UNC6692 Uses Email Bombing, Social Engineering to Deploy ‘Snow’ Malware
UNC6692 deploys Snow malware family via email bombing and Teams impersonation.
Summary
Google Threat Intelligence Group disclosed a campaign by threat actor UNC6692 that uses email bombing combined with Microsoft Teams impersonation of IT support to trick victims into executing malicious code. The attack deploys a modular malware framework called Snow (comprising Snowbelt, Snowglaze, and Snowbasin components) that establishes persistent browser-based access, enables lateral movement via RDP and Pass-The-Hash attacks, and exfiltrates credentials and Active Directory data. The campaign demonstrates modern attack chains blending social engineering with technical evasion, leveraging trusted cloud platforms to bypass network defenses.
Full text
A recently discovered threat actor has been observed bombarding victims with emails and impersonating IT support to convince them to execute malicious code, Google Threat Intelligence Group (GTIG) reports.

In December 2025, the threat actor, tracked as UNC6692, was seen overwhelming the target with email messages and then contacting the victim via Microsoft Teams, posing as an IT helpdesk employee. Pretending to provide assistance with the large volume of incoming emails, the attackers tricked the victim into clicking on a URL leading to a phishing page offering a fake mailbox repair utility.

The page checked for an email parameter in the link, checked that the victim’s browser was Microsoft Edge, and presented a panel posing as the repair utility. When the user clicked a ‘health check’ button on the page, they were shown a fake authentication box meant to harvest and validate the victim’s credentials. A fake progress bar was also displayed to avoid suspicion.

In the background, a script on the page downloaded an AutoHotKey binary and an AutoHotKey script to the system. Upon execution, the payloads infected the system with a JavaScript-based backdoor dubbed Snowbelt, which was deployed as a Chromium browser extension.

To establish persistence for the extension, the code added a shortcut to an AutoHotKey script to the Windows startup and created two scheduled tasks: one to open a windowless Edge process and load Snowbelt, and one to kill headless Edge processes.

Next, the attackers used the malicious extension to download additional payloads, including AutoHotkey scripts, a ZIP archive, the Snowglaze tunnel, and the Snowbasin malware, from an attacker-controlled AWS S3 bucket.

Reconnaissance, lateral movement, and credential harvesting

UNC6692 used Snowglaze to establish a Sysinternals PsExec session to the system and enumerate administrator accounts.
Using one of these accounts, it then initiated a Remote Desktop Protocol (RDP) session to a backup server, via the Snowglaze tunnel. “Though not directly observed, the threat actor may have acquired the local administrator accounts credentials via multiple attack paths such as authenticated Server Message Block (SMB) share enumeration,” GTIG notes.

The threat actor then dumped the LSASS process memory from the backup server and exfiltrated it via LimeWire to extract usernames, passwords, and user account hashes from it.

Next, UNC6692 used Pass-The-Hash to access the network’s domain controller, downloaded FTK Imager to it, used the tool to mount the local storage drive and write the Active Directory database file, Security Account Manager (SAM), System, and Security registry hives to the \Downloads folder, and used LimeWire to exfiltrate the data.

The Snow malware

The three main components of the modular ‘Snow’ malware framework used in the attack, Snowbelt, Snowglaze, and Snowbasin, “form a coordinated pipeline that facilitates an attacker’s journey from initial browser-based access to the internal network of the organization,” GTIG says.

Snowbelt intercepts commands and delivers them to Snowbasin for execution, and provides authenticated access to the environment, enabling lateral movement and privilege escalation.

A Python-based tunneler, Snowglaze creates a secure, authenticated WebSocket tunnel to the attackers’ command-and-control (C&C) server, facilitates SOCKS proxy operations, and hides malicious traffic.

Snowbasin is a persistent backdoor functioning as a local HTTP server that supports command execution, screenshot capture, and data harvesting.

“The UNC6692 campaign demonstrates how modern attackers blend social engineering and technical evasion to gain a foothold into environments.
[…] By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic,” GTIG notes.

Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
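The persistence and tooling described in the article (a scheduled task launching a windowless Edge that loads a sideloaded extension, an AutoHotkey interpreter dropped into a user-writable location, a second task killing headless Edge processes, and PsExec sessions) leave process-creation traces that a defender can hunt for. The following Python is an added example written for this page, not code from GTIG or SecurityWeek. The `ProcEvent` record, the rule names, and all sample events are constructed; the field layout loosely mirrors Sysmon Event ID 1 but is an assumption, and the rules are heuristics meant as hunting starting points rather than a verified detection for this actor.

```python
"""Hunting heuristics for the process-level traces described in the UNC6692 write-up.

Added example; log schema, rule names and every sample event are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed schema, modeled on Sysmon EID 1)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def headless_edge_with_sideloaded_extension(ev: ProcEvent) -> bool:
    """Windowless Edge started with an on-disk extension, as the article's persistence task does."""
    cl = ev.command_line.lower()
    return _basename(ev.image) == "msedge.exe" and "--headless" in cl and "--load-extension=" in cl


def autohotkey_in_user_writable_path(ev: ProcEvent) -> bool:
    """AutoHotkey interpreter running from a user profile path rather than an install directory."""
    img = ev.image.lower()
    return "autohotkey" in _basename(img) and img.startswith("c:\\users\\")


def taskkill_targets_msedge(ev: ProcEvent) -> bool:
    """taskkill aimed at Edge, matching the task that kills headless Edge processes."""
    return _basename(ev.image) == "taskkill.exe" and "msedge" in ev.command_line.lower()


def psexec_service_started(ev: ProcEvent) -> bool:
    """PSEXESVC is the service image PsExec installs on the remote host."""
    return _basename(ev.image) == "psexesvc.exe"


RULES: dict[str, Callable[[ProcEvent], bool]] = {
    "headless_edge_sideloaded_extension": headless_edge_with_sideloaded_extension,
    "autohotkey_in_user_writable_path": autohotkey_in_user_writable_path,
    "taskkill_targets_msedge": taskkill_targets_msedge,
    "psexec_service_started": psexec_service_started,
}


def scan(events: Iterable[ProcEvent]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that matches an event."""
    hits: list[tuple[int, str]] = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((idx, name))
    return hits


# Constructed sample telemetry: index 0 and 5 are benign, 1-4 mirror the article's chain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"msedge.exe" https://intranet.example.invalid/'),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"msedge.exe" --headless=new --load-extension=C:\Users\jdoe\AppData\Local\Temp\ext'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey.exe",
              r'"AutoHotkey.exe" C:\Users\jdoe\AppData\Local\Temp\run.ahk'),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\taskkill.exe",
              r"taskkill.exe /F /IM msedge.exe"),
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\PSEXESVC.exe",
              r"C:\Windows\PSEXESVC.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1"),
]


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx].command_line}")
```

Each rule is deliberately narrow; in production the same predicates would be joined with context such as the creating scheduled task's name, the parent being the Task Scheduler service host, and whether the extension path sits under a profile directory, so that routine Edge automation and legitimate AutoHotkey use do not page an analyst.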
Indicators of Compromise
- malware — Snowbelt
- malware — Snowglaze
- malware — Snowbasin
- malware — Snow