A previously undocumented threat group known as UNC6692 has been observed using social engineering tactics through Microsoft Teams to deploy a custom malware suite on compromised systems, according to Google-owned Mandiant.
Email Bombing Followed by Fake IT Support
UNC6692 relies heavily on impersonating IT helpdesk employees to trick victims into accepting Microsoft Teams chat invitations from accounts outside their organization. The attack chain begins with a large email campaign designed to overwhelm a target’s inbox with spam emails, creating a false sense of urgency.
The threat actor then approaches the target over Microsoft Teams by sending a message claiming to be from the IT support team to offer assistance with the email bombing problem. This combination of email flooding followed by Microsoft Teams-based help desk impersonation has been a tactic long used by former Black Basta affiliates, despite the ransomware group shutting down operations early last year.
Executives Targeted With Increasing Frequency
ReliaQuest revealed last week that this approach targets executives and senior-level employees for initial access into corporate networks for potential data theft, lateral movement, ransomware deployment and extortion. From March 1 to April 1, 2026, 77% of observed incidents targeted senior-level employees, up from 59% in the first two months of 2026. In some cases, chats were initiated just 29 seconds apart.
The goal of the conversation is to trick victims into installing legitimate remote monitoring and management tools like Quick Assist or Supremo Remote Desktop to enable hands-on access, then weaponize that access to drop additional payloads. ReliaQuest researchers John Dilgen and Alexa Feminella noted that this activity demonstrates a threat group’s most effective tactics can long outlive the group itself.
SNOW Malware Distribution via Phishing
The attack chain described by Mandiant deviates from the standard approach. The victim is instructed to click on a phishing link shared via Teams chat to install a local patch to remediate the spam issue. Once clicked, it leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket. The phishing page is named Mailbox Repair and Sync Utility v2.1.5.
The script performs initial reconnaissance and then installs SNOWBELT, a malicious Chromium-based browser extension, on the Edge browser by launching it in headless mode along with the load-extension command line switch. Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley and Muhammad Umair explained that the attacker used a gatekeeper script designed to ensure the payload is delivered only to intended targets while evading automated security sandboxes.
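As an added detection example (not code from the Mandiant or ReliaQuest reports), the following Python flags process-creation events in which a Chromium-based browser is launched headless with a side-loaded extension, the pattern the article attributes to the SNOWBELT installer; the sample events, the temp-directory paths and the script-host parent names other than AutoHotkey are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample process-creation events in a Sysmon-like shape
# (Image / CommandLine / ParentImage). Illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"msedge.exe" --headless=new --load-extension="C:\Users\alice\AppData\Local\Temp\ext" about:blank',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey64.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"msedge.exe" --profile-directory=Default https://intranet.example',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --headless --disable-gpu --screenshot https://example.test',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

BROWSER_IMAGES = ("msedge.exe", "chrome.exe", "chromium.exe")
# Both the legacy "--headless" and the newer "--headless=new" forms are matched.
HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S*)?(?=\s|$)", re.IGNORECASE)
LOAD_EXT_RE = re.compile(r"(?:^|\s)--load-extension=", re.IGNORECASE)
# Parents that should rarely spawn a browser with a side-loaded extension. AutoHotkey
# comes from the article; the other script hosts are assumed, typical additions.
SCRIPT_HOSTS = ("autohotkey", "wscript.exe", "cscript.exe", "powershell.exe")

def image_name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Return a severity label for a process-creation event, or None if benign."""
    if image_name(event["Image"]) not in BROWSER_IMAGES:
        return None
    cmd = event["CommandLine"]
    if not LOAD_EXT_RE.search(cmd):
        return None  # headless alone is common in automation; the side-load is the signal
    headless = bool(HEADLESS_RE.search(cmd))
    parent = image_name(event["ParentImage"])
    from_script = any(parent.startswith(h) for h in SCRIPT_HOSTS)
    if headless and from_script:
        return "high: headless browser + --load-extension spawned by script host"
    if headless:
        return "medium: headless browser + --load-extension"
    return "low: --load-extension on interactive browser launch"

def scan(events):
    """Return (index, label) pairs for every event that classify() flags."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e))]
```

Run against SAMPLE_EVENTS, only the first event (headless Edge side-loading an extension from an AutoHotkey parent) is flagged; the plain headless Chrome screenshot job is not.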
The phishing page also serves a Configuration Management Panel with a prominent Health Check button that, when clicked, prompts users to enter their mailbox credentials, ostensibly for authentication purposes, but in reality the input is harvested and exfiltrated to another Amazon S3 bucket.
The SNOW Malware Ecosystem
The SNOW malware ecosystem is a modular toolkit whose components work together to achieve the attacker’s goals. SNOWBELT is a JavaScript-based backdoor that receives commands and relays them to SNOWBASIN for execution. SNOWGLAZE is a Python-based tunneler that creates a secure, authenticated WebSocket tunnel between the victim’s internal network and the attacker’s command-and-control server.

SNOWBASIN operates as a persistent backdoor to enable remote command execution via cmd.exe or powershell.exe, screenshot capture, file upload and download, and self-termination. It runs as a local HTTP server on ports 8000, 8001 or 8002.
Post-exploitation actions carried out by UNC6692 include using a Python script to scan the local network for ports 135, 445 and 3389 for lateral movement, establishing PsExec sessions via the SNOWGLAZE tunneling utility, utilizing local administrator accounts to extract LSASS process memory for privilege escalation, using the pass-the-hash technique to move laterally to domain controllers, downloading FTK Imager to capture Active Directory database files, and exfiltrating data using the LimeWire file upload tool.
Voice Phishing Campaign Also Active
Experts also detailed a voice phishing-based campaign that leverages similar help desk impersonation on Microsoft Teams to guide victims into executing a WebSocket-based trojan dubbed PhantomBackdoor via an obfuscated PowerShell script retrieved from an external server.
They also noted that the incident shows how help desk impersonation delivered through Microsoft Teams meetings can replace traditional phishing while leading to the same outcome.
Defenders should treat collaboration tools as first-class attack surfaces by enforcing help desk verification workflows, tightening external Teams and screen-sharing controls, and hardening PowerShell.
