UNC6692 Uses Fake IT Helpdesk Teams Messages to Deploy SNOW Malware and Steal Active Directory Data
UNC6692 uses fake IT helpdesk Teams messages to deploy SNOW malware, stealing Active Directory database files and credentials. Learn about the multi-stage attack and key mitigations.

TL;DR
A new threat group, UNC6692, leverages deceptive Microsoft Teams messages, impersonating IT helpdesk staff, to deploy a custom malware suite dubbed SNOW. This multi-stage campaign ultimately aims to extract critical Active Directory database files and user credentials from compromised networks.
Context
Google Threat Intelligence Group (GTIG) and Mandiant disclosed the UNC6692 campaign on April 22, 2026, describing an intrusion chain that exploits employee trust in collaboration tools rather than any software vulnerability: every stage depends on persuading the user to install the attackers' components, which is why signature-based and patch-based defenses alone do not stop it.
Key Facts
The campaign began in late December 2025 with an email-bombing attack that flooded targets' inboxes to create disruption and urgency. UNC6692 then sent targeted Microsoft Teams messages posing as IT helpdesk staff offering to fix the email problem. Victims seeking help accepted the external chat invitation and followed a link to a fraudulent “local patch” hosted in an attacker-controlled AWS S3 bucket.
The link started a multi-phase infection. The page first steered the visitor into opening it in Microsoft Edge, then ran a fake “Health Check” that harvested credentials by demanding the user's password several times. While a bogus progress bar kept the user waiting, the page staged the malware: an AutoHotkey binary and script were downloaded and executed, installing SNOWBELT. SNOWBELT is a malicious Chromium browser extension that provides the initial persistent foothold and command-and-control (C2) channel; its C2 endpoints are S3 URLs produced by a domain generation algorithm (DGA), so blocking a single bucket name does not cut the channel.
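Because the foothold here is a browser extension rather than a service or scheduled task, the quickest inventory is the extension directories of each Chromium profile. The following is an added example, not code from the GTIG/Mandiant report: it walks the standard Chromium layout (`<profile>/Extensions/<id>/<version>/manifest.json`), skips IDs on a force-install allowlist, and flags everything else together with any broad permissions it requests. The allowlisted ID, the second extension's ID and name, and the sample profile built in a temporary directory are all constructed for the demonstration; no SNOWBELT identifiers are published in the text above.

```python
"""Inventory Chromium extension manifests and flag ones outside an allowlist.

Added example for this article, not from the report it summarises. Walks
<profile>/Extensions/<id>/<version>/manifest.json, the layout Chromium-based
browsers (Chrome, Edge) use for installed extensions. Every ID, name and path
below is constructed for the demo.
"""
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read or rewrite all traffic, script any
# tab, or reach out of the browser to a native host.
BROAD_PERMISSIONS = {"<all_urls>", "*://*/*", "webRequest", "webRequestBlocking",
                     "nativeMessaging", "debugger", "tabs", "scripting", "cookies"}

# Constructed allowlist: the IDs your browser policy force-installs.
ALLOWED_ID = "abcdefghijklmnopabcdefghijklmnop"   # placeholder corporate extension
ALLOWLIST = {ALLOWED_ID}


def audit_profile(profile_dir, allowlist=ALLOWLIST):
    """Return one finding per non-allowlisted extension version found under profile_dir."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        ext_id = ext_dir.name
        if ext_id in allowlist:
            continue
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            reasons = ["not on the force-install allowlist"]
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                findings.append({"id": ext_id, "version": version_dir.name,
                                 "name": None, "reasons": reasons + ["unreadable manifest"]})
                continue
            # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
            perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            broad = sorted(perms & BROAD_PERMISSIONS)
            if broad:
                reasons.append("broad permissions: " + ", ".join(broad))
            if manifest.get("background"):
                reasons.append("background service worker/page (code that runs without a tab)")
            findings.append({"id": ext_id, "version": version_dir.name,
                             "name": manifest.get("name"), "reasons": reasons})
    return findings


def build_sample_profile():
    """Constructed sample profile: one allowlisted extension, one sideloaded with broad rights."""
    root = tempfile.mkdtemp(prefix="chromium-profile-")
    good = Path(root) / "Extensions" / ALLOWED_ID / "1.0.0_0"
    bad = Path(root) / "Extensions" / "ponmlkjihgfedcbaponmlkjihgfedcba" / "0.1_0"
    good.mkdir(parents=True)
    bad.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Corp SSO Helper", "version": "1.0.0",
        "permissions": ["storage"]}), encoding="utf-8")
    (bad / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Local Patch Helper", "version": "0.1",
        "permissions": ["tabs", "scripting", "webRequest", "nativeMessaging"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"}}), encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in audit_profile(build_sample_profile()):
        print(f["id"], f["version"], f["name"])
        for r in f["reasons"]:
            print("   -", r)
```

On Windows the default profile roots are `%LOCALAPPDATA%\Google\Chrome\User Data\Default` and `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default`; point `audit_profile` at each profile you find. One caveat: an extension loaded unpacked (Developer mode or `--load-extension`) lives wherever the installer dropped it, not under `Extensions`, so a directory walk alone can miss it; the profile's `Preferences` and `Secure Preferences` files record the path of every loaded extension and are the authoritative list.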
The SNOW ecosystem also includes SNOWGLAZE, a Python-based WebSocket tunneler that routes TCP traffic, and SNOWBASIN, a Python local HTTP server that executes shell commands, captures screenshots, and exfiltrates files. After initial access, UNC6692 used PsExec sessions routed through SNOWGLAZE to scan the network and dump Local Security Authority Subsystem Service (LSASS) process memory on backup servers, recovering password hashes. The attackers then used Pass-the-Hash to authenticate directly to domain controllers. On a domain controller they used FTK Imager to copy the Active Directory database (NTDS.dit) and the SAM, SYSTEM and SECURITY registry hives; the SYSTEM hive holds the boot key needed to decrypt the hashes stored in NTDS.dit, so the pair gives the attacker every domain account's password hash for offline use. Both the LSASS dumps and the Active Directory data were exfiltrated using LimeWire.
What Defenders Should Do
Organizations should prioritize user awareness training that specifically covers phishing through collaboration platforms such as Teams, including unsolicited external chat invitations from “IT support”. Enforce multi-factor authentication (MFA) on all accounts so that passwords harvested by a fake “Health Check” cannot be used on their own. Monitor endpoints for unusual process execution, in particular AutoHotkey, PsExec, or unauthorized file-transfer tools such as LimeWire, and for access to LSASS memory. Regular auditing of browser extensions for unauthorized installations and review of network traffic for suspicious C2 patterns are essential. Restrict administrative privileges, segment the network to contain lateral movement, and alert on unauthorized access to sensitive systems such as domain controllers and to the NTDS.dit file in particular.
Organizations should remain vigilant against social engineering tactics exploiting trust in everyday tools.