
UNC6692 SNOW malware social-engineering campaign

Summary

Google Cloud / Mandiant describes UNC6692 as a threat cluster that used social engineering to deploy a custom malware ecosystem made up of SNOWBELT, SNOWGLAZE, and SNOWBASIN. The campaign began with high-volume mailbox abuse and Microsoft Teams impersonation, then pushed victims to a fake Microsoft mailbox-repair flow that harvested credentials and staged malware from attacker-controlled AWS S3 buckets.

The durable lesson is that helpdesk-themed collaboration messages can move quickly from credential theft into endpoint footholds, browser-extension persistence, tunneling, local command execution, LSASS dumping, and targeted data access.

Reported chain

Initial access and lure

  • Mandiant says the actor first abused the victim's mailbox by adding a rule that copied every inbound email to the inbox, creating disruptive message volume.
  • The actor then contacted the victim over Microsoft Teams while posing as helpdesk personnel and offering to fix the spam problem.
  • The victim was directed to a fake Microsoft-themed repair page, with examples using attacker-controlled AWS S3 bucket hostnames such as service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com.
  • The landing page enforced targeting conditions before showing anything: it required an email URL parameter and expected the visitor to arrive in Microsoft Edge, and only then presented mailbox-repair buttons and fake progress messages.

Malware staging

  • The page could download a renamed AutoHotKey binary plus an AutoHotKey script with the same base name. When launched without arguments, AutoHotKey loads the script that matches its own executable name from the same directory, so the renamed pair runs the script without any command line.
  • Mandiant was not able to recover the initial AutoHotKey script, but observed execution followed by reconnaissance and installation of SNOWBELT.
  • Credential-entry flows on the fake repair page exfiltrated submitted credentials and metadata to attacker-controlled S3 infrastructure while progress-bar text distracted the victim.

SNOW malware ecosystem

  • SNOWBELT is a JavaScript backdoor implemented as a Chromium browser extension. It was not distributed through the Chrome Web Store and used names such as MS Heartbeat or System Heartbeat.
  • SNOWBELT maintained browser-extension persistence with service-worker alarms and keep-alive tab injection, then relayed actor commands to the local malware stack.
  • SNOWGLAZE is a Python tunneler used to bridge actor traffic into the victim environment.
  • SNOWBASIN is a Python local HTTP bindshell, commonly listening on port 8000, that can run cmd.exe or PowerShell commands, capture screenshots, and stage data for exfiltration.

Follow-on activity

  • Mandiant observed internal port scanning against ports 135, 445, and 3389.
  • The actor used the SNOWGLAZE tunnel to establish Sysinternals PsExec access and enumerate local administrator accounts.
  • After reaching a backup server through RDP, the actor dumped LSASS memory with Windows Task Manager and exfiltrated it via LimeWire for offline credential extraction.

Defender heuristics

Identity and collaboration telemetry

  • Investigate mailbox-rule changes that duplicate or flood inbound messages, especially when followed by Teams helpdesk contact.
  • Alert on external or unusual Teams messages that direct users to mailbox repair, spam-filter update, or local-patch installation pages.
  • Treat Microsoft-themed S3 static-site URLs, especially hostnames containing outlook / service-page patterns, as suspicious unless explicitly owned by the organization.
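The three heuristics above combine naturally into one sequence detection: a rule that duplicates every inbound message, followed by an external Teams contact that uses helpdesk language or links to a Microsoft-themed S3 static site. The following is an added example, not code from the Mandiant report; the event records are constructed, their field names only loosely follow the M365 unified audit log, and the `ORG_BUCKETS` allowlist, lure phrases and 24-hour window are assumptions to tune per environment.

```python
"""Added example, not from the Mandiant report: correlate a mailbox-rule
flood with a follow-on external Teams message that uses helpdesk language
or links to a Microsoft-themed S3 static site. All events are constructed."""
from datetime import datetime, timedelta
from urllib.parse import urlparse
import re

# Virtual-hosted S3 names: <bucket>.s3.amazonaws.com or <bucket>.s3.<region>.amazonaws.com
S3_HOST = re.compile(r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
MS_TOKENS = ("outlook", "service-page", "microsoft", "office", "o365", "mailbox")
HELPDESK_PHRASES = ("mailbox repair", "spam filter", "fix your inbox", "install this patch")
ORG_BUCKETS = {"corp-static-assets"}          # assumption: buckets the organization owns
RULE_OPS = ("New-InboxRule", "Set-InboxRule")
RULE_CONDITIONS = ("From", "SentTo", "SubjectContainsWords", "BodyContainsWords")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def suspicious_s3_url(url):
    """Return the bucket name when `url` points at an S3 static host whose bucket
    looks Microsoft-themed and is not owned by the organization, else None."""
    host = (urlparse(url).hostname or "").lower()
    m = S3_HOST.match(host)
    if not m or m.group("bucket") in ORG_BUCKETS:
        return None
    bucket = m.group("bucket")
    return bucket if any(tok in bucket for tok in MS_TOKENS) else None


def is_flooding_rule(event):
    """A rule that copies or forwards mail with no filtering condition duplicates
    every inbound message, which is the flood the campaign used. Parameter names
    follow Exchange's New-InboxRule cmdlet."""
    if event["operation"] not in RULE_OPS:
        return False
    p = event["parameters"]
    duplicates = any(p.get(k) for k in ("CopyToFolder", "ForwardTo", "ForwardAsAttachmentTo"))
    return duplicates and not any(k in p for k in RULE_CONDITIONS)


def correlate(events, window=timedelta(hours=24)):
    """Return one alert per (flooding rule, follow-on Teams message) pair where an
    external sender contacts the same user inside `window` with helpdesk language
    or a suspicious S3 link."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, rule in enumerate(events):
        if not is_flooding_rule(rule):
            continue
        for msg in events[i + 1:]:
            if msg["ts"] - rule["ts"] > window:
                break
            if (msg["operation"] != "TeamsMessage" or msg["user"] != rule["user"]
                    or not msg.get("external_sender")):
                continue
            buckets = [b for b in map(suspicious_s3_url, URL_RE.findall(msg["text"])) if b]
            helpdesk = any(ph in msg["text"].lower() for ph in HELPDESK_PHRASES)
            if buckets or helpdesk:
                alerts.append({"user": rule["user"], "rule_ts": rule["ts"], "msg_ts": msg["ts"],
                               "sender": msg["sender"], "buckets": buckets, "helpdesk_lure": helpdesk})
    return alerts


T0 = datetime(2025, 1, 15, 9, 0)
SAMPLE_EVENTS = [  # constructed audit records, shaped loosely after the M365 unified audit log
    {"ts": T0, "user": "bob@example.com", "operation": "New-InboxRule",
     "parameters": {"Name": "vendor", "From": "billing@vendor.example", "MoveToFolder": "Vendors"}},
    {"ts": T0 + timedelta(minutes=5), "user": "alice@example.com", "operation": "New-InboxRule",
     "parameters": {"Name": "sync", "CopyToFolder": "Inbox"}},
    {"ts": T0 + timedelta(minutes=40), "user": "alice@example.com", "operation": "TeamsMessage",
     "sender": "it.helpdesk@outlook.example", "external_sender": True,
     "text": "Hi, IT Helpdesk here. We see your inbox is flooding. Run the mailbox repair at "
             "https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/?email=alice%40example.com"},
    {"ts": T0 + timedelta(hours=2), "user": "bob@example.com", "operation": "TeamsMessage",
     "sender": "pm@partner.example", "external_sender": True,
     "text": "Notes: https://corp-static-assets.s3.amazonaws.com/q1.pdf"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Bob's rule has a `From` condition and only moves mail, so it is ignored; Alice's rule copies everything to the Inbox with no condition and is followed within the window by an external "mailbox repair" message carrying an S3 bucket that matches the `outlook` token, which produces the single alert. In production the bucket allowlist matters more than the token list: a staging bucket the organization owns will otherwise page on every internal link.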

Endpoint and browser controls

  • Hunt for renamed AutoHotKey binaries paired with same-named scripts in user download or temp paths.
  • Inventory Chromium extensions installed outside approved stores, especially names resembling MS Heartbeat or System Heartbeat.
  • Monitor extension persistence behaviors such as unexpected service-worker alarms and keep-alive tabs in managed browser telemetry where available.
  • Alert on local HTTP listeners around port 8000 launched by Python from user-writable paths.
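The four endpoint hunts above can be run as one pass over an EDR or inventory export. The following is an added example, not code from the report or any vendor; the inventory is constructed, and the field names (`original_filename` taken from PE version info, `listen_ports`, `install_source`) are assumptions about what the export provides. The AutoHotKey check keys on the PE `OriginalFilename` rather than the on-disk name, which is exactly what a renamed binary does not change.

```python
"""Added example, not from the report: three endpoint hunts over a constructed
inventory. Field names (original_filename from PE version info, listen_ports,
install_source) are assumptions about what an EDR/inventory export provides."""
import ntpath
import re

USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|desktop|documents|appdata)|windows\\temp|temp)\\", re.I)
HEARTBEAT_NAME = re.compile(r"\b(ms|system)\s*heartbeat\b", re.I)
PYTHON_IMAGES = ("python.exe", "pythonw.exe", "python3.exe")
APPROVED_SOURCES = {"webstore", "policy"}    # assumption: store installs and admin force-installs


def user_writable(path):
    """True for the download/temp/profile locations an unprivileged user can write to."""
    return bool(USER_WRITABLE.match(path))


def renamed_autohotkey_pairs(files):
    """Flag executables whose PE OriginalFilename says AutoHotkey but whose on-disk
    name does not, when a same-stem .ahk sits beside them. AutoHotkey launched with
    no arguments loads the script matching its own base name from its directory."""
    paths = {f["path"].lower(): f["path"] for f in files}
    hits = []
    for f in files:
        orig = (f.get("original_filename") or "").lower()
        directory, name = ntpath.split(f["path"])
        stem, ext = ntpath.splitext(name)
        if ext.lower() != ".exe" or not orig.startswith("autohotkey") or stem.lower().startswith("autohotkey"):
            continue
        script = paths.get(ntpath.join(directory, stem + ".ahk").lower())
        if script:
            hits.append({"exe": f["path"], "script": script, "user_writable": user_writable(f["path"])})
    return hits


def local_python_listeners(procs, ports=range(8000, 8011)):
    """Python processes started from user-writable paths that listen in the
    SNOWBASIN-style port range. Both the interpreter path and the script argument
    are checked, since a system interpreter may run a user-dropped script."""
    hits = []
    for p in procs:
        image = ntpath.basename(p["image"]).lower()
        script = next((a for a in p["cmdline"].split() if a.lower().endswith(".py")), "")
        if image not in PYTHON_IMAGES and not script:
            continue
        if not (user_writable(p["image"]) or (script and user_writable(script))):
            continue
        bad = [port for port in p.get("listen_ports", []) if port in ports]
        if bad:
            hits.append({"pid": p["pid"], "ports": bad, "script": script or p["image"]})
    return hits


def unapproved_extensions(exts):
    """Chromium extensions installed outside approved sources; heartbeat-style
    names get a higher priority because that is what SNOWBELT used."""
    hits = []
    for e in exts:
        if e["install_source"] in APPROVED_SOURCES:
            continue
        priority = "high" if HEARTBEAT_NAME.search(e["name"]) else "review"
        hits.append({"id": e["id"], "name": e["name"], "source": e["install_source"], "priority": priority})
    return hits


FILES = [  # constructed inventory rows
    {"path": r"C:\Users\alice\Downloads\MailboxRepair.exe", "original_filename": "AutoHotkey.exe"},
    {"path": r"C:\Users\alice\Downloads\MailboxRepair.ahk", "original_filename": None},
    {"path": r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "original_filename": "AutoHotkey.exe"},
    {"path": r"C:\Users\alice\Downloads\invoice.pdf", "original_filename": None},
]
PROCS = [  # constructed process rows
    {"pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "cmdline": r"python.exe C:\Users\alice\AppData\Local\Temp\py\srv.py", "listen_ports": [8000]},
    {"pid": 2208, "image": r"C:\Program Files\Python312\python.exe",
     "cmdline": r"python.exe C:\tools\build.py", "listen_ports": []},
    {"pid": 880, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs", "listen_ports": [135]},
]
EXTENSIONS = [  # constructed extension rows; ids are placeholders
    {"id": "ext-placeholder-1", "name": "MS Heartbeat", "install_source": "sideload"},
    {"id": "ext-placeholder-2", "name": "Corp SSO Helper", "install_source": "policy"},
    {"id": "ext-placeholder-3", "name": "uBlock Origin", "install_source": "webstore"},
]

if __name__ == "__main__":
    print(renamed_autohotkey_pairs(FILES))
    print(local_python_listeners(PROCS))
    print(unapproved_extensions(EXTENSIONS))
```

The legitimate `C:\Program Files\AutoHotkey\AutoHotkey.exe` is skipped because its stem still says AutoHotkey; the build script run by a system interpreter from `C:\tools` is skipped because neither path is user-writable. Both exclusions are deliberate so that developer workstations with a proper AutoHotkey install do not drown the signal.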

Lateral movement and credential defense

  • Correlate browser-extension or AutoHotKey execution with internal scans of 135, 445, and 3389.
  • Investigate PsExec sessions that traverse tunnels or originate from unusual user endpoints.
  • Alert on LSASS dumps through GUI tools such as Task Manager, not only classic command-line dumping utilities.
  • Treat backup servers as high-value targets after helpdesk-themed social engineering: review RDP, local admin use, and credential material exposure.
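Two of the heuristics above (staged-tool execution followed by internal scanning, and LSASS access from a GUI tool) are easiest to express over Sysmon-style telemetry. The following is an added example, not code from the report; the events are constructed and shaped after Sysmon Event IDs 1, 3 and 10, the six-hour window and five-target fan-out threshold are assumptions, and the `PROCESS_VM_READ` bit check reflects the access a memory dump needs rather than anything the report states.

```python
"""Added example, not from the report: correlate staged-loader execution with
internal scanning on 135/445/3389, and flag LSASS access by GUI tools, over
constructed Sysmon-shaped events (EID 1 process create, EID 3 network connect,
EID 10 process access). Window and fan-out threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import ntpath

SCAN_PORTS = {135, 445, 3389}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STAGING_MARKERS = ("autohotkey",)   # PE OriginalFileName prefixes that identify the staged loader
GUI_DUMPERS = {"taskmgr.exe"}       # Task Manager's "Create dump file" is what the report observed
PROCESS_VM_READ = 0x0010            # access right required to read another process's memory


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def staging_hosts(events):
    """Map host -> earliest time a binary whose OriginalFileName is AutoHotkey ran there."""
    seen = {}
    for e in events:
        if e["event_id"] == 1 and e.get("original_file_name", "").lower().startswith(STAGING_MARKERS):
            seen[e["host"]] = min(seen.get(e["host"], e["ts"]), e["ts"])
    return seen


def scan_after_staging(events, window=timedelta(hours=6), min_targets=5):
    """Alert when a host that ran the staged loader then connects to at least
    `min_targets` distinct internal hosts on 135/445/3389 inside `window`.
    The fan-out is the scan; the loader execution is what ties it to the lure."""
    staged = staging_hosts(events)
    targets = defaultdict(set)
    for e in events:
        if e["event_id"] != 3 or e["host"] not in staged:
            continue
        age = (e["ts"] - staged[e["host"]]).total_seconds()
        if e["dst_port"] in SCAN_PORTS and is_internal(e["dst_ip"]) and 0 <= age <= window.total_seconds():
            targets[e["host"]].add(e["dst_ip"])
    return [{"host": h, "targets": len(t), "first_staging": staged[h]}
            for h, t in targets.items() if len(t) >= min_targets]


def gui_lsass_access(events):
    """EID 10 where a GUI process opens lsass.exe with VM_READ. Classic dumpers are
    covered by most rulesets; Task Manager often is not."""
    hits = []
    for e in events:
        if e["event_id"] != 10 or ntpath.basename(e["target_image"]).lower() != "lsass.exe":
            continue
        src = ntpath.basename(e["source_image"]).lower()
        if src in GUI_DUMPERS and int(e["granted_access"], 16) & PROCESS_VM_READ:
            hits.append({"host": e["host"], "source": src, "granted_access": e["granted_access"]})
    return hits


T0 = datetime(2025, 1, 15, 10, 0)
EVENTS = [  # constructed; WS-BOB fans out too but never ran the loader, so it is not alerted
    {"event_id": 1, "host": "WS-ALICE", "ts": T0,
     "image": r"C:\Users\alice\Downloads\MailboxRepair.exe", "original_file_name": "AutoHotkey.exe"},
    *[{"event_id": 3, "host": "WS-ALICE", "ts": T0 + timedelta(minutes=30, seconds=i),
       "dst_ip": f"10.0.1.{i}", "dst_port": 445} for i in range(1, 9)],
    {"event_id": 3, "host": "WS-ALICE", "ts": T0 + timedelta(minutes=31), "dst_ip": "198.51.100.7", "dst_port": 443},
    *[{"event_id": 3, "host": "WS-BOB", "ts": T0 + timedelta(minutes=30, seconds=i),
       "dst_ip": f"10.0.1.{i}", "dst_port": 445} for i in range(1, 9)],
    {"event_id": 10, "host": "BACKUP01", "ts": T0 + timedelta(hours=3),
     "source_image": r"C:\Windows\System32\Taskmgr.exe", "target_image": r"C:\Windows\system32\lsass.exe",
     "granted_access": "0x1FFFFF"},
    {"event_id": 10, "host": "BACKUP01", "ts": T0 + timedelta(hours=3),
     "source_image": r"C:\Windows\System32\csrss.exe", "target_image": r"C:\Windows\system32\lsass.exe",
     "granted_access": "0x1000"},
]

if __name__ == "__main__":
    print(scan_after_staging(EVENTS))
    print(gui_lsass_access(EVENTS))
```

Requiring the loader execution before counting fan-out is what keeps the scan rule quiet on hosts that legitimately touch many SMB or RPC endpoints (vulnerability scanners, backup agents); those hosts can be allowlisted separately. The LSASS rule deliberately ignores `csrss.exe` and other system processes that open LSASS with limited rights, and it is worth extending `GUI_DUMPERS` only after confirming what your own administrators actually use.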

Attribution notes

  • Mandiant attributes the SNOW malware ecosystem to UNC6692.
  • This page tracks the operation and tooling behavior. A separate group profile has not been added yet, because the current public wiki value is the intrusion chain and defender heuristics rather than a multi-source actor history.

Sources

  • Google Cloud / Mandiant: https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware