The UNC6692 campaign, identified by Google’s Threat Intelligence Group, is a multi-stage intrusion that combines social engineering with a custom malware suite known as “Snow.”
It starts with attackers posing as IT helpdesk staff through tools like Microsoft Teams, then unfolds through a sequence of payload delivery, persistence techniques, and internal reconnaissance to maintain access inside the environment.
The Snow malware suite works as a set of connected parts that move an attack forward. It starts by gaining access through a web browser, then keeps a hidden line of communication open with outside systems, and finally carries out actions on the infected device through a backdoor.
Together, this setup lets attackers go beyond the initial breach, giving them room to move deeper into systems and eventually access sensitive data.
Why It Matters: This campaign shows how widely used enterprise tools and routine workflows can be repurposed to introduce malware and sustain access. By blending into normal activity and trusted cloud traffic, it makes detection and response far more difficult.
- Coordinated Social Engineering and Phishing Workflow: Attackers initiated contact through email flooding to create confusion, then followed with a Microsoft Teams message posing as IT support. Victims were directed to a phishing page that enforced conditions such as a required email parameter and the use of Microsoft Edge. A staged login process prompted users to enter their credentials multiple times, improving the accuracy of the stolen credentials, which were then transmitted to attacker-controlled cloud storage.
- Structured Infection Chain Using AutoHotKey and Browser Extensions: The phishing page delivered files from an AWS S3 bucket, including an AutoHotKey executable and a script given an identical name so that the script executed automatically. This led to the installation of SNOWBELT, a malicious browser extension. Persistence was maintained through startup shortcuts and scheduled tasks, including launching a hidden Microsoft Edge instance that continuously loaded the extension and managed its execution.
- Integrated Malware Ecosystem Enabling Command Execution and Control: The Snow toolkit consists of SNOWBELT, SNOWGLAZE, and SNOWBASIN. SNOWBELT operates inside the browser, relaying commands and maintaining access. SNOWGLAZE establishes a WebSocket tunnel that supports proxying of network traffic and communication with external infrastructure. SNOWBASIN runs as a local HTTP server, executing system commands, capturing screenshots, handling files, and returning results through the same communication path.
- Internal Reconnaissance and Privilege Escalation Techniques: After gaining access, attackers scanned the network for services such as SMB and RDP using Python scripts. They used PsExec to execute commands remotely and identified administrative accounts. Credential extraction was performed by dumping LSASS memory, followed by pass-the-hash authentication to access additional systems, including domain controllers.
- Data Extraction Through Trusted Tools and Cloud Infrastructure: Once elevated access was achieved, attackers used FTK Imager to collect Active Directory data, including NTDS.dit and registry hives such as SAM and SYSTEM. These files were staged locally and exfiltrated through cloud services and tools like LimeWire. Command-and-control communication relied on AWS S3 and WebSocket connections, with encryption and encoding techniques used to blend traffic with normal activity.
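As an added illustration of two of the execution and persistence patterns listed above, the following defender-side detection logic (example code written for this page, not taken from Google's report) runs over constructed process-creation events: it flags a Microsoft Edge instance launched hidden or by the task scheduler with an unpacked extension, and an AutoHotKey interpreter started with no script argument beside a same-named .ahk file. The event shape, directory listings, the window-hiding flag set and the assumption that the AutoHotKey binary reports an OriginalFileName of AutoHotkey.exe are all assumptions, not details from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events shaped like Sysmon Event ID 1 fields
# (ParentImage, Image, OriginalFileName, CommandLine). Sample data, not from the report.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "orig": "msedge.exe", "cmd": r'"msedge.exe" --profile-directory=Default https://intranet.example'},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "orig": "msedge.exe",
     "cmd": r'"msedge.exe" --headless=new --load-extension="C:\Users\u\AppData\Roaming\upd\ext" --window-position=-32000,-32000'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Users\u\Downloads\upd\Update.exe",
     "orig": "AutoHotkey.exe", "cmd": r'"C:\Users\u\Downloads\upd\Update.exe"'},  # renamed interpreter, no script arg
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Tools\AutoHotkey\AutoHotkey.exe",
     "orig": "AutoHotkey.exe", "cmd": r'"C:\Tools\AutoHotkey\AutoHotkey.exe" C:\Tools\scripts\remap.ahk'},
]
# Constructed directory listings standing in for a file-system lookup on the host.
DIR_LISTING = {
    r"C:\Users\u\Downloads\upd": {"Update.exe", "Update.ahk"},
    r"C:\Tools\AutoHotkey": {"AutoHotkey.exe"},
}
# Flags that keep the browser window off-screen or windowless (assumed indicator set).
HIDE_FLAGS = ("--headless", "--window-position=-32000")
TASK_PARENTS = {"svchost.exe", "taskeng.exe"}  # typical parents of scheduled-task launches

def hidden_edge_with_extension(ev):
    """Edge loading an unpacked extension while hidden or started by the task scheduler."""
    m = re.search(r'--load-extension=("?)([^"\s]+)\1', ev["cmd"])
    if PureWindowsPath(ev["image"]).name.lower() != "msedge.exe" or not m:
        return None
    hidden = any(f in ev["cmd"] for f in HIDE_FLAGS)
    from_task = PureWindowsPath(ev["parent"]).name.lower() in TASK_PARENTS
    return f"hidden Edge loading extension from {m.group(2)}" if hidden or from_task else None

def autohotkey_same_name(ev):
    """AutoHotKey interpreter (renamed or not) started without a script, next to a same-named .ahk."""
    image = PureWindowsPath(ev["image"])
    args = ev["cmd"].replace(f'"{ev["image"]}"', "", 1).strip()
    if ev["orig"].lower() != "autohotkey.exe" or args:  # explicit script: same-name auto-load not in play
        return None
    sibling = image.stem + ".ahk"
    if sibling in DIR_LISTING.get(str(image.parent), set()):
        return f"AutoHotKey ({image.name}) auto-loading {sibling}"
    return None

def scan(events):
    """Run both rules over every event and collect the findings in event order."""
    return [hit for ev in events for rule in (hidden_edge_with_extension, autohotkey_same_name)
            if (hit := rule(ev))]
```

Running `scan(EVENTS)` flags the svchost-spawned headless Edge and the renamed interpreter beside Update.ahk, while the ordinary Edge session and the AutoHotKey launch with an explicit script argument pass.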