UNC6692 deploys Snow malware via Teams impersonation

Threat group UNC6692 uses Microsoft Teams impersonation to deliver modular Snow malware to corporate networks.

Sources: 1 verified
Updated: Sunday, 26 April 2026 at 05:57 UTC

UNC6692 conducts a campaign that impersonates IT helpdesk staff in Microsoft Teams messages, prompting victims to install malicious patches. The patches deploy the Snow malware suite, including the SnowBelt browser extension, SnowGlaze tunneler, and SnowBasin backdoor, establishing persistent WebSocket tunnels for command execution. The group also performs LSASS memory extraction, pass‑the‑hash authentication, and exfiltrates Active Directory data. Mandiant’s analysis provides indicators of compromise and YARA rules to detect the toolset, noting its use of headless browsers to evade detection. The operation highlights advanced tradecraft targeting credential theft and lateral movement toward domain controllers.