Google Threat Intelligence Group (GTIG) has published a detailed analysis of UNC6692, a newly tracked threat actor that combines Microsoft Teams phishing with email spam flooding to deploy a modular malware suite GTIG calls the SNOW ecosystem. The chain begins with a fake IT helpdesk message over Teams that directs the victim to a malicious landing page hosted on AWS S3, which delivers an AutoHotkey-based dropper. The dropper installs three components: SNOWBELT, a malicious Chromium browser extension that acts as a backdoor; SNOWGLAZE, a Python-based WebSocket tunneler that carries C2 traffic via Heroku; and SNOWBASIN, a Python bindshell that runs as a local HTTP server for command execution. From there the intrusion progresses through credential harvesting, LSASS memory dumping, Pass-the-Hash lateral movement to domain controllers, and exfiltration of the full Active Directory database (NTDS.dit) using FTK Imager and LimeWire. GTIG's report includes YARA rules and IOCs for detection.
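The following is an added hunting example and not GTIG's published YARA rules or IOCs. It encodes one behavioural heuristic per stage of the chain summarised above (AutoHotkey interpreter launched from a user-writable path, an unpacked extension sideloaded into a Chromium browser, a Python process tunnelling to Heroku, a non-Windows binary opening LSASS, and FTK Imager running on a domain controller) and runs them over constructed Sysmon/EDR-style events. The `.herokuapp.com` suffix, the `--load-extension` check, the Windows-directory allowlist, the domain-controller inventory, and every host name and path in the sample data are assumptions, not indicators from the report.

```python
"""Hunting heuristics for the UNC6692 / SNOW ecosystem chain summarised above.

Added illustration, not GTIG's published YARA rules or IOCs. Events are
constructed, simplified EDR/Sysmon-style records; every path, host name
and process name in the sample data is an assumption chosen to exercise
one stage of the chain, not an indicator from the report.
"""
from dataclasses import dataclass

DOMAIN_CONTROLLERS = {"dc01", "dc02"}  # constructed asset inventory (assumption)
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\")
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Event:
    kind: str            # "process", "network" or "process_access"
    host: str
    image: str           # image path of the acting process
    cmdline: str = ""
    dest_host: str = ""  # network events only
    target: str = ""     # process_access events only: target image path


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


# Stage: AutoHotkey dropper delivered from the phishing landing page.
# Heuristic: AutoHotkey interpreter or .ahk script running from a user-writable path.
def ahk_dropper(e: Event) -> bool:
    if e.kind != "process":
        return False
    ahk_interp = basename(e.image).startswith("autohotkey")
    ahk_script = ".ahk" in e.cmdline.lower()
    return (ahk_interp or ahk_script) and (in_user_writable(e.image) or in_user_writable(e.cmdline))


# Stage: SNOWBELT, an extension sideloaded into a Chromium browser.
# --load-extension is one real sideloading path (assumption that it is the one used);
# extensions installed via policy or profile preferences need a separate check.
def sideloaded_extension(e: Event) -> bool:
    return (e.kind == "process"
            and basename(e.image) in {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
            and "--load-extension=" in e.cmdline.lower())


# Stage: SNOWGLAZE, Python tunnelling C2 over WebSockets via Heroku.
# The summary says only "via Heroku"; the herokuapp.com suffix is an assumption.
def heroku_tunnel(e: Event) -> bool:
    return (e.kind == "network"
            and basename(e.image).startswith("python")
            and e.dest_host.lower().endswith(".herokuapp.com"))


# Stage: credential theft by dumping LSASS memory (cf. Sysmon Event ID 10).
# Crude allowlist: anything outside Windows' own directories opening lsass.exe.
def lsass_access(e: Event) -> bool:
    return (e.kind == "process_access"
            and basename(e.target) == "lsass.exe"
            and not e.image.lower().startswith(WINDOWS_DIRS))


# Stage: FTK Imager on a domain controller, consistent with copying the locked
# Active Directory database (NTDS.dit) for exfiltration. Benign on analyst hosts.
def dc_disk_imaging(e: Event) -> bool:
    return (e.kind == "process"
            and e.host.lower() in DOMAIN_CONTROLLERS
            and (basename(e.image) == "ftk imager.exe" or "ntds.dit" in e.cmdline.lower()))


RULES = {
    "ahk_dropper": ahk_dropper,
    "sideloaded_extension": sideloaded_extension,
    "heroku_tunnel": heroku_tunnel,
    "lsass_access": lsass_access,
    "dc_disk_imaging": dc_disk_imaging,
}


def hunt(events):
    """Return (rule_name, event_index) for every event that matches a rule."""
    hits = []
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits.append((name, i))
    return hits


# Constructed sample telemetry: benign decoys interleaved with one event per stage.
SAMPLE_EVENTS = [
    Event("process", "ws01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          cmdline="chrome.exe https://teams.microsoft.com"),                       # 0 benign
    Event("process", "ws01", r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey64.exe",
          cmdline=r'"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey64.exe" support.ahk'),  # 1
    Event("process", "ws01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          cmdline=r'"chrome.exe" --load-extension="C:\Users\jdoe\AppData\Local\ext"'),  # 2
    Event("network", "ws01", r"C:\Users\jdoe\AppData\Local\Programs\Python\python.exe",
          dest_host="pypi.org"),                                                  # 3 benign
    Event("network", "ws01", r"C:\Users\jdoe\AppData\Local\Programs\Python\python.exe",
          dest_host="example-app-1234.herokuapp.com"),                            # 4
    Event("process_access", "ws01", r"C:\Windows\System32\svchost.exe",
          target=r"C:\Windows\System32\lsass.exe"),                               # 5 benign
    Event("process_access", "ws01", r"C:\Users\jdoe\AppData\Local\Temp\tool.exe",
          target=r"C:\Windows\System32\lsass.exe"),                               # 6
    Event("process", "dc01", r"C:\Program Files\AccessData\FTK Imager\FTK Imager.exe"),  # 7
    Event("process", "ws02", r"C:\Program Files\AccessData\FTK Imager\FTK Imager.exe"),  # 8 analyst
]

if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{name}] host={ev.host} image={ev.image}")
```

Each rule is deliberately narrow so that the decoy events (a normal Chrome launch, pip talking to pypi.org, svchost touching LSASS, FTK Imager on an analyst workstation) do not fire; in production the LSASS allowlist in particular needs to be widened for EDR and antivirus processes that legitimately open lsass.exe from outside the Windows directories.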