
Hackers impersonate Microsoft Teams staff to deploy SNOW malware

UNC6692 is exploiting Microsoft Teams' external collaboration features to impersonate IT helpdesk staff and deliver a custom malware suite.
Threat group UNC6692 is combining mass email bombing with Microsoft Teams messages that impersonate IT staff to deploy the SNOW malware toolkit and steal credentials from enterprise networks.

A newly identified threat group is using Microsoft Teams to pose as IT helpdesk staff, bomb corporate inboxes with spam, and then deploy a custom malware suite on enterprise networks. Google Threat Intelligence Group and Mandiant disclosed the campaign, attributing it to a cluster they are tracking as UNC6692.

How UNC6692 gets in

According to the report, the attack starts with a mass email bombing run against the target, flooding their inbox to manufacture a sense of crisis. An attacker then reaches out through Microsoft Teams from an external account, claiming to be IT support and offering to fix the spam problem.

Employees who accept the chat invitation are sent a phishing link that leads to a convincing fake page titled "Mailbox Repair and Sync Utility v2.1.5."

A fake Health Check button on that page harvests their mailbox credentials and ships them straight to an attacker-controlled AWS S3 bucket. According to Mandiant, an AutoHotkey script is also downloaded silently in the background and installs the group's malware toolkit.
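The intrusion chain above has a detectable shape: a burst of inbound mail to one user, followed shortly by a Teams message from outside the tenant to that same user. The following is an added detection example, not code from the Mandiant report or from the threat actor; record layouts, the tenant domain, thresholds and all events are constructed assumptions, and in production the two feeds would come from mail-flow logs and the Teams audit log.

```python
"""Added detection example (not from the Mandiant report): correlate an inbound
mail burst against a user with a subsequent chat from outside the tenant.
Record layouts are assumed and simplified; all events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"          # assumed tenant domain
T0 = datetime(2026, 4, 20, 9, 0)          # constructed start time

# (timestamp, recipient): 60 messages to alice in five minutes, 3 to bob
MAIL_EVENTS = [(T0 + timedelta(seconds=5 * i), "alice@corp.example") for i in range(60)]
MAIL_EVENTS += [(T0 + timedelta(minutes=m), "bob@corp.example") for m in (1, 30, 55)]

# (timestamp, recipient, sender): Teams messages received by our users (constructed)
TEAMS_EVENTS = [
    (T0 + timedelta(minutes=40), "alice@corp.example", "it.support@helpdesk-services.example"),
    (T0 + timedelta(minutes=45), "alice@corp.example", "carol@corp.example"),
    (T0 + timedelta(minutes=60), "bob@corp.example", "dan@partner.example"),
]


def find_mail_bursts(mail_events, threshold=50, window=timedelta(minutes=10)):
    """Return {recipient: burst_start} for recipients that received at least
    `threshold` messages inside any sliding `window`."""
    per_user = defaultdict(list)
    for ts, rcpt in mail_events:
        per_user[rcpt.lower()].append(ts)
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # shrink the window from the left until it spans at most `window`
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = times[start]
                break
    return bursts


def correlate(mail_events, teams_events, internal_domain=INTERNAL_DOMAIN,
              lookahead=timedelta(hours=4)):
    """Flag external Teams senders who contacted a bombed user within
    `lookahead` of the burst starting. Internal senders are ignored."""
    bursts = find_mail_bursts(mail_events)
    alerts = []
    for ts, rcpt, sender in teams_events:
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if sender_domain == internal_domain.lower():
            continue
        burst_start = bursts.get(rcpt.lower())
        if burst_start is not None and burst_start <= ts <= burst_start + lookahead:
            alerts.append({"user": rcpt, "external_sender": sender,
                           "burst_start": burst_start, "chat_at": ts})
    return alerts


if __name__ == "__main__":
    for a in correlate(MAIL_EVENTS, TEAMS_EVENTS):
        print(f"{a['user']}: mail burst from {a['burst_start']:%H:%M}, "
              f"external Teams contact from {a['external_sender']} at {a['chat_at']:%H:%M}")
```

Only alice is flagged: bob's three messages never cross the burst threshold, and carol's chat to alice is internal. The threshold and look-ahead window are starting points to tune against normal mail volume for the tenant.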

What SNOW actually does

The toolkit has three components, according to the report. SNOWBELT is a malicious Chromium browser extension that disguises itself as "MS Heartbeat" or "System Heartbeat" and acts as the primary backdoor.

SNOWGLAZE is a Python-based tunneler that pushes traffic through the victim's machine to the group's command-and-control server over WebSocket. It wraps data in Base64-encoded JSON so that the traffic resembles ordinary web-application traffic; Base64 is an encoding, not encryption, so the wrapping hides nothing from an inspecting proxy that decodes it.

SNOWBASIN sits underneath all of it as a persistent backdoor, giving the attacker remote command execution, screenshot capture, and file access on demand. Together, Mandiant says, the three components give UNC6692 a quiet, durable foothold that blends into routine browser and network activity.

Where it goes from there

From the initial foothold, the group scans the local network for open ports and pivots toward domain controllers using Pass-the-Hash with stolen NTLM password hashes. According to Mandiant, the group dumps the memory of the LSASS process on a backup server and uploads the dump to the LimeWire file-sharing service, so that credentials can be extracted from it offline.

Once on a domain controller, Mandiant says UNC6692 uses FTK Imager, a legitimate forensic imaging tool that can copy files the operating system holds locked, to pull the Active Directory database file (NTDS.dit) along with the Security Account Manager (SAM) and SYSTEM registry hives. Everything is again exfiltrated via LimeWire before the group takes screen captures of the domain controller.
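Each of the post-exploitation steps above leaves telemetry that a handful of rules can catch: a non-allowlisted process opening lsass.exe with memory-read rights, a forensic imaging tool launched on a domain controller, registry hive exports of SAM and SYSTEM, and a server connecting to a consumer file-sharing service. The hunting script below is an added example, not Mandiant's or the threat actor's code. Field names follow Sysmon (Event ID 1 ProcessCreate, 3 NetworkConnect, 10 ProcessAccess), but the events, hostnames, the LSASS allowlist and the file-sharing domain are constructed assumptions to tune per environment.

```python
"""Added hunting example (not from the Mandiant report): run simple rules over
constructed, simplified Sysmon-style events to surface the post-exploitation
steps described above. Events and hostnames are constructed."""
import re
from pathlib import PureWindowsPath

PROCESS_VM_READ = 0x10  # access right needed to read another process's memory

# Processes that legitimately open lsass.exe with read rights (assumed baseline)
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

# Constructed events, not real telemetry
EVENTS = [
    {"EventID": 10, "Computer": "BACKUP01", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "Computer": "BACKUP01", "SourceImage": r"C:\Users\svc_backup\AppData\Local\Temp\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "Computer": "DC01", "Image": r"C:\Tools\FTK Imager\FTK Imager.exe",
     "CommandLine": r'"C:\Tools\FTK Imager\FTK Imager.exe"'},
    {"EventID": 1, "Computer": "IR-WS01", "Image": r"C:\Tools\FTK Imager\FTK Imager.exe",
     "CommandLine": r'"C:\Tools\FTK Imager\FTK Imager.exe"'},
    {"EventID": 1, "Computer": "DC01", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Temp\sam.hiv"},
    {"EventID": 1, "Computer": "DC01", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SYSTEM C:\Temp\system.hiv"},
    {"EventID": 1, "Computer": "WS07", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
    {"EventID": 3, "Computer": "DC01", "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "DestinationHostname": "limewire.com"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def detect(events, domain_controllers, file_share_domains=("limewire.com",)):
    """Return (rule, host, detail) tuples for events matching the hunting rules."""
    dcs = {h.upper() for h in domain_controllers}
    alerts = []
    for e in events:
        host, eid = e["Computer"], e["EventID"]
        if eid == 10 and _base(e["TargetImage"]) == "lsass.exe":
            src = _base(e["SourceImage"])
            access = int(e["GrantedAccess"], 16)
            # Query-only handles (e.g. 0x1000) are routine; VM_READ from an
            # unexpected image is the credential-dump signal
            if access & PROCESS_VM_READ and src not in LSASS_ALLOWLIST:
                alerts.append(("lsass_memory_read", host, src))
        elif eid == 1:
            img, cmd = _base(e["Image"]), e["CommandLine"]
            if img == "ftk imager.exe" and host.upper() in dcs:
                alerts.append(("forensic_imager_on_dc", host, img))
            m = re.search(r"\breg(?:\.exe)?\s+save\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b",
                          cmd, re.IGNORECASE)
            if m:
                alerts.append(("registry_hive_export", host, m.group(1).upper()))
            if "ntds.dit" in cmd.lower():
                alerts.append(("ntds_dit_reference", host, cmd))
        elif eid == 3:
            dest = e.get("DestinationHostname", "").lower()
            if any(dest == d or dest.endswith("." + d) for d in file_share_domains):
                alerts.append(("file_sharing_connection", host, dest))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(EVENTS, ["DC01"]):
        print(f"{rule:24} {host:10} {detail}")
```

FTK Imager reads the raw disk rather than opening NTDS.dit through the file system, so a file-access rule on the database would miss it; scoping the process-creation rule to domain controllers (while ignoring the same tool on an incident-response workstation) is what makes the rule useful.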

The report notes that Microsoft Teams displays a warning when messages arrive from outside the organization, and that warning is the user's main cue in this campaign. Any unsolicited external support request should be verified through a known internal channel, such as the helpdesk number or ticketing system the organization already uses, before any access is granted. Administrators can also restrict or allowlist the external domains that are permitted to reach users through Teams external access.

Darryl Linington, 2026-04-24 (Update: 2026-04-27)