
Hackers Pose as IT Helpdesk on Microsoft Teams to Deploy Custom SNOW Malware


Google-owned Mandiant has published new research exposing a previously undocumented threat group called UNC6692, which is carrying out sophisticated social engineering attacks through Microsoft Teams to deploy a custom-built malware suite against corporate targets.

The Attack Begins With an Email Flood

The operation starts by overwhelming the victim’s inbox with a massive wave of spam emails, creating a sense of panic and urgency. Shortly after, the attacker reaches out to the same victim over Microsoft Teams, impersonating an IT helpdesk employee from outside the organization and offering to resolve the email issue. The victim is then manipulated into clicking a phishing link shared via the Teams chat disguised as a “Mailbox Repair and Sync Utility v2.1.5”, which triggers the download of a malicious AutoHotkey script from an attacker-controlled Amazon S3 bucket.

This tactic of combining inbox flooding with Teams-based helpdesk impersonation has been a hallmark of former Black Basta ransomware affiliates, and despite that group shutting down its operations, the playbook remains very much in active use.

Who Is Being Targeted?

According to separate research from ReliaQuest, the campaign is heavily focused on senior-level employees. Between March and April 2026, 77% of observed incidents targeted executives or senior staff — up from 59% in the first two months of the year. In some cases, follow-up chat messages were sent just 29 seconds after the initial contact, suggesting a degree of automation in the targeting process.

The SNOW Malware Ecosystem

Once the victim interacts with the phishing link, an AutoHotkey script performs initial reconnaissance and then installs SNOWBELT, a malicious browser extension for Microsoft Edge, by launching the browser in headless mode with a special command-line flag. The phishing page also includes a fake “Health Check” button that prompts the victim to enter their email credentials, which are silently harvested and sent to another attacker-controlled S3 bucket.

The full SNOW toolkit consists of three interconnected components working together. SNOWBELT is a JavaScript-based backdoor that receives commands from the attacker and passes them along for execution. SNOWGLAZE is a Python-based tunneling tool that establishes a secure, authenticated WebSocket connection between the victim’s internal network and the attacker’s command-and-control server. SNOWBASIN functions as a persistent backdoor running as a local HTTP server, capable of executing remote commands, capturing screenshots, and uploading or downloading files.

Post-Compromise Activity

After gaining initial access, UNC6692 moves quickly through the compromised environment. The group scans the local network for open ports to facilitate lateral movement, uses PsExec and RDP sessions tunneled through SNOWGLAZE to reach other systems, dumps LSASS process memory to extract credentials, and employs the Pass-The-Hash technique to gain access to domain controllers. In the final stage, the attackers use a forensic imaging tool to extract the Active Directory database file and exfiltrate it with a file upload utility.
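The two stages above (the AutoHotkey-to-headless-Edge install chain, and the PsExec and LSASS-dumping post-compromise activity) each leave distinctive process-creation telemetry. The following is an added example, not code from Mandiant, ReliaQuest or the article, of a small rule set run over constructed process-creation events. The event schema (`ts`, `host`, `user`, `image`, `parent`, `cmdline`) is an assumed simplified layout rather than any particular EDR product's format, the sample events and paths are constructed, and because the article does not name the "special command-line flag", the example assumes the real Chromium flags `--headless` and `--load-extension`.

```python
"""Process-creation triage for the UNC6692-style chain described in the article.

Added example (not the article's or Mandiant's tooling). All events below are
constructed; the field layout is an assumed simplified schema. The Chromium
flags --headless and --load-extension are an assumption standing in for the
unnamed "special command-line flag" in the article.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, Optional

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
LSASS_DUMP_MARKERS = ("procdump", "minidump", "comsvcs")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    ts: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path ('' if empty)."""
    return re.split(r"[\\/]", path or "")[-1].lower()


def rule_headless_extension(ev: dict) -> Optional[str]:
    """Stage 2: a browser started headless while side-loading an extension."""
    cmd = ev.get("cmdline", "").lower()
    if basename(ev.get("image", "")) in BROWSERS and "--headless" in cmd and "--load-extension" in cmd:
        return f"headless browser loading an extension: {ev['cmdline']}"
    return None


def rule_autohotkey_from_browser(ev: dict) -> Optional[str]:
    """Stage 1: AutoHotkey interpreter spawned directly by a browser, i.e. a
    script run straight after download, matching the Teams-link delivery path."""
    if basename(ev.get("image", "")).startswith("autohotkey") and basename(ev.get("parent", "")) in BROWSERS:
        return f"AutoHotkey started by {basename(ev['parent'])}: {ev['cmdline']}"
    return None


def rule_psexec(ev: dict) -> Optional[str]:
    """Post-compromise: PsExec client or its service binary on a workstation."""
    if basename(ev.get("image", "")) in PSEXEC_NAMES:
        return f"PsExec execution: {ev['cmdline']}"
    return None


def rule_lsass_dump(ev: dict) -> Optional[str]:
    """Post-compromise: a known dumping tool pointed at the LSASS process."""
    cmd = ev.get("cmdline", "").lower()
    if "lsass" in cmd and any(marker in cmd for marker in LSASS_DUMP_MARKERS):
        return f"LSASS memory dump attempt: {ev['cmdline']}"
    return None


RULES = {
    "autohotkey_launched_by_browser": rule_autohotkey_from_browser,
    "headless_browser_extension_load": rule_headless_extension,
    "psexec_lateral_movement": rule_psexec,
    "lsass_memory_dump": rule_lsass_dump,
}


def triage(events: Iterable[dict]) -> list:
    """Run every rule over every event; one Finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append(Finding(name, ev.get("host", "?"), ev.get("ts", "?"), detail))
    return findings


def triage_jsonl(text: str) -> list:
    """Same as triage() but over newline-delimited JSON, as exported by many EDR/SIEM tools."""
    return triage(json.loads(line) for line in text.splitlines() if line.strip())


def summarize(findings: Iterable[Finding]) -> dict:
    """Count of findings per rule name."""
    counts: dict = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample events mirroring the article's stages; two are benign noise.
SAMPLE_EVENTS = [
    {"ts": "2026-04-02T09:14:03Z", "host": "WS-EXEC01", "user": "corp\\jdoe",
     "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "parent": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'AutoHotkey.exe "C:\Users\jdoe\Downloads\MailboxRepairSync_v2.1.5.ahk"'},
    {"ts": "2026-04-02T09:14:09Z", "host": "WS-EXEC01", "user": "corp\\jdoe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmdline": r'msedge.exe --headless --load-extension="C:\Users\jdoe\AppData\Local\Temp\ext"'},
    {"ts": "2026-04-02T09:20:41Z", "host": "WS-EXEC01", "user": "corp\\jdoe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "OUTLOOK.EXE"},
    {"ts": "2026-04-02T11:02:17Z", "host": "WS-EXEC01", "user": "corp\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\PsExec64.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"PsExec64.exe -accepteula \\WS-FIN07 cmd.exe"},
    {"ts": "2026-04-02T11:09:55Z", "host": "WS-FIN07", "user": "corp\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\procdump.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"procdump.exe -ma lsass.exe C:\Users\jdoe\AppData\Local\Temp\l.dmp"},
    {"ts": "2026-04-02T11:10:02Z", "host": "WS-FIN07", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in triage_jsonl(SAMPLE_JSONL):
        print(f"[{f.ts}] {f.host} {f.rule}: {f.detail}")
```

The parent-process check in `rule_autohotkey_from_browser` is what separates a downloaded script run from the browser from the legitimate AutoHotkey use some organisations have; the other three rules are deliberately narrow string matches so they can be layered into an existing SIEM query rather than replacing one.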

A Notable Abuse of Trusted Cloud Infrastructure

A key element of UNC6692’s approach is routing both payload delivery and data exfiltration through trusted cloud services like Amazon S3. By leveraging legitimate platforms, the attackers can blend into normal cloud traffic and bypass traditional reputation-based network filters, making detection significantly harder.

Separately, Cato Networks also documented a related campaign using similar helpdesk impersonation over Microsoft Teams voice calls to deploy a WebSocket-based trojan called PhantomBackdoor via obfuscated PowerShell commands.

Security teams are advised to enforce helpdesk verification workflows, restrict external Teams communications and screen-sharing permissions, and apply tighter controls around PowerShell execution.


