June 13, 2026

PBX Science


Inside the SNOW Operation: How UNC6692 Turned Microsoft Teams into a Breach Vector

UNC6692: Teams Phishing & SNOW Malware — Threat Intelligence Report
Threat Intelligence  ·  Mandiant / Google Cloud Blog  ·  Published April 22, 2026

Google’s Mandiant has disclosed a previously undocumented threat cluster that weaponises everyday enterprise collaboration tools, a bespoke three-component malware suite, and trusted cloud infrastructure to achieve full domain compromise — without exploiting a single software vulnerability.

A newly documented threat cluster, designated UNC6692 by Google-owned Mandiant, has been observed conducting sophisticated, multi-stage intrusions against enterprise targets. The campaign — active at least since late December 2025 — relies entirely on social engineering, custom modular malware, and the systematic abuse of legitimate cloud services, foregoing traditional software exploits entirely. The operation’s defining characteristic is the misuse of Microsoft Teams as its primary phishing channel, a tactic that has grown steadily since former Black Basta ransomware affiliates popularised it.

Phase One: Manufactured Crisis

The attack opens with a calculated psychological manipulation. UNC6692 launches a mass email bombing campaign against its target, flooding the victim’s inbox with spam to create an artificial sense of emergency. With the victim distracted and overwhelmed, the threat actor then delivers the critical blow through an unexpected channel: Microsoft Teams.

Posing as an IT helpdesk employee from an external account, the attacker sends a Teams chat invitation. Because Teams is a trusted business tool — and because the victim is already under pressure from the inbox flood — the social engineering succeeds at a remarkably high rate. Once the chat is accepted, the victim is instructed to click a link to install a “local patch” to resolve the spam issue.

“As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organisation.” — Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley & Muhammad Umair

It is worth noting that this combination of inbox flooding followed by Teams-based helpdesk impersonation was a hallmark of former Black Basta affiliates. Despite that ransomware group ceasing operations in early 2025, the playbook has shown no signs of slowing down.

Phase Two: Initial Access via AutoHotkey

The phishing link directs the victim to a convincing fake page named “Mailbox Repair and Sync Utility v2.1.5,” hosted on an attacker-controlled Amazon S3 bucket. Clicking proceeds to download a malicious AutoHotkey (AHK) script.

The choice of AutoHotkey is deliberate: the scripting language is not inherently malicious and is often overlooked by automated sandboxes, making it an effective initial-stage delivery vehicle. The AHK binary is named to match a script file in its current directory — a quirk of AutoHotkey’s execution model — so that launching the downloaded binary with no arguments automatically runs the co-located script.

The script serves as a gatekeeper: it first performs local reconnaissance to verify it is operating in a genuine target environment rather than a security sandbox. If the environment passes the check, the script installs SNOWBELT — a malicious Chromium-based browser extension — by launching Microsoft Edge in headless mode with the --load-extension flag.

Should the victim not be using Edge, the phishing page surfaces a persistent overlay warning, pressuring them to switch browsers. Simultaneously, a prominent “Health Check” button on the phishing page prompts users to enter their mailbox credentials, which are silently harvested and exfiltrated to a second attacker-controlled S3 bucket.

# Simplified illustration of headless extension loading
msedge.exe --headless --load-extension=C:\Users\...\SysEvents \
           --no-first-run --disable-extensions-except=...

Phase Three: The SNOW Malware Ecosystem

Once SNOWBELT is installed, it downloads the remaining components of the SNOW toolkit, along with a portable Python environment and its dependencies packaged in a ZIP archive. The three components function as an integrated, coordinated pipeline:

Component: SNOWBELT
  Type: JavaScript browser extension
  Role: Initial foothold; intercepts C2 commands and relays them to SNOWBASIN for execution. Masquerades as “MS Heartbeat” or “System Heartbeat”.
  Persistence: Windows Startup folder shortcut + two Scheduled Tasks; headless Edge process

Component: SNOWBASIN
  Type: Python local HTTP server
  Role: Persistent backdoor on ports 8000–8002; executes remote commands via cmd.exe/powershell.exe, captures screenshots, handles file transfer.
  Persistence: Resident local service

Component: SNOWGLAZE
  Type: Python WebSocket tunneler
  Role: Establishes an authenticated, Base64-encoded JSON WebSocket tunnel from the victim’s internal network to the attacker’s Heroku-hosted C2 server, blending into normal encrypted web traffic.
  Persistence: Runs via SNOWBASIN task chain

The architecture is notable for its layered indirection: the browser extension communicates with a local HTTP service, which in turn connects outbound through a WebSocket tunnel to a cloud-hosted C2 — in this case a Heroku server. This design substantially complicates both network traffic analysis and forensic attribution.

Phase Four: Post-Compromise — Network Traversal and Domain Takeover

With a stable foothold established, UNC6692 proceeded through a methodical, APT-style internal network campaign:

Step 1 · Reconnaissance
Internal Port Scanning

A Python script executed via SNOWBASIN scanned the local network for open ports 135 (RPC), 445 (SMB), and 3389 (RDP) to identify additional targets and services.

Step 2 · Lateral Movement
PsExec & RDP via SNOWGLAZE Tunnel

Using the established SNOWGLAZE WebSocket tunnel, the attacker initiated a PsExec session and subsequently opened an RDP session from the victim’s machine to an internal backup server to expand access.

Step 3 · Credential Harvesting
LSASS Memory Extraction

The attacker used a local administrator account on the backup server to extract LSASS process memory — a classic Living-off-the-Land (LoLBin) technique that is difficult for endpoint defences to block when initiated through built-in system tools. The extracted memory was exfiltrated for offline credential processing.

Step 4 · Privilege Escalation
Pass-the-Hash to Domain Controller

With NTLM credential hashes in hand, the attacker used Pass-the-Hash (PtH) to authenticate laterally to the Domain Controller without knowing plaintext passwords.

Step 5 · Data Staging
Active Directory Database Extraction

On the Domain Controller, the attacker deployed FTK Imager to extract the Active Directory database (NTDS.dit) along with the SYSTEM, SAM, and SECURITY registry hives — providing access to every credential in the domain.

Step 6 · Exfiltration
Data Theft via LimeWire

Stolen data was exfiltrated using the LimeWire file upload tool. The attacker also captured screenshots of the domain controller before completing the operation.

Indicators of Compromise

Confirmed IOCs — Source: Mandiant / Google Threat Intelligence Group
Phishing URL pattern   https://service-page-[ID]-outlook.s3.us-west-2.amazonaws.com/update.html?email=
SNOWBELT C2 pattern    https://[a-f0-9]{24}-[0-9]{6,7}-[0-9]{1}.s3.us-east-2.amazonaws.com
SNOWGLAZE C2 server    wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws
Masquerade binary      RegSrvc.exe (AutoHotkey binary)
AHK script name        Protected.ahk
Extension directory    SysEvents
Extension aliases      “MS Heartbeat”, “System Heartbeat”
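The URL patterns in the table above can be turned into anchored regular expressions and run over proxy or firewall logs. The Python below is an added example, not code from Mandiant or the report: the [ID] placeholder is assumed to be a token of URL-safe characters, the defanged [.] in the SNOWGLAZE host is restored as an escaped dot, and the log lines are constructed.

```python
import re

# IOC patterns transcribed from the Mandiant table above, anchored and with
# dots escaped so a look-alike host such as "amazonaws.com.evil.example" does
# not match. The "[ID]" placeholder is assumed to be a URL-safe token.
IOC_PATTERNS = {
    "phishing_page": re.compile(
        r"^https://service-page-[A-Za-z0-9_-]+-outlook\.s3\.us-west-2\.amazonaws\.com"
        r"/update\.html\?email="
    ),
    "snowbelt_c2": re.compile(
        r"^https://[a-f0-9]{24}-[0-9]{6,7}-[0-9]\.s3\.us-east-2\.amazonaws\.com(/|$)"
    ),
    # SNOWGLAZE C2 host with the report's defanged "[.]" restored.
    "snowglaze_c2": re.compile(
        r"^wss://sad4w7h913-b4a57f9c36eb\.herokuapp\.com(:443)?/ws$"
    ),
}

def classify_url(url: str):
    """Return the IOC label the URL matches, or None if it matches nothing."""
    for label, pattern in IOC_PATTERNS.items():
        if pattern.search(url):
            return label
    return None

def scan_proxy_log(lines):
    """Return (line_no, label, url) for each log line whose URL hits an IOC.
    Assumes a space-separated format: <timestamp> <client_ip> <url>."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        label = classify_url(parts[2])
        if label:
            hits.append((n, label, parts[2]))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2026-01-08T09:12:01Z 10.0.4.21 https://www.microsoft.com/",
    "2026-01-08T09:12:44Z 10.0.4.21 https://service-page-7f3k2-outlook.s3.us-west-2.amazonaws.com/update.html?email=user%40example.com",
    "2026-01-08T09:13:10Z 10.0.4.21 https://0123456789abcdef01234567-1234567-1.s3.us-east-2.amazonaws.com/payload.zip",
    "2026-01-08T09:13:12Z 10.0.4.21 https://my-company-backups.s3.us-east-2.amazonaws.com/report.pdf",
    "2026-01-08T09:14:00Z 10.0.4.21 wss://sad4w7h913-b4a57f9c36eb.herokuapp.com:443/ws",
]
```

A legitimate bucket in the same AWS region (line 4 of the sample) is not flagged, because the SNOWBELT pattern requires the 24-hex-character naming scheme rather than any us-east-2 bucket.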

Mandiant has released a full set of YARA rules alongside the disclosure to assist defenders in detecting the SNOW toolset. Security teams should incorporate these into their detection pipelines immediately.

Why This Campaign Is Significant

UNC6692’s operation is not remarkable for its use of novel zero-day vulnerabilities — it uses none. What makes it significant is the systematic exploitation of institutional trust: trust in Microsoft Teams as a secure business channel, trust in IT helpdesk communications, and trust in legitimate cloud platforms like AWS S3 and Heroku as benign network destinations.

By routing both payload delivery and exfiltration through these trusted services, UNC6692 blends malicious traffic into the enormous volume of legitimate cloud activity, effectively defeating reputation-based network filters. The modular SNOW architecture further complicates detection by distributing malicious behaviour across a browser extension, a local service, and a tunneling tool — none of which looks alarming in isolation.

Related campaign: Cato Networks separately documented a voice phishing campaign using similar Teams helpdesk impersonation — delivered via Teams voice calls rather than chat — to deploy a WebSocket-based trojan dubbed PhantomBackdoor via obfuscated PowerShell. The parallel suggests this approach is being adopted broadly across threat actors, not just UNC6692.

Defensive Recommendations

  • Treat Teams as a primary attack surface. Restrict or require approval for external Teams communications. Disable screen-sharing permissions for external accounts by default. Alert on chat invitations from outside the organisation accepted by senior employees.
  • Establish IT helpdesk verification workflows. Require out-of-band verification (phone or ticketing system) before any helpdesk-initiated remote session or software installation. No legitimate helpdesk will object to this.
  • Monitor browser extension activity. Alert on new Chromium/Edge extensions loaded outside the approved extension list, especially those installed via command-line flags (--load-extension) or not sourced from the Chrome Web Store.
  • Detect headless browser launches. Monitor process creation for Edge or Chrome launched in headless mode (--headless) by non-system processes, particularly from user-writable directories.
  • Restrict and monitor LSASS access. Enable Windows Credential Guard. Alert on any process — including Task Manager — opening a handle to the LSASS process for memory read access.
  • Audit cloud egress traffic. Establish baselines for S3 and WebSocket egress. Anomalous uploads to AWS S3 buckets outside your organisation’s own infrastructure warrant immediate investigation.
  • Apply YARA detections. Deploy Mandiant’s published YARA rules for SNOWBELT, SNOWBASIN, and SNOWGLAZE across endpoint detection and response (EDR) platforms.
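The browser-extension and headless-launch recommendations above can be checked against process-creation telemetry. The Python below is an added example, not code from the report or from Mandiant: the event fields, the list of user-writable directories, the set of "normal" parent processes and the sample events are all assumptions or constructed, with the extension directory name and AHK binary name taken from the IOC table.

```python
import re
from dataclasses import dataclass

# Minimal model of a process-creation event (Sysmon Event ID 1 or EDR
# telemetry); field names are assumed, not taken from the report.
@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str
    user: str

# Heuristic list of user-writable locations (assumption, not from the report).
USER_WRITABLE = re.compile(r"^(?:c:\\users\\|c:\\programdata\\|c:\\temp\\)", re.I)
BROWSERS = {"msedge.exe", "chrome.exe"}
# Parents that normally start a browser; anything else launching it headless is odd.
SYSTEM_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}

def extension_load_flags(cmdline: str):
    """Return every path given to --load-extension (the flag takes a comma-separated list)."""
    paths = []
    for m in re.finditer(r'--load-extension=(?:"([^"]*)"|(\S+))', cmdline, re.I):
        paths.extend((m.group(1) or m.group(2)).split(","))
    return paths

def assess(event: ProcEvent):
    """Return findings for one event; an empty list means nothing notable."""
    exe = event.image.rsplit("\\", 1)[-1].lower()
    if exe not in BROWSERS:
        return []
    findings = []
    headless = re.search(r"(?<!\S)--headless\b", event.command_line, re.I) is not None
    ext_paths = extension_load_flags(event.command_line)
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    if headless and parent not in SYSTEM_PARENTS:
        findings.append(f"headless {exe} spawned by {parent}")
    for p in ext_paths:
        if USER_WRITABLE.match(p):
            findings.append(f"--load-extension from user-writable path {p}")
    if headless and ext_paths:
        findings.append("headless launch combined with --load-extension (SNOWBELT-style install)")
    return findings

# Constructed sample events, not real telemetry.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    ProcEvent(EDGE, '"msedge.exe" --profile-directory=Default', r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcEvent(EDGE, r"msedge.exe --headless --load-extension=C:\Users\alice\AppData\Local\SysEvents --no-first-run",
              r"C:\Users\alice\Downloads\RegSrvc.exe", r"CORP\alice"),
]
```

The second sample event produces three findings (non-system parent, user-writable extension path, and the headless-plus-extension combination), while the ordinary Edge launch produces none; in production the same checks would be applied to each event as it arrives rather than to a fixed list.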
