A New Threat Actor With a Sophisticated Playbook
Google Threat Intelligence Group (GTIG) has published details on a previously undocumented threat actor it tracks as UNC6692, describing a multi-stage campaign that combines high-volume email harassment with targeted social engineering to deliver a modular malware framework the researchers call Snow. The activity was first observed in December 2025.
The campaign's opening move is straightforward but disorienting for victims: attackers flood a target's inbox with a large volume of email messages, creating enough noise to prompt the target to seek technical help. UNC6692 then capitalises on that confusion by reaching out to the victim directly through Microsoft Teams, posing as an IT helpdesk employee offering to resolve the problem.
The Phishing Chain: From Fake Repair Tool to Browser Backdoor
Pretending to assist with the email overload, the attackers persuade the victim to click a URL pointing to a purpose-built phishing page. That page presents a counterfeit mailbox repair utility. Before rendering the fake tool, the page performs two checks: it verifies that an email parameter is present in the link and confirms that the visitor is using Microsoft Edge as their browser.
Once both conditions are satisfied, a panel imitating a legitimate repair utility is displayed. When the user clicks a 'health check' button, they are shown a fake authentication dialog designed to harvest and validate their credentials. A bogus progress bar keeps the illusion alive and discourages suspicion while work continues in the background.
Behind the scenes, a script embedded in the page silently downloads an AutoHotKey binary and an accompanying AutoHotKey script to the victim's machine. Once executed, those payloads deploy a JavaScript-based backdoor named Snowbelt, installed as a Chromium browser extension.
Establishing Persistence
To ensure Snowbelt survives reboots and stays active, the malicious code takes several persistence steps:
- Adds a shortcut to an AutoHotKey script in the Windows startup folder.
- Creates two scheduled tasks — one to open a windowless Edge process and load Snowbelt, and another to terminate headless Edge processes.
With persistence in place, the extension is then used to pull down additional payloads from an attacker-controlled AWS S3 bucket. Those payloads include further AutoHotKey scripts, a ZIP archive, the Snowglaze tunnel, and the Snowbasin malware.
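As an added defender-side example (not code from the GTIG write-up or from SecurityWeek), the following Python hunts a list of scheduled-task actions for the persistence pattern described above: a headless Chromium-family browser loading an unpacked extension, a companion task that kills Edge, and an AutoHotKey launch. The task records, names and paths are constructed; the `--headless` and `--load-extension` switches are standard Chromium flags and are an assumption about how such a task would be expressed.

```python
import re

# Constructed sample, not real telemetry: each record mirrors the fields a
# defender would pull from `Get-ScheduledTask` (TaskName, Actions.Execute,
# Actions.Arguments). Task names and paths are hypothetical.
SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "execute": r"C:\Windows\System32\usoclient.exe", "args": "StartScan"},
    {"name": r"\EdgeHealthCheck",
     "execute": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "args": r"--headless=new --load-extension=C:\Users\u\AppData\Local\Temp\ext"},
    {"name": r"\EdgeCleanup",
     "execute": r"C:\Windows\System32\taskkill.exe", "args": "/F /IM msedge.exe"},
    {"name": r"\OfficeSync",
     "execute": r"C:\Users\u\AppData\Roaming\AutoHotkey\AutoHotkey64.exe",
     "args": r"C:\Users\u\AppData\Roaming\sync.ahk"},
]

CHROMIUM_BROWSERS = {"msedge.exe", "chrome.exe", "brave.exe", "chromium.exe"}

def _basename(path):
    # Strip quotes and take the last path component, lower-cased for matching.
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_task(task):
    """Return the rule names that fire for one scheduled-task action."""
    exe, args = _basename(task["execute"]), task["args"].lower()
    hits = []
    # Headless Chromium-family browser side-loading an unpacked extension:
    # the "windowless Edge + load Snowbelt" task described by GTIG.
    if exe in CHROMIUM_BROWSERS and "--headless" in args and "--load-extension" in args:
        hits.append("headless-browser-extension")
    # A task whose only job is to kill the browser (the second task in the
    # write-up). Low confidence alone; strong when paired with the rule above.
    if exe == "taskkill.exe" and re.search(r"/im\s+msedge\.exe", args):
        hits.append("browser-kill-task")
    elif exe == "powershell.exe" and "stop-process" in args and "msedge" in args:
        hits.append("browser-kill-task")
    # AutoHotKey interpreter, or any .ahk script, launched by a scheduled task.
    if exe.startswith("autohotkey") or args.endswith(".ahk"):
        hits.append("autohotkey-launch")
    return hits

def hunt(tasks):
    """Map task name -> rule hits for every task that triggered at least one rule."""
    findings = {}
    for task in tasks:
        hits = classify_task(task)
        if hits:
            findings[task["name"]] = hits
    return findings

if __name__ == "__main__":
    for name, rules in hunt(SAMPLE_TASKS).items():
        print(f"{name}: {', '.join(rules)}")
```

The same rules can be pointed at Event ID 4698 (scheduled task created) payloads or at `schtasks /query /v` output once the action fields are parsed into the same three keys.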
Reconnaissance, Lateral Movement, and Credential Theft
With a foothold established, UNC6692 shifts to active network exploitation. The group used Snowglaze to set up a Sysinternals PsExec session on the compromised system and enumerate administrator accounts. Using one of those accounts, the attackers then opened a Remote Desktop Protocol (RDP) session to a backup server, routing the connection through the Snowglaze tunnel.
GTIG notes that while the exact credential acquisition method was not directly observed, the threat actor may have obtained local administrator credentials through multiple paths, including "authenticated Server Message Block (SMB) share enumeration."
From the backup server, UNC6692 dumped the LSASS process memory and exfiltrated it via LimeWire, then extracted usernames, passwords, and user account hashes from the dump. The attackers then leveraged a Pass-The-Hash technique to access the network's domain controller.
On the domain controller, UNC6692 downloaded FTK Imager, mounted the local storage drive with it, and wrote the Active Directory database file, the Security Account Manager (SAM), and the System and Security registry hives to the \Downloads folder. That data was then exfiltrated via LimeWire as well.
Inside the Snow Malware Framework
GTIG describes the three core components of the Snow framework as forming "a coordinated pipeline that facilitates an attacker's journey from initial browser-based access to the internal network of the organization." Each component plays a distinct role:
Snowbelt
Snowbelt is the JavaScript-based browser extension that serves as the initial implant. It intercepts commands and forwards them to Snowbasin for execution, while also providing authenticated access to the compromised environment to enable lateral movement and privilege escalation.
Snowglaze
Snowglaze is a Python-based tunneler that establishes a secure, authenticated WebSocket tunnel to the attackers' command-and-control (C&C) server. It facilitates SOCKS proxy operations and obscures malicious traffic by blending it with normal communications.
Snowbasin
Snowbasin is a persistent backdoor that operates as a local HTTP server. Its capabilities include command execution, screenshot capture, and data harvesting, making it the workhorse for hands-on post-exploitation activity.
Cloud Infrastructure as Camouflage
One notable aspect of the UNC6692 campaign is its deliberate use of trusted cloud platforms — specifically AWS S3 — to host malicious components. GTIG highlights this tactic as a calculated means of evading detection:
"By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic."
This approach is increasingly common among sophisticated threat actors who understand that many security tools rely on domain or IP reputation rather than deep content inspection. Legitimate cloud storage services generate so much traffic that individual malicious requests can easily go unnoticed.
Broader Implications
The UNC6692 campaign illustrates how threat actors are evolving their initial access methods beyond simple phishing emails. By combining a denial-of-inbox style email bombing attack with real-time social engineering over Microsoft Teams, the group manipulates victims in a way that feels both urgent and credible — exactly the conditions under which people are most likely to bypass their own security instincts.
The modular design of the Snow framework also signals a level of operational maturity. Rather than relying on a single monolithic implant that might trigger detection, UNC6692 stages its capabilities across three distinct tools, each with a narrow role, allowing the group to adapt, replace components, or limit exposure if one element is detected.
GTIG's assessment underscores the need for organisations to treat employee awareness of vishing and Teams-based impersonation as a first-line defence, alongside technical controls for monitoring browser extensions, scheduled tasks, and outbound tunnelling activity.
Source: SecurityWeek