
Teams Tactics Drive UNC6692’s Modular SNOW Malware Campaign
Security researchers describe UNC6692’s two-stage attack: a flood of spam overwhelms the victim's inbox, then the attackers impersonate IT staff over Microsoft Teams and coax the victim into installing a patch that drops the SNOWBELT/SNOWGLAZE/SNOWBASIN malware suite. The suite provides remote access, lateral movement, and data exfiltration, and leverages cloud services for C2 and payload delivery. The campaign targets executives and uses WebSocket tunnels and backdoors to expand access. Defenders are urged to harden collaboration tools and enforce verified help-desk procedures.