
UNC6692 leverages Teams impersonations to deploy Snow malware for credential theft and domain takeover
Researchers say the threat group UNC6692 uses email bombing to pressure targets and then contacts them via Microsoft Teams, posing as the IT helpdesk to induce installation of a purported patch that drops Snow, a custom malware suite (SnowBelt browser extension, SnowGlaze tunneler, SnowBasin backdoor). SnowBelt provides persistence and relays commands to SnowBasin through a headless Edge session, while SnowGlaze establishes a WebSocket tunnel and SOCKS proxy for C2 communication. SnowBasin can execute attacker commands, provide remote shell access, and exfiltrate data; LSASS memory dumps and pass-the-hash techniques enable internal reconnaissance and lateral movement to domain controllers, and the attackers also exfiltrate Active Directory data, captured with FTK Imager, via LimeWire. The report includes IoCs and YARA rules to detect Snow.
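Two of the behaviours described above are observable in ordinary endpoint telemetry: a headless Microsoft Edge session started on a workstation, and a process opening a handle to lsass.exe shortly afterwards (the precursor to a memory dump). The following is an added example, not code from the report or from the researchers, of a small correlation rule over constructed, Sysmon-style process events; the event field names, the sample events, the 30-minute window and the LSASS allowlist are all assumptions for illustration and should be tuned to the environment.

```python
"""Added example (not from the original report): correlate a headless Edge launch
with a later LSASS handle open on the same host, using constructed events in an
assumed Sysmon-like shape (ProcessCreate / ProcessAccess)."""

from datetime import datetime, timedelta

# Constructed sample events; field names are an assumed schema, not real telemetry.
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "host": "WS01", "event": "ProcessCreate",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe --headless=new", "target": ""},
    {"ts": "2025-01-10T09:05:00", "host": "WS01", "event": "ProcessCreate",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe --profile-directory=Default", "target": ""},   # benign
    {"ts": "2025-01-10T09:20:00", "host": "WS01", "event": "ProcessAccess",
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2025-01-10T10:00:00", "host": "WS02", "event": "ProcessAccess",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "cmdline": "", "target": r"C:\Windows\System32\lsass.exe"},            # allowlisted
    {"ts": "2025-01-10T11:00:00", "host": "WS03", "event": "ProcessCreate",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe --headless", "target": ""},                     # no LSASS follow-up
]

# Source images expected to touch LSASS on this fleet (assumed; tune per environment).
LSASS_ALLOWLIST = {"msmpeng.exe"}


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_headless_edge(event):
    """True for an msedge.exe launch carrying any --headless variant (e.g. --headless=new)."""
    if event["event"] != "ProcessCreate" or _basename(event["image"]) != "msedge.exe":
        return False
    return any(tok.lower().startswith("--headless") for tok in event["cmdline"].split())


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process opens a handle to lsass.exe."""
    return (event["event"] == "ProcessAccess"
            and _basename(event["target"]) == "lsass.exe"
            and _basename(event["image"]) not in LSASS_ALLOWLIST)


def find_findings(events, window=timedelta(minutes=30)):
    """Emit single-signal findings plus a higher-confidence finding when a
    headless Edge launch is followed within `window` by LSASS access on the same host."""
    headless = [e for e in events if is_headless_edge(e)]
    lsass = [e for e in events if is_suspicious_lsass_access(e)]
    findings = [{"rule": "headless_edge", "host": e["host"], "ts": e["ts"]} for e in headless]
    findings += [{"rule": "lsass_access", "host": e["host"], "ts": e["ts"],
                  "source": _basename(e["image"])} for e in lsass]
    for h in headless:
        for l in lsass:
            if l["host"] == h["host"] and timedelta(0) <= _ts(l) - _ts(h) <= window:
                findings.append({"rule": "headless_edge_then_lsass", "host": h["host"],
                                 "edge_ts": h["ts"], "lsass_ts": l["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_findings(EVENTS):
        print(f)
```

Against the constructed events this yields two `headless_edge` findings (WS01, WS03), one `lsass_access` finding (WS01, rundll32.exe; the Defender access on WS02 is allowlisted) and one correlated `headless_edge_then_lsass` finding for WS01. A headless browser launch on its own is common in developer and automation contexts, so the single-signal findings are best treated as context and the correlated one as the alert; the report's IoCs and YARA rules remain the authoritative detection content for Snow itself.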