
UNC6692 Uses Fake IT Helpdesk Teams Messages to Deploy SNOW Malware

How UNC6692 abused Microsoft Teams to install SNOWBELT and steal domain data without exploiting any software flaw.

Peter Olaleru, Cybersecurity Editor

Source: The Hacker News

UNC6692 launched a multi‑stage intrusion in late December 2025 that used fake IT helpdesk messages in Microsoft Teams to deliver the SNOWBELT browser extension, ultimately stealing Active Directory data. The campaign, disclosed by Google GTIG and Mandiant on April 22 2026, relies entirely on social engineering and abused cloud services.

Context

Starting in late December 2025, UNC6692 flooded target inboxes with spam to create urgency, then sent a Teams chat posing as IT support offering to fix the email overload. Victims who accepted the external chat were directed to a phishing page masquerading as a “Mailbox Repair and Sync Utility.” The page forced use of Microsoft Edge, harvested credentials via a fake health‑check prompt, displayed a distraction progress bar, and dropped an AutoHotkey binary that installed the SNOWBELT extension. No software vulnerability was exploited; the attack abused legitimate Teams external collaboration features.

Key Facts

- SNOWBELT is a JavaScript browser extension that provides the initial foothold, relays C2 commands, and uses domain‑generation‑algorithm (DGA) based Amazon S3 URLs for command and control.
- The SNOW ecosystem includes SNOWGLAZE (a Python WebSocket tunneler that routes traffic through a SOCKS proxy to Heroku) and SNOWBASIN (a local HTTP server on port 8000 that executes commands, captures screenshots, and exfiltrates files).
- Persistence was achieved via a Windows Startup folder shortcut, two scheduled tasks, and a headless Edge process silently loading the extension.
- After gaining a foothold, the attackers used SNOWBASIN to scan for ports 135, 445 and 3389, leveraged PsExec through the SNOWGLAZE tunnel to enumerate administrators, initiated RDP to a backup server, dumped LSASS memory via Task Manager, and exfiltrated the hash dump with LimeWire.
- Offline credential extraction enabled Pass‑the‑Hash attacks on domain controllers, where FTK Imager was used to pull NTDS.dit and the SAM, SYSTEM and SECURITY hives, also exfiltrated via LimeWire.
- EDR telemetry captured screenshots of FTK Imager and Edge windows, confirming data theft.
- All payloads and exfiltration channels relied on trusted cloud services: AWS S3 for payload staging and C2, Heroku for SNOWGLAZE, and LimeWire for data removal.

What It Means

Organizations must treat unexpected external Teams messages as high‑risk, even when they appear benign. Detect and block:

- External chat invitations from unverified domains (MITRE ATT&CK T1566.002).
- Downloads of AutoHotkey or unsigned binaries from S3 (T1105).
- Persistence mechanisms: Startup folder shortcuts, scheduled tasks, and hidden Edge processes (T1547.001, T1053.005).
- C2 traffic to DGA‑styled S3 URLs and WebSocket connections to Heroku (T1071.001, T1090).
- Unusual LSASS access or memory dumping via Task Manager (T1003.001).
- Large file uploads to consumer‑grade sharing tools like LimeWire (T1041).

Mitigations include enforcing Teams external‑access policies, enabling Safe Links and Safe Attachments, blocking unsigned executables, monitoring S3 bucket access patterns for DGA domains, and deploying credential‑dumping detectors. Security teams should also review RDP and PsExec logs for lateral movement.
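As an added illustration of the detection items above (not code from the report or from Google/Mandiant), the following Python maps three of the listed behaviours onto simple rules and runs them over constructed process- and file-creation events. The event schema, the assumption that the hidden Edge instance is started with Chromium's `--headless` and `--load-extension` switches, and the `lsass.DMP` path Task Manager writes to are all assumptions for the example, not details given in the article.

```python
import re

# Constructed events in a simplified Sysmon/EDR-like dict shape (assumed schema).
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'msedge.exe --headless --load-extension="C:\Users\alice\AppData\Roaming\snow" about:blank'},
    {"type": "process",
     "image": r"C:\Users\alice\Downloads\AutoHotkeyU64.exe",
     "cmdline": r"AutoHotkeyU64.exe C:\Users\alice\Downloads\repair.ahk"},
    {"type": "file",
     "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    {"type": "process",  # benign Edge launch: should not match anything
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r"msedge.exe https://intranet.example"},
]

# (ATT&CK id from the article, event type, predicate). The Edge switches and the
# lsass.DMP temp path are assumptions made for this example.
RULES = [
    ("T1547.001", "process", lambda e: e["image"].lower().endswith("msedge.exe")
        and "--headless" in e["cmdline"].lower()
        and "--load-extension" in e["cmdline"].lower()),
    ("T1105", "process", lambda e: re.search(r"\\downloads\\autohotkey", e["image"], re.I) is not None),
    ("T1003.001", "file", lambda e: e["image"].lower().endswith("taskmgr.exe")
        and re.search(r"lsass.*\.dmp$", e["target"], re.I) is not None),
]


def classify(event):
    """Return the technique ids whose rule matches this single event."""
    return [tid for tid, etype, pred in RULES if event["type"] == etype and pred(event)]


def scan(events):
    """Return (event index, technique id) pairs for every rule hit, in event order."""
    return [(i, tid) for i, e in enumerate(events) for tid in classify(e)]


if __name__ == "__main__":
    for i, tid in scan(SAMPLE_EVENTS):
        print(f"event {i}: {tid} <- {SAMPLE_EVENTS[i]['image']}")
```

In production the rules would be fed from the EDR's process and file telemetry rather than an inline list, and the three hits here would be correlated on the same host within a short window to raise one alert for the chain.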

What to watch next: Increased use of trusted collaboration platforms for social engineering, and attackers shifting to newer cloud services for C2 as defenders improve S3 and WebSocket monitoring.
