UNC6692 Uses Email Bombing and Fake Teams IT Scam to Deploy SNOW Malware
UNC6692’s late‑2025 campaign uses email bombing and fake Teams IT messages to deliver the SNOW malware suite, stealing credentials and moving to domain controllers.
TL;DR: UNC6692 launched a late‑December 2025 email‑bombing campaign that used fake Microsoft Teams IT messages to deliver the SNOW malware suite, stealing credentials and moving laterally to domain controllers.
Context
The operation began when victims received thousands of junk emails, flooding their inboxes. While they sorted the deluge, a Teams message appeared from a sender posing as IT helpdesk, offering a link to a patch that would stop the spam.
Key Facts
Clicking the link led to a counterfeit Mailbox Repair Utility that rejected the first two login attempts, then prompted users to download an AutoHotkey binary and script. This payload installed SNOWBELT, a malicious browser extension that receives commands from the attackers.
SNOWGLAZE, a Python‑based tunneler, maintained a covert channel to command‑and‑control servers. SNOWBASIN, the final backdoor, executed PowerShell or cmd.exe commands, captured screenshots, and prepared data for exfiltration.
Attackers scanned internal networks for ports 135, 445, and 3389, located backup servers, and dumped the LSASS process to harvest password hashes. Using Pass‑the‑Hash, they moved to domain controllers, mounted drives with FTK Imager, extracted the NTDS.dit file and registry hives, and exfiltrated the archive via LimeWire.
The campaign, first observed in late December 2025, demonstrates a modular, cross‑platform toolset that blends with normal traffic by abusing legitimate cloud services.
What It Means
The technique forces defenders to correlate events across browser extensions, local Python execution, and cloud egress points to spot the intrusion early. Traditional email filters miss the bombing volume, and Teams messages from trusted contacts bypass many security controls. The use of living‑off‑the‑land binaries (PowerShell, cmd.exe, AutoHotkey) and legitimate‑looking utilities reduces the footprint of malicious files, making signature‑based detection less effective.
Mitigations
- Deploy email gateway rules that flag sudden spikes in inbound messages from external sources and quarantine them for review.
- Enable Teams audit logging and alert on messages containing URLs from unverified domains or from users outside the approved contact list.
- Block execution of AutoHotkey scripts and unsigned browser extensions via application control policies.
- Monitor for anomalous PowerShell or cmd.exe processes that invoke SNOWGLAZE‑like tunneling behavior (MITRE T1059.001) and for LSASS access attempts (T1003.001).
- Restrict outbound connections to known cloud storage services and inspect traffic for unusual upload patterns indicative of LimeWire or similar P2P clients.
- Enforce MFA on all privileged accounts and consider adopting credential‑guard protections to limit Pass‑the‑Hash effectiveness.
- Apply the latest patches for CVE‑2024‑XXXXX (if any) affecting the Mailbox Repair Utility spoof, and keep extension allow‑lists up to date.
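The first two mitigations are strongest when combined, because the campaign's signature is the sequence: a flood of external mail into one mailbox, then a Teams message from outside the tenant offering a "fix" link. The following Python is an added example (not code from the article or from any vendor report) that correlates the two over constructed log records; the tenant domain, timestamps, thresholds and log layout are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TENANT = "corp.example"  # assumed internal tenant domain (constructed)

# Constructed mail-gateway records: (timestamp, recipient, sender). Alice gets
# 60 external junk messages in ten minutes; Bob gets two, which is normal.
T0 = datetime(2025, 12, 29, 9, 0, 0)
MAIL_LOG = [(T0 + timedelta(seconds=10 * i), "alice@corp.example", f"noreply{i}@junk{i % 7}.test")
            for i in range(60)]
MAIL_LOG += [(T0 + timedelta(minutes=2), "bob@corp.example", "partner@vendor.test"),
             (T0 + timedelta(minutes=8), "bob@corp.example", "news@list.test")]

# Constructed Teams records: (timestamp, sender, recipient, text). Only the
# first one is an outside-tenant sender pushing a URL at a flooded mailbox.
TEAMS_LOG = [
    (T0 + timedelta(minutes=14), "helpdesk@it-support-example.test", "alice@corp.example",
     "IT here - run the patch at https://mailbox-repair.example.test/fix to stop the spam"),
    (T0 + timedelta(minutes=14), "carol@corp.example", "bob@corp.example", "lunch at noon?"),
]
URL_RE = re.compile(r"https?://\S+")

def mail_bursts(mail_log, tenant, window=timedelta(minutes=10), threshold=50):
    """Return {recipient: burst_start} for mailboxes that received at least
    `threshold` external messages inside any sliding `window`."""
    per_rcpt = defaultdict(list)
    for ts, rcpt, sender in mail_log:
        if not sender.lower().endswith("@" + tenant):   # external senders only
            per_rcpt[rcpt].append(ts)
    bursts = {}
    for rcpt, times in per_rcpt.items():
        times.sort()
        lo = 0
        for hi, ts in enumerate(times):
            while ts - times[lo] > window:              # slide the window forward
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts[rcpt] = times[lo]
                break
    return bursts

def lure_candidates(bursts, teams_log, tenant, lookahead=timedelta(minutes=30)):
    """Flag Teams messages from outside the tenant that carry a URL and reach a
    flooded mailbox within `lookahead` of the burst start."""
    hits = []
    for ts, sender, rcpt, text in teams_log:
        start = bursts.get(rcpt)
        if start is None or sender.lower().endswith("@" + tenant):
            continue
        m = URL_RE.search(text)
        if m and start <= ts <= start + lookahead:
            hits.append((rcpt, sender, m.group(0)))
    return hits
```

Run `lure_candidates(mail_bursts(MAIL_LOG, TENANT), TEAMS_LOG, TENANT)` to get one alert for Alice; in production, feed it the gateway and Teams audit logs the second mitigation asks you to enable.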
To stay ahead, watch for further refinements in modular malware that reuse legitimate collaboration platforms for initial access and for increased automation of credential‑harvesting pipelines.