UNC6692 Leverages Microsoft Teams for Custom Malware Deployment via Social Engineering
A newly identified threat actor, **UNC6692**, is exploiting social engineering tactics through **Microsoft Teams** to deploy custom malware on compromised systems. The group impersonates IT help desk personnel to trick victims into installing malicious payloads.

**UNC6692** has been observed initiating attacks by overwhelming targets with spam emails, creating a sense of urgency. Subsequently, they approach the target on **Microsoft Teams**, posing as IT support to offer assistance with the email bombardment, according to a report by **Mandiant** (owned by **Google**).
This tactic of combining email bombing with **Microsoft Teams**-based help desk impersonation has been previously associated with former **Black Basta** affiliates. Despite the ransomware group's shutdown last year, this approach remains prevalent.
**ReliaQuest** reported that this method is actively used to target executives and senior-level employees, aiming for initial access to corporate networks for data theft, lateral movement, ransomware deployment, and extortion. Some attacks initiate chats within seconds of each other.
The attackers aim to convince victims to install legitimate remote monitoring and management (RMM) tools, such as Quick Assist or Supremo Remote Desktop, to gain hands-on access and deploy further malicious payloads.
ReliaQuest researchers John Dilgen and Alexa Feminella noted that from March 1 to April 1, 2026, 77% of incidents targeted senior-level employees, a rise from 59% in the previous two months. This highlights the enduring effectiveness of the tactic.
### UNC6692's Unique Attack Chain
The attack chain detailed by **Mandiant** differs slightly. Victims are directed to click a phishing link shared via **Teams** to install a "local patch" to resolve the spam issue. This leads to the download of an AutoHotkey script from an attacker-controlled AWS S3 bucket. The phishing page is disguised as "Mailbox Repair and Sync Utility v2.1.5."
The script performs initial reconnaissance and installs **SNOWBELT**, a malicious Chromium-based browser extension, on the Edge browser in headless mode using the `--load-extension` command line switch.
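As an added defensive example (not code from the Mandiant report or this article), the check below walks process-creation records shaped like Sysmon Event ID 1 fields (`Image`, `CommandLine`, `ParentImage`) and flags a Chromium browser launched with `--load-extension`, raising severity when it is also headless, loads from a user-writable path, or is spawned by a scripting host such as AutoHotkey, which is the pattern the SNOWBELT loader step described above would leave behind. The sample records and the parent-process list are constructed for illustration.

```python
import re

# Constructed sample records shaped like Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"msedge.exe" --headless=new --load-extension="C:\Users\u\AppData\Local\Temp\ext"',
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\AutoHotkey64.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"msedge.exe" --profile-directory=Default https://intranet.example',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --load-extension=C:\dev\my_ext',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

CHROMIUM_BROWSERS = {"msedge.exe", "chrome.exe", "brave.exe"}
# Assumed list of script/automation hosts that rarely launch a browser with a sideloaded extension.
SCRIPTED_PARENTS = {"autohotkey.exe", "autohotkey64.exe", "autohotkeyu64.exe",
                    "wscript.exe", "cscript.exe", "powershell.exe"}
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.I)
HEADLESS_RE = re.compile(r'(?:^|\s)--headless(?:=\S*)?(?=\s|$)', re.I)
USER_WRITABLE_RE = re.compile(r'\\(?:AppData\\Local\\Temp|Downloads|ProgramData|Users\\Public)\\', re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(ev):
    """Return a finding for a sideloaded-extension browser launch, or None if benign-looking."""
    if basename(ev["Image"]) not in CHROMIUM_BROWSERS:
        return None
    m = LOAD_EXT_RE.search(ev["CommandLine"])
    if not m:
        return None
    ext_path = m.group(1) or m.group(2)
    reasons = ["load-extension"]
    if HEADLESS_RE.search(ev["CommandLine"]):
        reasons.append("headless")                      # no visible window for the user
    if USER_WRITABLE_RE.search(ext_path):
        reasons.append("extension in user-writable path")
    if basename(ev["ParentImage"]) in SCRIPTED_PARENTS:
        reasons.append("scripted parent " + basename(ev["ParentImage"]))
    severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
    return {"image": basename(ev["Image"]), "extension": ext_path,
            "severity": severity, "reasons": reasons}

def analyze(events):
    """Evaluate every record and keep only the findings."""
    return [f for f in (evaluate(e) for e in events) if f]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["image"], f["extension"], "|", ", ".join(f["reasons"]))
```

A developer loading an unpacked extension from a visible browser shows up as a low-severity finding, so the rule can be tuned on that tier rather than suppressed outright.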
Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley, and Muhammad Umair explained that the attacker uses a gatekeeper script to ensure payload delivery only to intended targets, evading automated security sandboxes.

If the user isn't using **Microsoft Edge**, a persistent warning overlay is displayed. **SNOWBELT** then downloads additional files, including **SNOWGLAZE**, **SNOWBASIN**, AutoHotkey scripts, and a ZIP archive containing a portable Python executable and libraries.
The phishing page also hosts a Configuration Management Panel with a "Health Check" button. Clicking this prompts users to enter mailbox credentials, ostensibly for authentication, but actually to harvest and exfiltrate data to another Amazon S3 bucket.
### The SNOW Malware Ecosystem
The **SNOW** malware suite is a modular toolkit. **SNOWBELT**, a JavaScript-based backdoor, receives commands and relays them to **SNOWBASIN** for execution. **SNOWGLAZE**, a Python-based tunneler, creates a secure, authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) server.
**SNOWBASIN** functions as a persistent backdoor, enabling remote command execution via "cmd.exe" or "powershell.exe," screenshot capture, file upload/download, and self-termination. It operates as a local HTTP server on ports 8000, 8001, or 8002.
### Post-Exploitation Activities
After gaining initial access, **UNC6692** performs actions such as:
* Scanning the local network for ports 135, 445, and 3389 for lateral movement.
* Establishing a PsExec session via the **SNOWGLAZE** tunneling utility.
* Initiating an RDP session via **SNOWGLAZE** from the victim system to a backup server.
* Using a local administrator account to extract the system's LSASS process memory with Windows Task Manager for privilege escalation.
* Employing the Pass-The-Hash technique to move laterally to domain controllers using elevated user password hashes.
* Downloading and running **FTK Imager** to capture sensitive data (e.g., Active Directory database file) and exfiltrating it using LimeWire.
**Mandiant** emphasized the campaign's interesting evolution in tactics, including social engineering, custom malware, and malicious browser extensions, exploiting user trust in enterprise software providers. They also highlighted the abuse of legitimate cloud services for payload delivery, exfiltration, and C2 infrastructure, allowing attackers to bypass traditional network reputation filters.
### Similar Campaigns
The disclosure follows **Cato Networks**' report on a voice phishing campaign using similar help desk impersonation on **Microsoft Teams** to deploy a WebSocket-based trojan called **PhantomBackdoor** via an obfuscated PowerShell script.

**Cato Networks** stated that this incident demonstrates how help desk impersonation via **Microsoft Teams** can replace traditional phishing, leading to staged PowerShell execution and a WebSocket backdoor. They recommend treating collaboration tools as first-class attack surfaces, enforcing help desk verification workflows, tightening external **Teams** and screen-sharing controls, and hardening PowerShell.
**Microsoft** has also warned about threat actors initiating cross-tenant communications via **Microsoft Teams** to establish interactive control using Quick Assist and other remote support tools for malicious code execution. Once inside, attackers perform reconnaissance and deploy payloads for outbound encrypted connections to C2 infrastructure.