Google Threat Intelligence Group (GTIG) and Mandiant have published research on UNC6692, a previously undocumented threat group pairing email-bombing campaigns with Teams helpdesk impersonation to deploy a custom modular malware suite called SNOW.
The campaign was first observed in late December 2025 and ended with theft of an Active Directory database from the targeted organization.
UNC6692 begins its incursion by flooding a target’s inbox with non-malicious bulk emails, then contacts the same victim over Teams from an external account, posing as IT support offering to fix the spam problem.
That tactic resembles techniques used by former Black Basta affiliates since at least 2024. The approach is reportedly spreading. ReliaQuest researchers John Dilgen and Alexa Feminella recently reported that 77% of helpdesk-impersonation incidents observed from March 1 to April 1, 2026, targeted senior-level employees, up from 59% earlier in the year.
UNC6692 diverges at the next step, however. Rather than steering victims toward Quick Assist or AnyDesk, the group sends them to a phishing page disguised as a “Mailbox Repair and Sync Utility.”
A gatekeeper script forces the user into Microsoft Edge, then serves an AutoHotkey binary from an attacker-controlled AWS S3 bucket.
Inside the Three-Part SNOW Suite
The binary installs SNOWBELT, a Chromium extension loaded into a headless Edge process and disguised under names like “MS Heartbeat.”
SNOWBELT pulls in SNOWGLAZE, a Python WebSocket tunneler used to route traffic through a Heroku command-and-control (C2) host, and SNOWBASIN, a Python HTTP backdoor that runs commands and captures the screen on the local machine.
From that foothold, UNC6692 ran internal port scanning, opened a PsExec session, and pivoted via RDP to a backup server. Operators dumped Local Security Authority Subsystem Service (LSASS) memory and exfiltrated it via LimeWire, used Pass-the-Hash to reach domain controllers, and pulled NTDS.dit and registry hives via FTK Imager.
Google and Mandiant warned that the campaign’s use of trusted cloud platforms allows malicious components to blend into legitimate cloud traffic, weakening reputation-based filtering.
In their analysis, the researchers wrote that defenders need visibility beyond process monitoring, including into browser behavior and unsanctioned cloud traffic. They also need to tie together activity from browsers, local Python tooling and cloud egress points.
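As an added illustration of the browser-level visibility the researchers call for (example code written for this article, not from Google, Mandiant or the report), the hunt below runs over constructed process-creation records and flags two behaviors described above: a browser started headless while sideloading an extension from a user-writable path, and a Python interpreter launched by a browser process. The Chromium flags --headless and --load-extension, the file names, the "MSHeartbeat" directory and the sample paths are assumptions.

```python
import ntpath
import re

# Constructed sample process-creation records, not telemetry from the report.
# The Chromium flags --headless and --load-extension, the file names and the
# "MSHeartbeat" directory are assumptions for illustration.
EVENTS = [
    {"pid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\MailboxRepair.exe",
     "parent": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "MailboxRepair.exe"},
    {"pid": 4188, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\MailboxRepair.exe",
     "cmdline": r'msedge.exe --headless --load-extension="C:\Users\u\AppData\Roaming\MSHeartbeat"'},
    {"pid": 5002, "image": r"C:\Users\u\AppData\Roaming\py\pythonw.exe",
     "parent": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "pythonw.exe tunnel.py"},
    {"pid": 700, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "msedge.exe https://intranet.example"},
]

BROWSERS = {"msedge.exe", "chrome.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe"}
# Locations under a user profile that an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
EXT_FLAG = re.compile(r'--load-extension=("?)([^"\s]+)\1', re.IGNORECASE)


def name(path: str) -> str:
    return ntpath.basename(path).lower()


def headless_browser_with_user_extension(ev: dict) -> bool:
    """Browser started headless and sideloading an unpacked extension from a user-writable path."""
    if name(ev["image"]) not in BROWSERS or "--headless" not in ev["cmdline"].lower():
        return False
    m = EXT_FLAG.search(ev["cmdline"])
    return m is not None and USER_WRITABLE.search(m.group(2)) is not None


def interpreter_spawned_by_browser(ev: dict) -> bool:
    """Python interpreter located in a user-writable path and launched by a browser process."""
    return (name(ev["image"]) in INTERPRETERS and name(ev["parent"]) in BROWSERS
            and USER_WRITABLE.search(ev["image"]) is not None)


RULES = [headless_browser_with_user_extension, interpreter_spawned_by_browser]


def hunt(events: list) -> list:
    """Return (rule name, pid) for every event matching a rule, in event order."""
    return [(rule.__name__, ev["pid"]) for ev in events for rule in RULES if rule(ev)]
```

Correlating the two hits by parent/child relationship (the extension-bearing browser spawning the interpreter) is what ties the browser and local Python activity together as the report recommends.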