Threat actor uses Microsoft Teams to deploy new “Snow” malware


DEV Community·Mark0·about 1 month ago

Threat group UNC6692 is combining email bombing with Microsoft Teams impersonation to deploy a new malware suite named “Snow.” Posing as IT helpdesk staff over Teams, the attackers talk victims into running a malicious dropper, which installs a Chrome extension called SnowBelt. The suite also includes SnowBasin, a Python-based backdoor, and SnowGlaze, a WebSocket-based tunneler that hides command-and-control (C2) traffic.

Once installed, the suite gives the operators persistent access, remote shell execution, and data exfiltration. Mandiant researchers observed the attackers performing internal reconnaissance, dumping LSASS memory to harvest credentials, and moving laterally to domain controllers. In the final stages they used FTK Imager to copy the Active Directory database and exfiltrated the stolen data through the LimeWire file-sharing service, a short path from a single social-engineering conversation to full domain compromise.
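The later stages of that chain (LSASS access, a disk-imaging tool launched on a domain controller, egress to a file-sharing service) each leave host telemetry behind. The script below is an added example, not code from the article or from Mandiant, showing how a detection engineer might express those three stages as rules over Sysmon-style events. The event fields, the hostnames, the allow lists and the sample events are all constructed for illustration; the `PROCESS_VM_READ` bit (0x0010) in the event 10 access mask is the one right every LSASS memory dump needs.

```python
"""Toy detections for the post-compromise stages described above.

Runs offline over constructed Sysmon-style events (IDs 10, 1 and 3).
Hostnames, paths and allow lists are assumptions, not real telemetry.
"""
import ntpath
from typing import Dict, List, Tuple

# Minimum access right a process needs to read LSASS memory.
PROCESS_VM_READ = 0x0010

# Assumed environment-specific lists; tune these before deploying.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
LSASS_ALLOWED_SOURCES = {          # processes expected to open lsass.exe
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
}
IMAGING_TOOLS = {"ftk imager.exe"}  # disk-imaging tools that can copy ntds.dit
FILE_SHARING_DOMAINS = ("limewire.com",)  # egress destinations worth flagging

Event = Dict[str, object]
Alert = Tuple[str, str, str]       # (rule, host, offending value)


def _matches_domain(host: str, domains) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def detect(events: List[Event]) -> List[Alert]:
    """Return one alert per event that matches a rule, in input order."""
    alerts: List[Alert] = []
    for ev in events:
        host = str(ev["host"])
        if ev["id"] == 10:
            # Rule A: non-allow-listed process opens lsass.exe with VM_READ.
            src = str(ev["source"])
            if (ntpath.basename(str(ev["target"])).lower() == "lsass.exe"
                    and int(ev["access"]) & PROCESS_VM_READ
                    and src.lower() not in LSASS_ALLOWED_SOURCES):
                alerts.append(("lsass-access", host, src))
        elif ev["id"] == 1:
            # Rule B: disk-imaging tool started on a domain controller.
            image = str(ev["image"])
            if (host in DOMAIN_CONTROLLERS
                    and ntpath.basename(image).lower() in IMAGING_TOOLS):
                alerts.append(("dc-imaging-tool", host, image))
        elif ev["id"] == 3:
            # Rule C: outbound connection to a consumer file-sharing domain.
            dest = str(ev["dest_host"])
            if _matches_domain(dest, FILE_SHARING_DOMAINS):
                alerts.append(("file-share-egress", host, dest))
    return alerts


# Constructed sample events; none of these come from a real incident.
SAMPLE_EVENTS: List[Event] = [
    {"id": 10, "host": "WS-042",                       # suspicious dump
     "source": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010},
    {"id": 10, "host": "WS-042",                       # AV: allow-listed
     "source": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010},
    {"id": 10, "host": "WS-042",                       # no VM_READ: ignore
     "source": r"C:\Windows\System32\taskmgr.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1000},
    {"id": 1, "host": "DC01",                          # imaging tool on DC
     "image": r"C:\Tools\FTK Imager\FTK Imager.exe"},
    {"id": 1, "host": "WS-042",                        # same tool, not a DC
     "image": r"C:\Tools\FTK Imager\FTK Imager.exe"},
    {"id": 3, "host": "WS-042",                        # file-sharing egress
     "image": r"C:\Python311\python.exe",
     "dest_host": "upload.limewire.com", "dest_port": 443},
    {"id": 3, "host": "WS-042",                        # ordinary browsing
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "www.example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, host, value in detect(SAMPLE_EVENTS):
        print(f"{rule:18} {host:8} {value}")
```

Rule A is the one most worth tuning: the allow list must name every legitimate LSASS reader in the estate, and the rule should be paired with the parent-process and signer context the real event carries. Rule B fires on workstations too if the domain-controller set is dropped, which is a reasonable lower-severity variant.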
