
The SNOW Malware Suite: How UNC6692 Is Exploiting Microsoft Teams to Attack Businesses in 2026

CelereTech Team

Active threat, April 2026: Google’s Threat Intelligence Group (GTIG) and Mandiant confirmed this campaign is live and ongoing. First observed in December 2025, it has been documented targeting businesses across manufacturing, professional services, finance, and healthcare. 77% of recent victims were senior employees and executives.

Executive Summary

In April 2026, Google’s Threat Intelligence Group (GTIG) and Mandiant published research on one of the most sophisticated — and practically dangerous — cyberattack campaigns targeting businesses today. A previously unknown threat group, designated UNC6692, has been deploying a custom, modular malware framework called the SNOW suite against business targets worldwide using Microsoft Teams as the primary attack vector.

The SNOW suite consists of three purpose-built components: SNOWBELT (a malicious browser extension), SNOWGLAZE (a Python-based network tunneler), and SNOWBASIN (a Python-based remote access backdoor). Together, they give attackers persistent, covert access to corporate networks, including the ability to dump Active Directory credentials, move laterally across systems, and exfiltrate sensitive data through attacker-controlled cloud infrastructure.

What makes this campaign uniquely dangerous isn’t its technical sophistication alone — it’s the deliberate exploitation of trust, specifically the trust employees place in Microsoft Teams and IT helpdesk support personnel. The attack requires no software vulnerability, no zero-day exploit, and no stolen password to initiate. It requires only a convinced employee.

What Is UNC6692?

UNC6692 is a newly tracked threat actor, first identified by Mandiant in late December 2025 when the campaign was observed in active operation. The group’s geographic origin and ultimate attribution haven’t been publicly confirmed, though the sophistication of both the tooling and the social engineering tradecraft suggests a well-resourced, organized operation. The campaign has drawn comparisons to techniques previously associated with former Black Basta ransomware affiliates, though UNC6692’s specific payload delivery mechanism represents a novel evolution of those tactics.

The SNOW Malware Suite: A Component-by-Component Breakdown

Mandiant describes the SNOW components as forming “a coordinated pipeline that facilitates an attacker’s journey from initial browser-based access to the internal network of the organization.”

SNOWBELT — the browser extension backdoor (initial foothold)

SNOWBELT is a malicious Chromium browser extension — the first component installed on the victim’s machine. It’s delivered not through the Chrome Web Store, but silently via a dropper executed from the phishing page, installing itself under benign-sounding names such as “MS Heartbeat” or “System Heartbeat” to avoid detection.

Technically, SNOWBELT is a JavaScript-based Service Worker that:

SNOWGLAZE — the Python network tunneler (covert communications)

SNOWGLAZE is a cross-platform Python-based tunneling utility downloaded by SNOWBELT after initial access. It creates an encrypted, authenticated communication channel to the attacker’s C2 infrastructure, including:

The use of Heroku subdomains and AWS S3 buckets as C2 relay points is deliberate: traffic to these widely-used cloud platforms is rarely blocked or flagged in corporate network environments.

SNOWBASIN — the Python backdoor shell (persistent remote access)

SNOWBASIN is a Python-based bindshell running a local HTTP server on port 8000, accepting attacker commands relayed through the SNOWBELT/SNOWGLAZE pipeline. It enables execution of arbitrary PowerShell and cmd.exe commands, interactive remote shell access, screenshot capture and file staging for exfiltration, file download/upload, and a self-termination command to reduce forensic traces on demand.

The Complete UNC6692 Attack Chain

  1. Email bombing — A coordinated flood of subscription confirmations, forum registrations, and spam hits the target’s inbox within minutes. The goal isn’t infection via email — it’s psychological disruption, leaving the victim overwhelmed and urgently seeking help.
  2. Microsoft Teams impersonation — Almost simultaneously, the victim receives a Teams chat message from an external account impersonating IT helpdesk, referencing the email chaos and offering immediate assistance.
  3. Credential harvesting via fake repair tool — The “helpdesk agent” directs the victim to a fake “Mailbox Repair and Sync Utility” hosted on attacker-controlled AWS S3 buckets, using a “double-entry” credential capture mechanism and a convincing animated progress bar.
  4. AutoHotKey payload execution and SNOWBELT installation — While the victim watches the progress bar, the page silently downloads an AutoHotKey binary and script that launches a headless Microsoft Edge process with SNOWBELT loaded, invisible to the user.
  5. SNOWGLAZE and SNOWBASIN deployment — SNOWBELT downloads the remaining SNOW suite components, giving the attacker covert, persistent, encrypted access.
  6. Internal reconnaissance and lateral movement — A Python script scans the internal network for open ports 135, 445, and 3389; PsExec executes processes on remote hosts; RDP sessions reach backup servers and domain controllers.
  7. Credential dumping and Active Directory compromise — LSASS process memory is dumped to extract NTLM hashes for Pass-the-Hash attacks, and FTK Imager (a legitimate forensic tool) is used to extract the Active Directory database (ntds.dit) and SAM/SYSTEM/SECURITY registry hives.
  8. Data exfiltration — Harvested credentials and AD database files are exfiltrated through LimeWire and attacker-controlled AWS S3 buckets.

MITRE ATT&CK Techniques Observed

| Tactic            | Technique ID | Technique Name                                                        |
|-------------------|--------------|-----------------------------------------------------------------------|
| Initial Access    | T1566.003    | Phishing: Spearphishing via Service (Microsoft Teams)                 |
| Execution         | T1204.001    | User Execution: Malicious Link                                        |
| Execution         | T1059.010    | Command and Scripting Interpreter: AutoHotKey & AutoIT                |
| Execution         | T1059.001    | Command and Scripting Interpreter: PowerShell                         |
| Execution         | T1059.003    | Command and Scripting Interpreter: Windows Command Shell              |
| Execution         | T1059.006    | Command and Scripting Interpreter: Python                             |
| Execution         | T1176.001    | Browser Extensions                                                    |
| Persistence       | T1053.005    | Scheduled Task/Job: Scheduled Task                                    |
| Persistence       | T1547.009    | Boot or Logon Autostart Execution: Shortcut Modification              |
| Command & Control | T1572        | Protocol Tunneling (SNOWGLAZE WebSocket tunnel)                       |
| Command & Control | T1090        | Proxy: SOCKS Proxy (SNOWGLAZE pivot capability)                       |
| Credential Access | T1003.001    | OS Credential Dumping: LSASS Memory                                   |
| Credential Access | T1003.002    | OS Credential Dumping: Security Account Manager                       |
| Credential Access | T1003.003    | OS Credential Dumping: NTDS                                           |
| Lateral Movement  | T1550.002    | Use Alternate Authentication Material: Pass-the-Hash                  |
| Lateral Movement  | T1021.001    | Remote Services: Remote Desktop Protocol                              |
| Lateral Movement  | T1021.002    | Remote Services: SMB/Windows Admin Shares (PsExec)                    |

Why Small and Mid-Sized Businesses Are Particularly at Risk

Indicators of Compromise to Monitor For

Behavioral IOCs:

How to Protect Your Organization

  1. Restrict Microsoft Teams external access (highest priority) — In the Teams Admin Center, go to Users > External Access and block all external domains by default, allowlisting only trusted partner domains. Ensure external messages are clearly flagged with warning banners.
  2. Deploy Endpoint Detection & Response (EDR) — Behavioral detection catches AutoHotKey execution, headless Edge processes loaded with extensions via command-line flags, and unexpected Python activity.
  3. Implement browser extension allowlisting — Configure Intune/Endpoint Manager to allow only approved extensions, and alert on any attempted install outside that list.
  4. Monitor and restrict AWS S3 and Heroku traffic — If your organization doesn’t use these platforms, block or alert on outbound connections to them.
  5. Conduct targeted security awareness training — Specifically cover the email-bombing-plus-Teams-impersonation sequence, and the rule that legitimate IT staff never ask employees to click external links or install tools via Teams.
  6. Harden privileged access and credential protections — Enable MFA everywhere, restrict LSASS access via Credential Guard and Attack Surface Reduction rules, and disable PsExec unless required.
  7. Implement 24/7 managed detection and response — These behavioral indicators are detectable, but only with continuous monitoring and expert human review.
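As an added example (not code from this article or from Mandiant's research), the Python sketch below applies the behavioral indicators from points 2 to 4 to a few constructed EDR-style events: an AutoHotKey launch, a headless Edge started with a side-loaded extension, a non-browser process reaching a Heroku or S3 host, and a Python process listening on port 8000 as SNOWBASIN does. The file paths, hostnames and the Edge flags --headless / --load-extension are assumptions about how such telemetry would look, not indicators from the campaign.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str            # "process" (creation), "connect" (outbound) or "listen" (bind)
    image: str           # full path of the executable
    cmdline: str = ""    # process events only
    host: str = ""       # connect events: destination hostname
    port: int = 0        # connect: destination port; listen: local port

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
# Hostnames under the two cloud platforms the article names as C2 relay points.
CLOUD_RELAY = re.compile(r"(\.herokuapp\.com|(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com)$")

def image_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: Event):
    """Return a finding string for a suspicious event, or None for a benign one."""
    name = image_name(ev.image)
    cmd = ev.cmdline.lower()
    if ev.kind == "process":
        if name.startswith("autohotkey"):
            return "T1059.010: AutoHotKey interpreter launched"
        if name in BROWSERS and "--headless" in cmd and "--load-extension" in cmd:
            return "T1176.001: headless browser started with a side-loaded extension"
    elif ev.kind == "connect":
        # Browsers talk to S3/Heroku all day; a bare python.exe doing so is the anomaly.
        if name not in BROWSERS and CLOUD_RELAY.search(ev.host.lower()):
            return "T1572: non-browser process connecting to a Heroku/S3 host"
    elif ev.kind == "listen":
        if name.startswith("python") and ev.port == 8000:
            return "SNOWBASIN-like: Python process listening on port 8000"
    return None

def scan(events):
    return [(image_name(e.image), f) for e in events if (f := classify(e))]

# Constructed sample telemetry for one workstation (assumed paths, not real IOCs).
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\alice\AppData\Local\Temp\AutoHotkey64.exe", r"AutoHotkey64.exe repair.ahk"),
    Event("process", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
          r'msedge.exe --headless=new --load-extension="C:\Users\alice\AppData\Roaming\MSHeartbeat"'),
    Event("process", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "msedge.exe --profile-directory=Default"),
    Event("connect", r"C:\Users\alice\AppData\Local\Programs\Python\python.exe", host="constructed-relay.herokuapp.com", port=443),
    Event("connect", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", host="teams.microsoft.com", port=443),
    Event("listen", r"C:\Users\alice\AppData\Local\Programs\Python\python.exe", port=8000),
]

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{image}: {finding}")
```

Running it flags four of the six constructed events and leaves the ordinary Edge launch and the Edge connection to Teams alone, which is the signal-to-noise balance an EDR rule for this campaign needs.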

Frequently Asked Questions

What is SNOW malware? A custom, modular cyberattack toolkit developed by UNC6692 and documented by Mandiant in April 2026, consisting of SNOWBELT (browser extension), SNOWGLAZE (network tunneler), and SNOWBASIN (remote access backdoor).

How does UNC6692 attack through Microsoft Teams? By combining email bombing to create urgency with an external Teams account impersonating IT helpdesk, directing the victim to a fake mailbox repair tool that silently installs the SNOW suite — exploiting Teams’ default external access settings.

Can Microsoft Teams deliver malware? Yes. Teams supports external communication by default, letting threat actors outside your organization message your employees and deliver phishing links that bypass traditional email security filters.

Is the UNC6692 SNOW malware attack still active? As of May 2026, yes — Mandiant published initial findings on April 23, 2026 after observing the campaign since December 2025, and multiple independent security firms have confirmed ongoing activity.

The Door Is Open. You Can Close It.

The SNOW malware suite is technically sophisticated and specifically designed to exploit the trust employees place in Microsoft Teams and IT support personnel. But it’s also defendable — Teams external access restriction, behavioral EDR, extension allowlisting, targeted training, and 24/7 monitoring aren’t exotic or expensive. They’re the foundation of a modern, managed security posture.

CelereTech provides all-inclusive managed IT and cybersecurity services for small and mid-sized businesses. Contact us for a Microsoft 365 and Teams Security Assessment.

This article references public threat research published by Google Cloud / Mandiant, SecurityWeek, Dark Reading, The Hacker News, HivePro, SC Media, SOC Prime, eSentire, Microsoft Security, and Field Effect. Consult your security team before making changes based on the technical guidance above.
