A newly identified threat cluster, UNC6692, is using sophisticated social engineering tactics through Microsoft Teams to infiltrate corporate environments and deploy a custom-built malware ecosystem. The campaign relies on impersonation of IT help desk personnel, tricking victims into accepting external Teams messages under the guise of resolving technical issues. Victims are often first overwhelmed with a flood of spam emails, creating urgency and confusion, before being contacted by attackers posing as support staff offering assistance.
Unlike earlier attack patterns that relied on remote monitoring tools such as Quick Assist or Supremo Remote Desktop, this campaign introduces a more advanced infection chain. Targets are directed to click a phishing link shared via Teams, leading to the download of a malicious AutoHotkey script disguised as a mailbox repair utility.
The attack then deploys a modular malware suite known as the “SNOW” toolkit. A key component, SNOWBELT, functions as a malicious browser extension installed on Microsoft Edge in headless mode, enabling command execution and communication with attacker infrastructure. Additional modules include SNOWGLAZE, which establishes encrypted tunnels between compromised systems and command servers, and SNOWBASIN, a persistent backdoor capable of executing system commands, capturing screenshots, and transferring files.
The campaign also uses phishing interfaces designed to harvest credentials. Victims are prompted to input mailbox login details under the pretense of system verification, with the data subsequently exfiltrated to attacker-controlled cloud storage. Following initial compromise, attackers conduct extensive post-exploitation activities. These include scanning networks for lateral movement opportunities, extracting credentials from system memory, and leveraging techniques such as pass-the-hash to gain access to domain controllers. Sensitive data is then collected and exfiltrated using tools like FTK Imager and Rclone.
The campaign highlights a growing trend in cyberattacks: the abuse of trusted enterprise platforms and legitimate cloud services to evade detection. By hosting malicious payloads on widely used infrastructure and leveraging common administrative tools, attackers are able to blend into normal enterprise activity and bypass traditional security controls.
The techniques observed in UNC6692 attacks reflect an evolution of tactics previously associated with ransomware groups, demonstrating that even after such groups disband, their methods continue to persist and adapt. The increasing focus on executives and senior-level employees further underscores the strategic intent to gain high-value access within organizations.
Security experts warn that collaboration platforms like Microsoft Teams are becoming primary attack surfaces. As attackers continue to exploit trust in enterprise communication tools, organizations are being urged to implement stricter verification processes, limit external communications, and strengthen monitoring of remote access and scripting activities. The emergence of UNC6692 and its advanced toolset signals a new phase in enterprise cyber threats, where social engineering, custom malware, and legitimate services converge to create highly effective and difficult-to-detect attack chains.
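To make the monitoring advice concrete, here is an added example (not from the article or from any vendor tooling) of simple process-creation triage rules that cover three of the behaviours described above: an AutoHotkey interpreter running a script from a user-writable location, Microsoft Edge started in headless mode while side-loading an unpacked extension, and an Rclone transfer. The event schema, every sample command line, and the specific flags matched are constructed assumptions; the article does not publish the campaign's actual command lines, so these are heuristics to tune against your own telemetry, not confirmed indicators.

```python
"""
Heuristic triage of process-creation events for UNC6692-style tradecraft.
Added example: the ProcEvent schema, the sample events and the matched
flags are constructed for illustration and are not indicators published
for this campaign.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str         # full path of the newly created process
    cmdline: str       # full command line as logged by the EDR/Sysmon
    parent_image: str  # full path of the parent process


# Interpreter binaries shipped with AutoHotkey (names as distributed by the project)
AHK_IMAGES = {"autohotkey.exe", "autohotkey64.exe", "autohotkeyu64.exe", "autohotkeyu32.exe"}

# Directory fragments a standard user can write to (assumed corporate baseline)
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of every rule a single event triggers, in rule order."""
    hits = []
    img = basename(ev.image)
    parent = basename(ev.parent_image)
    cl = ev.cmdline.lower()

    # Rule 1: AutoHotkey interpreter executing a script that lives in a user-writable path.
    # A downloaded "mailbox repair" script would land here; admin-deployed macros usually do not.
    if img in AHK_IMAGES and any(frag in cl for frag in USER_WRITABLE):
        hits.append("ahk_script_user_path")

    # Rule 2: Edge launched headless while loading an unpacked extension.
    # --headless and --load-extension are real Chromium switches; their use by the
    # campaign is an assumption drawn from the article's description of SNOWBELT.
    if img == "msedge.exe" and "--headless" in cl and "--load-extension" in cl:
        hits.append("edge_headless_sideloaded_extension")
        # Stronger signal when the headless browser was spawned by the script interpreter.
        if parent in AHK_IMAGES:
            hits.append("edge_headless_from_ahk")

    # Rule 3: Rclone invoked with a transfer verb (bulk copy to a remote backend).
    if img == "rclone.exe" and any(verb in cl for verb in (" copy ", " sync ", " move ")):
        hits.append("rclone_transfer")

    return hits


def triage(events: list[ProcEvent]) -> list[tuple[str, str, list[str]]]:
    """Return (host, image, hits) for every event that triggered at least one rule."""
    results = []
    for ev in events:
        hits = detect(ev)
        if hits:
            results.append((ev.host, ev.image, hits))
    return results


# Constructed sample telemetry: three suspicious events on ws01 and two benign ones.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    ProcEvent("ws01", "j.doe", r"C:\Users\j.doe\Downloads\AutoHotkey64.exe",
              r'"C:\Users\j.doe\Downloads\AutoHotkey64.exe" "C:\Users\j.doe\Downloads\MailboxRepair.ahk"',
              r"C:\Windows\explorer.exe"),
    ProcEvent("ws01", "j.doe", EDGE,
              f'"{EDGE}" --headless=new --load-extension="C:\\Users\\j.doe\\AppData\\Local\\Temp\\ext"',
              r"C:\Users\j.doe\Downloads\AutoHotkey64.exe"),
    ProcEvent("ws01", "j.doe", r"C:\Users\j.doe\AppData\Local\Temp\rclone.exe",
              r"rclone.exe copy C:\Finance remote:backup --transfers 8",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("ws02", "admin", EDGE, f'"{EDGE}" --profile-directory=Default',
              r"C:\Windows\explorer.exe"),
    ProcEvent("ws03", "dev", r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
              r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" "C:\Tools\macros\hotkeys.ahk"',
              r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for host, image, hits in triage(SAMPLE_EVENTS):
        print(f"{host}: {basename(image)} -> {', '.join(hits)}")
```

Rule 1 deliberately ignores AutoHotkey runs from `Program Files`, so a developer's local macros stay quiet while a script dropped into `Downloads` fires; the parent-process check in Rule 2 is what turns a single odd Edge launch into a chained signal worth paging on.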