Threat group UNC6692 is utilizing social engineering tactics, including email bombing and Microsoft Teams helpdesk impersonation, to deploy a sophisticated custom malware suite named "Snow." This suite consists of three primary components: SnowBelt, a malicious browser extension; SnowGlaze, a WebSocket-based tunneler; and SnowBasin, a Python-based backdoor designed for command execution and data exfiltration.
Once persistence is established via headless browser instances and startup shortcuts, attackers perform internal reconnaissance and lateral movement using pass-the-hash techniques. The ultimate goal involves deep network compromise and domain takeover, culminating in the exfiltration of Active Directory databases and registry hives using tools like FTK Imager and LimeWire.
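The persistence pattern above (a headless browser kept alive through a Startup-folder shortcut) is one that defenders can hunt for in endpoint telemetry. The Python below is an added example, not code from the report or from the threat group's tooling: it triages constructed Sysmon-style process- and file-creation events and flags headless browser launches with sideloaded extensions and shortcuts written to the Startup folder. Event field names and all paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Chromium-based browsers that accept --headless / --load-extension (assumption: the
# environment standardises on these; extend the set to match your fleet).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Per-user and all-users Startup folders both end in \Start Menu\Programs\Startup\.
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

# Constructed telemetry modelled on Sysmon Event ID 1 (process create) and 11 (file create).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                     r'--disable-gpu --load-extension="C:\Users\alice\AppData\Roaming\ext"'},
    {"id": 2, "type": "process_create",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://intranet.example'},
    {"id": 3, "type": "file_create",
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"id": 4, "type": "file_create",
     "target_filename": r"C:\Users\alice\Desktop\report.lnk"},
]


def triage_event(ev: dict) -> list[str]:
    """Return the reasons an event matches the headless-browser / Startup-shortcut pattern."""
    reasons = []
    if ev["type"] == "process_create":
        image = PureWindowsPath(ev["image"]).name.lower()
        cmd = ev["command_line"].lower()
        # Interactive users almost never run a browser headless; an unpacked extension
        # loaded from a user-writable directory on top of that is a strong signal.
        if image in BROWSERS and "--headless" in cmd:
            reasons.append("headless browser instance")
            if "--load-extension" in cmd:
                reasons.append("sideloaded unpacked extension")
            if "--remote-debugging-port" in cmd:
                reasons.append("remote debugging enabled")
    elif ev["type"] == "file_create":
        if STARTUP_LNK_RE.search(ev["target_filename"]):
            reasons.append("shortcut written to Startup folder")
    return reasons


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event id, reasons) for every event that matched at least one indicator."""
    return [(ev["id"], r) for ev in events if (r := triage_event(ev))]
```

Correlating a Startup-folder `.lnk` write with a subsequent headless browser launch on the same host is the next step; here each event is scored on its own so the rules stay readable.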
