UNC6692 Spreads ‘Snow’ Malware via Email Bombing and Social Engineering Tactics


UNC6692 Uses Bombing, Social Engineering to Deploy Snow Malware

A sophisticated threat actor has been observed employing a multi-stage attack campaign involving email bombing and social engineering to deploy a complex malware framework called Snow.

The attack, attributed to the UNC6692 group, targets organizations by initially overwhelming victims with emails and then convincing them to execute malicious code, according to a report by the Google Threat Intelligence Group (GTIG).

Attack Campaign Details

In December 2025, UNC6692 began targeting its victims by sending a barrage of emails and posing as an IT support employee via Microsoft Teams.

The attackers pretended to assist with the large volume of incoming emails, tricking the victim into clicking on a URL leading to a phishing page offering a fake mailbox repair utility.

This page checked for specific parameters in the link, verified the victim’s browser was Microsoft Edge, and presented a panel posing as the repair utility.

When the user clicked a ‘health check’ button on the page, they were presented with a fake authentication box intended to harvest and validate their credentials.

A fake progress bar was also displayed to avoid suspicion.

In the background, a script on the page established persistence by adding a shortcut to an AutoHotkey script to the Windows Startup folder and creating two scheduled tasks that open a windowless Edge process and load Snowbelt.
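As an added illustration, not code from the report or from GTIG: a small Python detection routine that scans constructed, Sysmon-style endpoint events for the two persistence artifacts described above, a Startup-folder shortcut pointing at an AutoHotkey script and a scheduled task that launches Edge headless. The event field names, sample paths, task names and extension location are assumptions of this example, and the `--headless` / `--load-extension` switches are generic Chromium flags, not values taken from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry), loosely modelled on
# Sysmon FileCreate and Security 4698 (scheduled task created) records.
# Field names and all paths/names below are assumptions of this example.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MailRepair.lnk",
     "target": r"C:\Users\alice\AppData\Local\Temp\repair.ahk"},
    {"type": "task_create", "name": r"\EdgeUpdateHealth",
     "command": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "args": r"--headless --load-extension=C:\Users\alice\AppData\Local\ext"},
    {"type": "task_create", "name": r"\EdgeUpdateHealth2",
     "command": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "args": r"--headless=new --load-extension=C:\Users\alice\AppData\Local\ext"},
    # Benign noise: a normal scheduled task and an ordinary file write.
    {"type": "task_create", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe", "args": "-c -h -o"},
    {"type": "file_create", "path": r"C:\Users\alice\Downloads\notes.txt", "target": ""},
]

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
HEADLESS_RE = re.compile(r"(^|\s)--headless(=\w+)?(\s|$)", re.IGNORECASE)


def startup_shortcut_to_script(ev):
    """True for a .lnk written to a user's Startup folder whose target is an .ahk script."""
    return (ev["type"] == "file_create"
            and STARTUP_RE.search(ev["path"]) is not None
            and ev["path"].lower().endswith(".lnk")
            and ev.get("target", "").lower().endswith(".ahk"))


def task_launches_hidden_edge(ev):
    """True for a scheduled task whose action starts msedge.exe with a headless switch."""
    return (ev["type"] == "task_create"
            and PureWindowsPath(ev["command"]).name.lower() == "msedge.exe"
            and HEADLESS_RE.search(ev.get("args", "")) is not None)


def find_snow_persistence(events):
    """Return (rule_name, identifier) for every event that matches one of the two rules."""
    hits = []
    for ev in events:
        if startup_shortcut_to_script(ev):
            hits.append(("startup_lnk_to_ahk", ev["path"]))
        elif task_launches_hidden_edge(ev):
            hits.append(("task_hidden_edge", ev["name"]))
    return hits


if __name__ == "__main__":
    for rule, ident in find_snow_persistence(SAMPLE_EVENTS):
        print(f"{rule}: {ident}")
```

Each rule is noisy on its own (legitimate automation also runs headless browsers); the two firing on the same host within a short window is the stronger signal.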

Malware Deployment

The attackers used the malicious extension to gain access to the targeted system.

They used Snowglaze to establish a Sysinternals PsExec session to the system and enumerate administrator accounts.

One of these accounts was then used to initiate a Remote Desktop Protocol (RDP) session to a backup server via the Snowglaze tunnel.

Although not directly observed, the threat actor may have acquired the local administrator accounts’ credentials via multiple attack paths such as authenticated Server Message Block (SMB) share enumeration.

Data Exfiltration and Domain Control Access

The threat actor then dumped the LSASS process memory from the backup server and exfiltrated it via LimeWire to extract usernames, passwords, and user account hashes from it.

Subsequently, UNC6692 used pass-the-hash to access the network’s domain controller.

Snow Malware Framework

The Snow malware framework, consisting of Snowbelt, Snowglaze, and Snowbasin, forms a coordinated pipeline that facilitates the attacker’s journey from initial browser-based access to the internal network of the organization.

  • Snowbelt intercepts commands and delivers them to Snowbasin for execution, providing authenticated access to the environment and enabling lateral movement and privilege escalation.
  • Snowglaze creates a secure, authenticated WebSocket tunnel to the attackers’ command-and-control (C&C) server, facilitates SOCKS proxy operations, and hides malicious traffic.
  • Snowbasin functions as a persistent backdoor, supporting command execution, screenshot capture, and data harvesting.

Hosted Malicious Components on Trusted Cloud Platforms

By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic, as demonstrated by the UNC6692 campaign.

This highlights the importance of implementing robust security measures to prevent similar attacks in the future.
