Active threat, April 2026: Google’s Threat Intelligence Group (GTIG) and Mandiant confirmed this campaign is live and ongoing. First observed in December 2025, it has been documented targeting businesses across manufacturing, professional services, finance, and healthcare. 77% of recent victims were senior employees and executives.
Executive Summary
In April 2026, Google’s Threat Intelligence Group (GTIG) and Mandiant published research on one of the most sophisticated — and practically dangerous — cyberattack campaigns targeting businesses today. A previously unknown threat group, designated UNC6692, has been deploying a custom, modular malware framework called the SNOW suite against business targets worldwide using Microsoft Teams as the primary attack vector.
The SNOW suite consists of three purpose-built components: SNOWBELT (a malicious browser extension), SNOWGLAZE (a Python-based network tunneler), and SNOWBASIN (a Python-based remote access backdoor). Together, they give attackers persistent, covert access to corporate networks, including the ability to dump Active Directory credentials, move laterally across systems, and exfiltrate sensitive data through attacker-controlled cloud infrastructure.
What makes this campaign uniquely dangerous isn’t its technical sophistication alone — it’s the deliberate exploitation of trust, specifically the trust employees place in Microsoft Teams and IT helpdesk support personnel. The attack requires no software vulnerability, no zero-day exploit, and no stolen password to initiate. It requires only a convinced employee.
What Is UNC6692?
UNC6692 is a newly tracked threat actor, first identified by Mandiant in late December 2025 when the campaign was observed in active operation. The group’s geographic origin and ultimate attribution haven’t been publicly confirmed, though the sophistication of both the tooling and the social engineering tradecraft suggests a well-resourced, organized operation. The campaign has drawn comparisons to techniques previously associated with former Black Basta ransomware affiliates, though UNC6692’s specific payload delivery mechanism represents a novel evolution of those tactics.
The SNOW Malware Suite: A Component-by-Component Breakdown
Mandiant describes the SNOW components as forming “a coordinated pipeline that facilitates an attacker’s journey from initial browser-based access to the internal network of the organization.”
SNOWBELT — the browser extension backdoor (initial foothold)
SNOWBELT is a malicious Chromium browser extension — the first component installed on the victim’s machine. It’s delivered not through the Chrome Web Store, but silently via a dropper executed from the phishing page, installing itself under benign-sounding names such as “MS Heartbeat” or “System Heartbeat” to avoid detection.
Technically, SNOWBELT is a JavaScript-based Service Worker that:
- Communicates with attacker C2 infrastructure using an authenticated WebSocket
- Receives encrypted commands via browser Push notifications, letting the attacker “wake up” the extension asynchronously
- Relays decrypted commands to SNOWBASIN via HTTP POST requests to a local server on port 8000
- Uses AES-GCM encryption and time-based domain generation algorithms for covert communications
- Runs in a headless Microsoft Edge instance, launched by a scheduled task and Windows Startup shortcut for persistence
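One way to hunt for an extension with the SNOWBELT traits described above is to triage each installed extension's manifest.json for the signals a defender can actually observe: a name matching the reported aliases, no store update_url (sideloaded or loaded unpacked), an MV3 service worker background, and broad host permissions. The script below is an added example, not code from the Mandiant report or from CelereTech; the sample manifests are constructed, and the verdict rule (name match, or sideloaded plus at least one more signal) is this example's own assumption.

```python
"""Triage Chromium extension manifests for SNOWBELT-style traits (added example)."""
import json
import os
from pathlib import Path
from urllib.parse import urlparse

SUSPECT_NAMES = {"ms heartbeat", "system heartbeat"}      # aliases reported for SNOWBELT
STORE_HOSTS = {"clients2.google.com", "edge.microsoft.com"}  # hosts that serve store updates
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def triage(manifest: dict) -> tuple[bool, list[str]]:
    """Return (suspicious, reasons) for one parsed manifest.json.

    Verdict rule (an assumption of this example): a reported alias is enough on
    its own; otherwise the extension must be sideloaded AND show one more signal.
    """
    reasons = []
    # Note: store extensions may carry "__MSG_name__" placeholders; resolving
    # those needs the _locales folder and is out of scope here.
    name = str(manifest.get("name", "")).strip().lower()
    if name in SUSPECT_NAMES:
        reasons.append("name matches an alias reported for SNOWBELT")
    sideloaded = urlparse(str(manifest.get("update_url", ""))).hostname not in STORE_HOSTS
    if sideloaded:
        reasons.append("no store update_url: sideloaded or loaded unpacked")
    background = manifest.get("background") or {}
    if manifest.get("manifest_version") == 3 and background.get("service_worker"):
        reasons.append("MV3 service worker: runs with no visible tab")
    perms = set(manifest.get("permissions") or []) | set(manifest.get("host_permissions") or [])
    if perms.intersection(BROAD_PATTERNS):
        reasons.append("broad host permissions")
    suspicious = name in SUSPECT_NAMES or (sideloaded and len(reasons) >= 2)
    return suspicious, reasons


def triage_manifest_json(text: str) -> tuple[bool, list[str]]:
    return triage(json.loads(text))


def scan_profile(extensions_dir: Path) -> dict[str, tuple[bool, list[str]]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json as Edge and Chrome lay them out."""
    results = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        try:
            results[str(manifest_path.parent)] = triage(
                json.loads(manifest_path.read_text(encoding="utf-8")))
        except (OSError, ValueError) as exc:
            results[str(manifest_path.parent)] = (False, [f"unreadable manifest: {exc}"])
    return results


# Default Edge profile location on Windows; other profiles live beside "Default".
DEFAULT_EDGE_EXTENSIONS = (Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft"
                           / "Edge" / "User Data" / "Default" / "Extensions")

# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = {
    "sideloaded_heartbeat": json.dumps({
        "manifest_version": 3, "name": "MS Heartbeat", "version": "1.0",
        "background": {"service_worker": "bg.js"},
        "host_permissions": ["<all_urls>"], "permissions": ["storage"]}),
    "store_content_filter": json.dumps({
        "manifest_version": 3, "name": "Content Filter", "version": "4.2",
        "update_url": "https://clients2.google.com/service/update2/crx",
        "background": {"service_worker": "worker.js"},
        "host_permissions": ["<all_urls>"]}),
    "unpacked_dev_tool": json.dumps({
        "manifest_version": 3, "name": "My Dev Tool", "version": "0.1",
        "host_permissions": ["https://intranet.example/*"]}),
}

if __name__ == "__main__":
    for label, text in SAMPLE_MANIFESTS.items():
        suspicious, reasons = triage_manifest_json(text)
        print(f"{label:22} suspicious={suspicious} {reasons}")
    if DEFAULT_EDGE_EXTENSIONS.is_dir():
        for path, (suspicious, reasons) in scan_profile(DEFAULT_EDGE_EXTENSIONS).items():
            print(f"{'!' if suspicious else ' '} {path}: {reasons}")
```

Because SNOWBELT is loaded with --load-extension from a directory the dropper creates, it need not appear under the profile's Extensions folder at all; run triage() against the directory named in that flag (recovered from the scheduled task or Startup shortcut command line) as well as against the profile.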
SNOWGLAZE — the Python network tunneler (covert communications)
SNOWGLAZE is a cross-platform Python-based tunneling utility downloaded by SNOWBELT after initial access. It creates an encrypted, authenticated communication channel to the attacker’s C2 infrastructure, including:
- A WebSocket Secure (WSS) tunnel to a Heroku-hosted C2 server
- JSON traffic with Base64 encoding to blend with normal encrypted HTTPS web traffic
- SOCKS proxy services, turning the compromised machine into a network pivot point
- Arbitrary TCP traffic routed through the victim’s machine to appear as legitimate internal traffic
The use of Heroku subdomains and AWS S3 buckets as C2 relay points is deliberate: traffic to these widely-used cloud platforms is rarely blocked or flagged in corporate network environments.
SNOWBASIN — the Python backdoor shell (persistent remote access)
SNOWBASIN is a Python-based bindshell running a local HTTP server on port 8000, accepting attacker commands relayed through the SNOWBELT/SNOWGLAZE pipeline. It enables execution of arbitrary PowerShell and cmd.exe commands, interactive remote shell access, screenshot capture and file staging for exfiltration, file download/upload, and a self-termination command to reduce forensic traces on demand.
The Complete UNC6692 Attack Chain
- Email bombing — A coordinated flood of subscription confirmations, forum registrations, and spam hits the target’s inbox within minutes. The goal isn’t infection via email — it’s psychological disruption, leaving the victim overwhelmed and urgently seeking help.
- Microsoft Teams impersonation — Almost simultaneously, the victim receives a Teams chat message from an external account impersonating IT helpdesk, referencing the email chaos and offering immediate assistance.
- Credential harvesting via fake repair tool — The “helpdesk agent” directs the victim to a fake “Mailbox Repair and Sync Utility” hosted on attacker-controlled AWS S3 buckets, using a “double-entry” credential capture mechanism and a convincing animated progress bar.
- AutoHotKey payload execution and SNOWBELT installation — While the victim watches the progress bar, the page silently downloads an AutoHotKey binary and script that launches a headless Microsoft Edge process with SNOWBELT loaded, invisible to the user.
- SNOWGLAZE and SNOWBASIN deployment — SNOWBELT downloads the remaining SNOW suite components, giving the attacker covert, persistent, encrypted access.
- Internal reconnaissance and lateral movement — A Python script scans the internal network for open ports 135, 445, and 3389; PsExec executes processes on remote hosts; RDP sessions reach backup servers and domain controllers.
- Credential dumping and Active Directory compromise — LSASS process memory is dumped to extract NTLM hashes for Pass-the-Hash attacks, and FTK Imager (a legitimate forensic tool) is used to extract the Active Directory database (ntds.dit) and the SAM/SYSTEM/SECURITY registry hives.
- Data exfiltration — Harvested credentials and AD database files are exfiltrated through LimeWire and attacker-controlled AWS S3 buckets.
MITRE ATT&CK Techniques Observed
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1566.003 | Phishing: Spearphishing via Service (Microsoft Teams) |
| Execution | T1204.001 | User Execution: Malicious Link |
| Execution | T1059.010 | Command and Scripting Interpreter: AutoHotKey & AutoIT |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1059.006 | Command and Scripting Interpreter: Python |
| Execution | T1176.001 | Browser Extensions |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Persistence | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification |
| Command & Control | T1572 | Protocol Tunneling (SNOWGLAZE WebSocket tunnel) |
| Command & Control | T1090 | Proxy: SOCKS Proxy (SNOWGLAZE pivot capability) |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| Credential Access | T1003.002 | OS Credential Dumping: Security Account Manager |
| Credential Access | T1003.003 | OS Credential Dumping: NTDS |
| Lateral Movement | T1550.002 | Use Alternate Authentication Material: Pass-the-Hash |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares (PsExec) |
Why Small and Mid-Sized Businesses Are Particularly at Risk
- Default Microsoft Teams external access — Most SMBs deploy Microsoft 365 with default settings that allow anyone outside the organization to message employees.
- Security awareness training gaps — Most SMB training focuses on email phishing, not Teams-based helpdesk impersonation.
- High-value data with limited defenses — Law firms, accounting practices, financial advisors, and healthcare organizations hold extraordinarily sensitive data with security postures far below enterprise organizations facing the same threat actors.
- No dedicated security monitoring — Without 24/7 SOC or MDR coverage, behavioral indicators like headless Edge processes and Python tunneling go undetected.
- Trust in outsourced IT — Employees at businesses with an outsourced MSP often don’t know their real provider’s contact procedures, making impersonation easier.
Indicators of Compromise to Monitor For
Behavioral IOCs:
- Sudden high-volume email delivery to a single inbox (email bombing)
- Teams chat messages from external accounts offering unsolicited IT assistance
- AutoHotKey (AHK) process execution on business workstations
- Microsoft Edge launched with the --headless and --load-extension flags via a scheduled task
- Unexpected browser extension installs, especially ones named “MS Heartbeat” or “System Heartbeat”
- Python interpreter execution on non-developer workstations
- Outbound WebSocket connections to *.herokuapp.com
- Outbound connections to AWS S3 buckets from workstations that don’t normally use AWS
- LSASS process memory access, PsExec execution, or port 8000 local HTTP server activity
- Network scanning for ports 135, 445, and 3389 from internal workstations
- FTK Imager execution on domain controllers, particularly from a Downloads folder
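The behavioral indicators above translate directly into hunting rules over endpoint telemetry. The script below is an added example, not code from the Mandiant report or from CelereTech: it runs the host-level rules (AutoHotKey execution, headless Edge loading an extension, Python on non-developer hosts, FTK Imager from a Downloads folder) and the network-level rules (herokuapp.com connections, a local port-8000 relay, internal scanning of 135/445/3389) over constructed records shaped like normalized Sysmon/EDR process-creation and network-connection events. The field names, the DEVELOPER_HOSTS inventory tag and the scan threshold are assumptions of this example, not a real schema.

```python
"""Hunt for UNC6692 behavioral indicators in endpoint telemetry (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


# Constructed sample telemetry: one workstation showing the full chain, one
# domain controller, and two hosts with benign look-alike activity.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-FIN-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey64.exe",
     "cmdline": r'"AutoHotkey64.exe" C:\Users\jdoe\AppData\Local\Temp\repair.ahk'},
    {"type": "process", "host": "WS-FIN-07", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" --headless --load-extension="C:\Users\jdoe\AppData\Roaming\hb"'},
    {"type": "process", "host": "WS-FIN-07", "parent": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey64.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Programs\Python\Python312\python.exe",
     "cmdline": r"python.exe C:\Users\jdoe\AppData\Roaming\hb\t.py"},
    {"type": "network", "host": "WS-FIN-07", "image": "python.exe",
     "dst": "quiet-sea-1234.herokuapp.com", "dport": 443},
    {"type": "network", "host": "WS-FIN-07", "image": "msedge.exe", "dst": "127.0.0.1", "dport": 8000},
    # Six SMB probes to distinct internal addresses from the same workstation.
    *[{"type": "network", "host": "WS-FIN-07", "image": "python.exe",
       "dst": f"10.10.20.{n}", "dport": 445} for n in range(10, 16)],
    {"type": "process", "host": "DC-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\admin\Downloads\FTK Imager\FTK Imager.exe", "cmdline": '"FTK Imager.exe"'},
    # Benign look-alikes: Python on a tagged developer host, an ordinary Edge launch.
    {"type": "process", "host": "WS-DEV-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Python312\python.exe", "cmdline": "python.exe manage.py runserver"},
    {"type": "process", "host": "WS-HR-03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": '"msedge.exe" https://teams.microsoft.com/'},
]

DEVELOPER_HOSTS = {"WS-DEV-02"}   # assumed asset-inventory tag: Python is expected here
SCAN_PORTS = {135, 445, 3389}
SCAN_THRESHOLD = 5                # distinct internal targets before we call it a scan
PRIVATE_NET = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, developer_hosts=DEVELOPER_HOSTS) -> list[Finding]:
    """Return one Finding per matched rule; scanning is aggregated per source host."""
    findings = []
    scan_targets = defaultdict(set)
    for ev in events:
        host, image = ev["host"], _base(ev["image"])
        if ev["type"] == "process":
            cmd = ev["cmdline"].lower()
            if image.startswith("autohotkey") or cmd.endswith(".ahk"):
                findings.append(Finding(host, "ahk_execution", ev["cmdline"]))
            if image in ("msedge.exe", "chrome.exe") and "--headless" in cmd and "--load-extension" in cmd:
                findings.append(Finding(host, "headless_browser_with_extension", ev["cmdline"]))
            if image.startswith("python") and host not in developer_hosts:
                findings.append(Finding(host, "python_on_non_dev_host", ev["image"]))
            if image.startswith("ftk imager") and "\\downloads\\" in ev["image"].lower():
                findings.append(Finding(host, "ftk_imager_from_downloads", ev["image"]))
        else:
            dst, dport = ev["dst"], ev["dport"]
            if dst.lower().endswith(".herokuapp.com"):
                findings.append(Finding(host, "herokuapp_connection", f"{image} -> {dst}:{dport}"))
            if dst in ("127.0.0.1", "localhost", "::1") and dport == 8000:
                findings.append(Finding(host, "local_port_8000_relay", f"{image} -> {dst}:{dport}"))
            if dport in SCAN_PORTS and PRIVATE_NET.match(dst):
                scan_targets[host].add(dst)
    for host, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.append(Finding(host, "internal_port_scan",
                                    f"{len(targets)} internal hosts on ports {sorted(SCAN_PORTS)}"))
    return findings


def hosts_by_rule(findings) -> dict[str, list[str]]:
    """Summarize findings as {rule: sorted hosts} for triage."""
    out = defaultdict(set)
    for f in findings:
        out[f.rule].add(f.host)
    return {rule: sorted(hosts) for rule, hosts in out.items()}


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:10} {f.rule:32} {f.evidence}")
```

The developer-host allowlist is what keeps the Python rule usable in practice; without an inventory tag, every interpreter launch on a non-developer workstation is worth a ticket, which is exactly the signal this campaign gives off. The same logic ports to a SIEM query once the field names are mapped to your own schema.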
How to Protect Your Organization
- Restrict Microsoft Teams external access (highest priority) — In the Teams Admin Center, go to Users > External Access and block all external domains by default, allowlisting only trusted partner domains. Ensure external messages are clearly flagged with warning banners.
- Deploy Endpoint Detection & Response (EDR) — Behavioral detection catches AutoHotKey execution, headless Edge processes loaded with extensions via command-line flags, and unexpected Python activity.
- Implement browser extension allowlisting — Configure Intune/Endpoint Manager to allow only approved extensions, and alert on any attempted install outside that list.
- Monitor and restrict AWS S3 and Heroku traffic — If your organization doesn’t use these platforms, block or alert on outbound connections to them.
- Conduct targeted security awareness training — Specifically cover the email-bombing-plus-Teams-impersonation sequence, and the rule that legitimate IT staff never ask employees to click external links or install tools via Teams.
- Harden privileged access and credential protections — Enable MFA everywhere, restrict LSASS access via Credential Guard and Attack Surface Reduction rules, and disable PsExec unless required.
- Implement 24/7 managed detection and response — These behavioral indicators are detectable, but only with continuous monitoring and expert human review.
Frequently Asked Questions
What is SNOW malware? A custom, modular cyberattack toolkit developed by UNC6692 and documented by Mandiant in April 2026, consisting of SNOWBELT (browser extension), SNOWGLAZE (network tunneler), and SNOWBASIN (remote access backdoor).
How does UNC6692 attack through Microsoft Teams? By combining email bombing to create urgency with an external Teams account impersonating IT helpdesk, directing the victim to a fake mailbox repair tool that silently installs the SNOW suite — exploiting Teams’ default external access settings.
Can Microsoft Teams deliver malware? Yes. Teams supports external communication by default, letting threat actors outside your organization message your employees and deliver phishing links that bypass traditional email security filters.
Is the UNC6692 SNOW malware attack still active? As of May 2026, yes — Mandiant published initial findings on April 23, 2026 after observing the campaign since December 2025, and multiple independent security firms have confirmed ongoing activity.
The Door Is Open. You Can Close It.
The SNOW malware suite is technically sophisticated and specifically designed to exploit the trust employees place in Microsoft Teams and IT support personnel. But it’s also defendable — Teams external access restriction, behavioral EDR, extension allowlisting, targeted training, and 24/7 monitoring aren’t exotic or expensive. They’re the foundation of a modern, managed security posture.
CelereTech provides all-inclusive managed IT and cybersecurity services for small and mid-sized businesses. Contact us for a Microsoft 365 and Teams Security Assessment.
This article references public threat research published by Google Cloud / Mandiant, SecurityWeek, Dark Reading, The Hacker News, HivePro, SC Media, SOC Prime, eSentire, Microsoft Security, and Field Effect. Consult your security team before making changes based on the technical guidance above.