence was methodically established by UNC6692 through startup folder shortcuts and scheduled tasks that ensured the SNOWBELT extension ran silently in the background.

SNOWBELT acted as a command relay, bridging communication between the UNC6692 attacker and SNOWBASIN, a Python-based backdoor operating locally. Leveraging techniques such as time-based domain generation algorithms (DGA), AES-GCM encryption, and browser push notifications, the SNOW malware suite maintained resilient and covert command-and-control (C2) communication for UNC6692 operations.

SNOWGLAZE Tunneling and Network Reconnaissance

Building on this foothold, UNC6692 expanded its toolkit by deploying additional payloads, including SNOWGLAZE, SNOWBASIN, and supplementary AutoHotKey scripts, along with a portable Python environment. Internal reconnaissance followed, with UNC6692 scripts scanning for commonly exposed ports such as 135, 445, and 3389. Using SNOWGLAZE, a cross-platform tunneling utility, the UNC6692 attacker established a secure WebSocket-based channel to a cloud-hosted C2 infrastructure, effectively transforming the compromised system into a SOCKS proxy.

This SNOWGLAZE tunnel allowed UNC6692 to route arbitrary TCP traffic discreetly, with data encapsulated in JSON and Base64-encoded to blend in with normal encrypted web traffic. The SNOWGLAZE component of the SNOW malware suite enabled UNC6692 to maintain persistent access while evading network detection mechanisms across targeted organizations.

Lateral Movement and Active Directory Compromise

With internal access deepening, UNC6692 moved laterally across the network. Through the SNOWGLAZE tunnel, the UNC6692 attacker initiated remote sessions using Sysinternals PsExec to enumerate administrative accounts and extend control. Access to a backup server via RDP marked a critical escalation point for UNC6692, where LSASS process memory was dumped using Windows Task Manager and exfiltrated via LimeWire.

Credential material extracted offline enabled UNC6692 Pass-the-Hash attacks, granting access to domain controllers. From there, the UNC6692 threat actor deployed FTK Imager to extract high-value assets, including the Active Directory database (NTDS.dit) and critical registry hives such as SAM, SYSTEM, and SECURITY. These were also exfiltrated through LimeWire by UNC6692, while telemetry indicated targeted screen captures of sensitive operations, suggesting deliberate verification of data theft. The UNC6692 campaign ultimately culminated in a full-scale compromise, with attackers achieving their objective of extensive credential harvesting and Active Directory exfiltration.

Recommendations

Block Attacker-Controlled S3 Buckets

Immediately block all identified attacker-controlled AWS S3 bucket domains at the network perimeter, including service-page-25144-30466-outlook.s3.us-west-2.amazonaws[.]com, cloudfront-021.s3.us-west-2.amazonaws[.]com, and service-page-11369-28315-outlook.s3.us-west-2.amazonaws[.]com. These UNC6692 infrastructure domains were used to host phishing pages and deliver the SNOW malware suite components.

Block SNOWGLAZE C2 WebSocket URL

Add the hard-coded SNOWGLAZE C2 endpoint wss://sad4w7h913-b4a57f9c36eb.herokuapp[.]com/ws to network blocklists and monitor for WebSocket connections to Heroku subdomains exhibiting tunneling behavior. This SNOWGLAZE C2 infrastructure enabled UNC6692 to maintain persistent command-and-control communications and establish SOCKS proxy tunnels across compromised networks.

Restrict External Microsoft Teams Communications

Configure Microsoft Teams to block or flag chat invitations from external tenants, particularly those impersonating IT helpdesk roles, to prevent the social engineering vector used in this UNC6692 campaign. The UNC6692 threat actor leveraged Microsoft Teams impersonation as a critical initial access technique following email bombing operations.

Audit and Control Browser Extension Installations

Enforce policies that prevent the sideloading of Chromium browser extensions outside of official stores. Monitor for extensions installed under non-standard directories such as AppData\Local\Microsoft\Edge\Extension Data\SysEvents. The SNOWBELT browser extension backdoor was a critical component of the UNC6692 SNOW malware suite, providing command relay capabilities between attackers and compromised systems.

Monitor for Scheduled Task Abuse

Establish detection rules for newly created scheduled tasks that invoke Microsoft Edge with the headless flag (--headless=new), --load-extension parameters, or non-standard --user-data-dir paths; these are indicators of the SNOWBELT persistence mechanism deployed by UNC6692.

Detect AutoHotKey Abuse

Alert on AutoHotKey binary execution in non-development environments, particularly when AutoHotKey binaries are renamed or executed from user-writable directories such as Downloads or AppData. UNC6692 leveraged renamed AutoHotKey binaries to deploy reconnaissance scripts and SNOW malware suite components across targeted systems.
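The following detection sketch covers both of the preceding recommendations (scheduled-task abuse of Edge and renamed AutoHotKey binaries). It is an added example, not code from this advisory or from the referenced Google/Mandiant write-up; it assumes Sysmon-style process-creation fields (Image, OriginalFileName, CommandLine), treats only Edge's default profile directory as a standard --user-data-dir, and runs over constructed sample records.

```python
import re
from dataclasses import dataclass

EDGE_FLAGS = ("--headless=new", "--load-extension", "--user-data-dir")  # SNOWBELT task switches
DEFAULT_PROFILE = r"\appdata\local\microsoft\edge\user data"  # Edge's normal profile root (assumption)
USER_WRITABLE = ("\\downloads\\", "\\appdata\\")

@dataclass
class ProcEvent:  # one process-creation record, fields modelled on Sysmon Event ID 1
    image: str          # full path of the launched executable
    original_name: str  # OriginalFileName from the PE version resource
    cmdline: str

def snowbelt_indicators(ev: ProcEvent) -> list[str]:
    """Edge launched with the headless / extension / profile switches named in the advisory."""
    if not ev.image.lower().endswith("msedge.exe"):
        return []
    cmd, hits = ev.cmdline.lower(), []
    for flag in EDGE_FLAGS:
        if flag not in cmd:
            continue
        if flag == "--user-data-dir":
            m = re.search(r'--user-data-dir=(?:"([^"]*)"|(\S+))', cmd)
            path = (m.group(1) or m.group(2)) if m else ""
            if path.rstrip("\\").endswith(DEFAULT_PROFILE):
                continue  # default profile directory: normal Edge behaviour
        hits.append(flag)
    return hits

def autohotkey_indicators(ev: ProcEvent) -> list[str]:
    """AutoHotkey binaries that were renamed or started from user-writable directories."""
    if not ev.original_name.lower().startswith("autohotkey"):
        return []
    image, hits = ev.image.lower(), []
    if not image.rsplit("\\", 1)[-1].startswith("autohotkey"):
        hits.append("renamed-autohotkey")
    if any(d in image for d in USER_WRITABLE):
        hits.append("user-writable-path")
    return hits

SAMPLE_EVENTS = [  # constructed records, not telemetry from the advisory
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "msedge.exe",
              r'msedge.exe --headless=new --load-extension="C:\Users\u\AppData\Local\Microsoft'
              r'\Edge\ExtensionData\SysEvents" --user-data-dir="C:\ProgramData\log"'),
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "msedge.exe",
              r'msedge.exe --user-data-dir="C:\Users\u\AppData\Local\Microsoft\Edge\User Data"'),
    ProcEvent(r"C:\Users\u\Downloads\patch.exe", "AutoHotkey.exe", r"patch.exe fix.ahk"),
]
```

Run `snowbelt_indicators` and `autohotkey_indicators` over each record; the first and third sample events match, the benign Edge launch does not.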

MITRE ATT&CK TTPs

Initial Access

  • T1566: Phishing
    • T1566.002: Spearphishing Link

Execution

  • T1053: Scheduled Task/Job
    • T1053.005: Scheduled Task
  • T1059: Command and Scripting Interpreter
    • T1059.001: PowerShell
    • T1059.003: Windows Command Shell
    • T1059.006: Python
    • T1059.007: JavaScript
    • T1059.010: AutoHotKey & AutoIT
  • T1204: User Execution
    • T1204.001: Malicious Link
    • T1204.002: Malicious File
  • T1559: Inter-Process Communication
  • T1569: System Services
    • T1569.002: Service Execution

Persistence

  • T1176: Software Extensions
    • T1176.001: Browser Extensions
  • T1543: Create or Modify System Process
    • T1543.003: Windows Service
  • T1547: Boot or Logon Autostart Execution
    • T1547.001: Registry Run Keys / Startup Folder
    • T1547.009: Shortcut Modification

Privilege Escalation

  • T1068: Exploitation for Privilege Escalation

Defense Evasion

  • T1027: Obfuscated Files or Information
    • T1027.010: Command Obfuscation
    • T1027.015: Compression
  • T1036: Masquerading
    • T1036.005: Match Legitimate Resource Name or Location
  • T1070: Indicator Removal
    • T1070.004: File Deletion
  • T1112: Modify Registry
  • T1134: Access Token Manipulation
    • T1134.001: Token Impersonation/Theft
  • T1140: Deobfuscate/Decode Files or Information
  • T1202: Indirect Command Execution
  • T1562: Impair Defenses
    • T1562.001: Disable or Modify Tools
  • T1564: Hide Artifacts
    • T1564.001: Hidden Files and Directories
  • T1622: Debugger Evasion

Credential Access

  • T1003: OS Credential Dumping
    • T1003.001: LSASS Memory
    • T1003.002: Security Account Manager
    • T1003.003: NTDS
  • T1110: Brute Force
    • T1110.001: Password Guessing
    • T1110.003: Password Spraying
  • T1552: Unsecured Credentials
    • T1552.001: Credentials In Files

Discovery

  • T1016: System Network Configuration Discovery
  • T1018: Remote System Discovery
  • T1046: Network Service Discovery
  • T1087: Account Discovery
    • T1087.001: Local Account
  • T1007: System Service Discovery
  • T1012: Query Registry
  • T1033: System Owner/User Discovery
  • T1057: Process Discovery
  • T1082: System Information Discovery
  • T1083: File and Directory Discovery
  • T1518: Software Discovery

Lateral Movement

  • T1021: Remote Services
    • T1021.001: Remote Desktop Protocol
    • T1021.002: SMB/Windows Admin Shares

Collection

  • T1005: Data from Local System
  • T1074: Data Staged
  • T1113: Screen Capture
  • T1560: Archive Collected Data
    • T1560.001: Archive via Utility

Exfiltration

  • T1567: Exfiltration Over Web Service
    • T1567.002: Exfiltration to Cloud Storage
  • T1020: Automated Exfiltration

Command and Control

  • T1071: Application Layer Protocol
    • T1071.001: Web Protocols
  • T1090: Proxy
  • T1105: Ingress Tool Transfer
  • T1572: Protocol Tunneling

Resource Development

  • T1608: Stage Capabilities
    • T1608.002: Upload Tool
    • T1608.005: Link Target

Impact

  • T1489: Service Stop

Indicators of Compromise (IoCs)

URLs

  • service-page-25144-30466-outlook[.]s3[.]us-west-2[.]amazonaws[.]com
  • cloudfront-021[.]s3[.]us-west-2[.]amazonaws[.]com
  • service-page-11369-28315-outlook[.]s3[.]us-west-2[.]amazonaws[.]com
  • wss[:]//sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com/ws

SHA256 Hashes


File Paths

  • C:\ProgramData\log
  • C:\Users\<user>\AppData\Local\Microsoft\Edge\ExtensionData\SysEvents\background.js
  • C:\Users\<user>\AppData\Local\Microsoft\Edge\ExtensionData\SysEvents\dream.js
  • C:\Users\<user>\AppData\Local\Microsoft\Edge\ExtensionData\SysEvents\dream.html
  • C:\Users\<user>\AppData\Local\Microsoft\Edge\ExtensionData\SysEvents\helper.html

References

https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware/
