216.73.216.215

Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite

· Published 23/04/2026 19:25 · Modified 27/04/2026 14:43

Export JSON

Essential information

Published
23/04/2026 19:25
Modified
27/04/2026 14:43
Tags
2026-04-23 brickstorm browser extension cloud infrastructure abuse microsoft teams phishing snowbasin snowbelt snowglaze social engineering
Related entities
7 observables, 1 intrusion sets (apt), 20 techniques (mitre), 4 malware, 3 others

Description

Google Threat Intelligence Group identified a sophisticated intrusion campaign by UNC6692 that combined persistent with custom malware. The attackers impersonated IT helpdesk personnel via Microsoft Teams, leveraging initial email spam campaigns to create urgency. Victims were tricked into downloading AutoHotKey scripts that installed , a malicious establishing persistence through scheduled tasks. The modular SNOW ecosystem enabled deep network penetration: provided initial access, created encrypted WebSocket tunnels masking traffic as legitimate cloud communications, and functioned as a local backdoor for command execution. UNC6692 performed internal reconnaissance, escalated privileges by extracting LSASS memory, and used Pass-The-Hash techniques to access domain controllers. The operation culminated in exfiltration of Active Directory databases and credentials via LimeWire, demonstrating advanced tradecraft abusing legitimate clou...

External references