Crime crew impersonates help desk, abuses Microsoft Teams to steal your data

A new threat group identified as UNC6692 is abusing Microsoft Teams and impersonating the help desk to deploy custom Snow malware and steal sensitive corporate credentials from targeted organizations.

Key Points

  • The UNC6692 group initiates attacks by flooding target organizations with email traffic before posing as IT support via Microsoft Teams to offer assistance.
  • Victims are directed to a fraudulent "Mailbox Repair Utility" page that uses a double-entry password trick to capture credentials and ensure accuracy.
  • The attack deploys a modular malware ecosystem consisting of SnowBelt, a browser-based backdoor; SnowGlaze, a Python tunneler; and SnowBasin, a remote bindshell.
  • Malicious activity is disguised as legitimate web traffic by wrapping data in JSON objects and Base64 encoding it for transfer through WebSocket tunnels.
  • Google Threat Intelligence Group reports that the campaign, observed in late December 2025, successfully establishes persistent footholds on victim endpoints.
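
For defenders, the JSON-plus-Base64 wrapping described above leaves a measurable shape in decrypted WebSocket text messages: nearly all of each message is one Base64 string inside a small JSON envelope. The following sketch is an added detection example, not code from the report or from Google Threat Intelligence Group; the thresholds, JSON field names and sample sessions are assumptions constructed for illustration.

```python
import base64
import json

MIN_B64_LEN = 64   # assumed threshold: skip short tokens and IDs
RATIO = 0.6        # assumed: share of a message that must be Base64 to count
MIN_HITS = 3       # assumed: envelope-style messages needed to flag a session

def _b64_strings(node):
    """Yield every string value in a parsed JSON tree that is strict Base64."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _b64_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _b64_strings(value)
    elif isinstance(node, str) and len(node) >= MIN_B64_LEN:
        try:
            base64.b64decode(node, validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            return
        yield node

def b64_ratio(message: str) -> float:
    """Fraction of one WebSocket text message taken up by Base64 values."""
    try:
        tree = json.loads(message)
    except ValueError:
        return 0.0  # not JSON, so not the envelope pattern
    return sum(len(s) for s in _b64_strings(tree)) / max(len(message), 1)

def flag_session(messages) -> bool:
    """True when enough messages in a session are mostly Base64 inside JSON."""
    return sum(b64_ratio(m) >= RATIO for m in messages) >= MIN_HITS

# Constructed sample sessions (not captured traffic; field names are made up).
CHUNK = base64.b64encode(bytes(range(256)) + bytes(44)).decode()
TUNNEL = [json.dumps({"id": i, "data": CHUNK}) for i in range(5)]
BENIGN = [
    json.dumps({"type": "typing", "user": "alice"}),
    json.dumps({"type": "message", "text": "Can you resend the Q3 report? " * 4}),
    json.dumps({"type": "avatar", "png": CHUNK, "meta": "profile picture " * 60}),
    "ping",
]

if __name__ == "__main__":
    print("tunnel:", flag_session(TUNNEL), "benign:", flag_session(BENIGN))
```

A heuristic like this is a triage signal rather than a verdict: legitimate applications also send Base64 in JSON, so tune the thresholds against known-good WebSocket traffic and pair hits with process and destination context.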

Why it Matters

This campaign highlights the growing sophistication of social engineering tactics that leverage trusted communication platforms like Microsoft Teams to bypass traditional security perimeters. By combining human manipulation with modular, stealthy malware, attackers can gain deep, persistent access to corporate networks while appearing as legitimate internal support staff.
Theregister.com Published by Jessica Lyons