Microsoft Teams Hacked by UNC6692 Hackers for SNOW Malware Deployment
Hacking Campaign Uses Microsoft Teams to Deploy Modular SNOW Malware
A sophisticated hacking group, identified as UNC6692, has launched a data theft campaign that leverages social engineering and a custom-built toolset, dubbed the SNOW ecosystem, to breach corporate networks.
The attack chain begins with email bombing: the hackers flood a target's inbox with thousands of messages to create a diversion. While the victim is preoccupied with the email influx, the hackers send a Microsoft Teams message that appears to come from the IT department. It offers a link to a supposed software update or patch, which actually leads to a credential-stealing webpage designed to mimic a Mailbox Repair Utility.
This webpage employs a psychological tactic, rejecting the initial two login attempts before accepting the correct credentials.
Modular Toolset:
- SNOWBELT: A malicious browser extension serving as the primary entry point and command relay.
- SNOWGLAZE: A Python-based tunneling tool establishing a covert connection to the attackers’ servers.
- SNOWBASIN: A backdoor providing remote command execution (RCE) through PowerShell or cmd.exe, used to run system commands, capture device screenshots, and transfer stolen files.
Following the initial foothold, the attackers conduct internal reconnaissance to identify connected computers and servers. Using Python scripts, they scan the network for ports 135, 445, and 3389 (RPC, SMB, and RDP), which are associated with file sharing and remote access, before moving on to the central servers that manage user passwords.
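Both the inbox-bombing diversion and the port sweep described above are bursts that stand out in ordinary mail-gateway and connection logs. The following Python is added here as an illustration; it is not part of the original article and has nothing to do with UNC6692's tooling. It runs one sliding-window detector over two constructed log sets: it flags a recipient who receives an unusual number of messages within ten minutes, and a source host that reaches many distinct hosts on ports 135/445/3389 within five minutes. The log formats, addresses, mailboxes, and thresholds are all assumptions made for the example.

```python
"""Sliding-window burst detection over constructed log lines.

Two detections share one helper:
  * inbox bombing: many inbound messages to one recipient in a short window
  * reconnaissance scanning: one source reaching many distinct hosts on the
    RPC/SMB/RDP ports (135, 445, 3389) in a short window
Every log line below is constructed for this example; no real product's
log format is implied.
"""
from collections import Counter, deque
from datetime import datetime, timedelta

RECON_PORTS = {135, 445, 3389}


def sliding_window_peaks(events, window, threshold):
    """events: (timestamp, key, item) tuples in any order.

    For each key, track how many distinct items were seen in any trailing
    `window`, and return {key: peak_distinct_count} for keys whose peak
    reaches `threshold`.
    """
    per_key = {}   # key -> (deque of (ts, item) in window, Counter of items in window)
    peaks = {}
    for ts, key, item in sorted(events, key=lambda e: e[0]):
        q, counts = per_key.setdefault(key, (deque(), Counter()))
        q.append((ts, item))
        counts[item] += 1
        cutoff = ts - window
        # Evict everything older than the window before measuring it.
        while q and q[0][0] < cutoff:
            _, old_item = q.popleft()
            counts[old_item] -= 1
            if counts[old_item] == 0:
                del counts[old_item]
        distinct = len(counts)
        if distinct > peaks.get(key, 0):
            peaks[key] = distinct
    return {k: v for k, v in peaks.items() if v >= threshold}


def parse_mail_log(lines):
    """Assumed format: '<ISO time> inbound to=<rcpt> from=<sender> id=<msgid>'."""
    events = []
    for line in lines:
        ts, _direction, rest = line.split(" ", 2)
        fields = dict(f.split("=", 1) for f in rest.split())
        # key = recipient, item = message id (every message counts once)
        events.append((datetime.fromisoformat(ts), fields["to"], fields["id"]))
    return events


def parse_conn_log(lines):
    """Assumed format: '<ISO time> src=<ip> dst=<ip> dport=<port>'."""
    events = []
    for line in lines:
        ts, rest = line.split(" ", 1)
        fields = dict(f.split("=", 1) for f in rest.split())
        if int(fields["dport"]) in RECON_PORTS:
            # key = scanning source, item = distinct destination host
            events.append((datetime.fromisoformat(ts), fields["src"], fields["dst"]))
    return events


def detect_inbox_bombing(lines, window=timedelta(minutes=10), threshold=10):
    return sliding_window_peaks(parse_mail_log(lines), window, threshold)


def detect_recon_scan(lines, window=timedelta(minutes=5), threshold=5):
    return sliding_window_peaks(parse_conn_log(lines), window, threshold)


# --- constructed sample data ------------------------------------------------
_BASE = datetime(2024, 1, 1, 9, 0, 0)

# 12 messages to one mailbox in under three minutes, plus normal traffic.
MAIL_LOG = [
    f"{(_BASE + timedelta(seconds=15 * i)).isoformat()} inbound "
    f"to=jdoe@corp.example from=list{i}@spam.example id=m{i}"
    for i in range(12)
] + [
    "2024-01-01T09:00:30 inbound to=asmith@corp.example from=hr@corp.example id=m100",
    "2024-01-01T09:30:00 inbound to=asmith@corp.example from=it@corp.example id=m101",
]

# One host sweeping eight servers on 135/445/3389, plus a benign file-share user.
CONN_LOG = [
    f"{(_BASE + timedelta(seconds=10 * i)).isoformat()} src=10.0.5.23 dst=10.0.0.{i + 1} dport={port}"
    for i in range(8)
    for port in (135, 445, 3389)
] + [
    "2024-01-01T09:00:05 src=10.0.5.40 dst=10.0.0.2 dport=445",
    "2024-01-01T09:00:09 src=10.0.5.40 dst=10.0.0.2 dport=445",
    "2024-01-01T09:00:12 src=10.0.5.40 dst=10.0.0.3 dport=443",
]

if __name__ == "__main__":
    print("inbox bombing :", detect_inbox_bombing(MAIL_LOG))   # {'jdoe@corp.example': 12}
    print("recon scanning:", detect_recon_scan(CONN_LOG))      # {'10.0.5.23': 8}
```

The detector keys on the recipient for mail and on the source address for connections, and counts distinct items rather than raw events, so a benign host reconnecting to the same file server many times does not trip the scan rule. Thresholds and windows are starting points to tune against a real baseline.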
In their pursuit of sensitive information, the attackers focus on the Local Security Authority Subsystem Service (LSASS) process memory on backup servers, stealing additional login credentials and moving laterally with the pass-the-hash technique. Once they reach the Domain Controllers and gain control of them, they use FTK Imager to mount local drives and extract the Active Directory database (NTDS.dit) along with the SAM, SYSTEM, and SECURITY registry hives.
Finally, they employ LimeWire to exfiltrate the extracted data.
This campaign showcases the evolving tactics of threat actors, who leverage legitimate cloud services to blend in with normal business activity, and it underscores early detection as the most effective defense against such threats. As threat actors continually refine their methods, the capacity to correlate disparate indicators becomes increasingly crucial in countering these sophisticated attacks.
