Social Engineering Campaign Exposed by Researchers: UNC6692 Team
Microsoft Teams Used For Help Desk Impersonation
A previously undocumented threat activity cluster, known as UNC6692, has been observed using Microsoft Teams impersonation to deploy a custom malware suite on compromised systems.
According to research by ReliaQuest, senior-level employees accounted for 77% of observed incidents from March 1 to April 1, 2026, a significant increase from 59% in the first two months of 2026.
The group has been linked to a large-scale campaign targeting employees at various organizations, with a focus on executives and senior-level personnel. This campaign relies on social engineering, trusted collaboration tools, and legitimate cloud services to gain access, move laterally, and exfiltrate data from enterprise networks.
- The group uses Microsoft Teams impersonation to trick victims into accepting chat invitations from outside their organizations.
- Victims are instructed to install legitimate remote-access tools such as Microsoft Quick Assist or Supremo Remote Desktop, which give the attackers hands-on access to the system.
- The attackers use a gatekeeper script that serves payloads only to intended targets and withholds them from automated security sandboxes.
- A phishing page serves a fake configuration management panel with a prominent “Health Check” button; users who click it are prompted to enter their mailbox credentials under the appearance of an authentication step, and the credentials are harvested and exfiltrated to an Amazon S3 bucket.
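The defensive question the initial-access chain above raises is how to spot it early: an external Teams chat followed, on the same user's machine, by the launch of a remote-access tool. The following is an added example written for this page, not ReliaQuest or Mandiant detection content. It correlates constructed Teams chat records with constructed process-creation records in a simplified schema (the field names, the trusted domain `example.com`, the Supremo binary names and the two-hour window are all assumptions; map your own audit log and EDR fields onto them):

```python
"""Correlate external Microsoft Teams chats with subsequent launches of
remote-access tools on the same user's host (added example, constructed data)."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Binary names of the remote-access tools named in the campaign. The Supremo
# file names are an assumption (the vendor ships several executables); adjust
# them to what your software inventory actually shows.
REMOTE_ACCESS_BINARIES = {"quickassist.exe", "supremo.exe", "supremoservice.exe"}

# Domains that count as "inside" the organization. Constructed for the example.
TRUSTED_DOMAINS = {"example.com"}

# How long after an external chat a remote-tool launch is still treated as related.
WINDOW = timedelta(hours=2)

# Constructed Teams chat records in a simplified schema. Real Microsoft 365
# audit records carry many more fields; mapping them to these is left to the reader.
TEAMS_EVENTS = [
    {"time": "2026-03-12T09:14:00", "user": "cfo@example.com",
     "sender": "it-support@helpdesk-example.onmicrosoft.com"},   # external tenant
    {"time": "2026-03-12T09:20:00", "user": "cfo@example.com",
     "sender": "ciso@example.com"},                               # internal, benign
    {"time": "2026-03-12T03:00:00", "user": "vp.sales@example.com",
     "sender": "vendor@partner-example.org"},                     # external, but hours earlier
]

# Constructed process-creation records (the shape of Sysmon Event ID 1 data).
PROCESS_EVENTS = [
    {"time": "2026-03-12T09:41:00", "user": "cfo@example.com",
     "image": r"C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_2.0.0.0_x64__8wekyb3d8bbwe\QuickAssist.exe"},
    {"time": "2026-03-12T09:42:00", "user": "cfo@example.com",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"time": "2026-03-12T09:50:00", "user": "vp.sales@example.com",
     "image": r"C:\Users\vp.sales\Downloads\Supremo.exe"},       # no external chat within the window
]


def parse(ts):
    return datetime.fromisoformat(ts)


def is_external(sender, trusted_domains=TRUSTED_DOMAINS):
    """True when the sender's mail domain is not one of ours."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain not in trusted_domains


def correlate(teams_events, process_events, trusted_domains=TRUSTED_DOMAINS, window=WINDOW):
    """Return one alert per remote-access tool launch that follows an external
    Teams chat to the same user within `window`."""
    alerts = []
    for proc in process_events:
        name = PureWindowsPath(proc["image"]).name.lower()
        if name not in REMOTE_ACCESS_BINARIES:
            continue
        launched = parse(proc["time"])
        for chat in teams_events:
            if chat["user"] != proc["user"] or not is_external(chat["sender"], trusted_domains):
                continue
            delta = launched - parse(chat["time"])
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": proc["user"],
                    "tool": name,
                    "external_sender": chat["sender"],
                    "minutes_after_chat": int(delta.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(TEAMS_EVENTS, PROCESS_EVENTS):
        print(alert)
```

On the constructed data this raises a single alert, for the executive whose Quick Assist launch came 27 minutes after a chat from an external tenant; the Supremo launch by the other user is ignored because the only external chat to that user is well outside the window. In production the window and the binary list are the two knobs to tune, and the same logic applies to any remote-access tool a help-desk impersonator might push.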
Malware Ecosystem Components
Mandiant researchers have identified several components of the broader malware ecosystem used by UNC6692:
- SNOWBELT: a JavaScript-based backdoor that receives commands and relays them to SNOWBASIN for execution.
- SNOWGLAZE: a Python-based tunneller that creates a secure, authenticated WebSocket tunnel between the victim’s internal network and the attacker’s command-and-control server.
- SNOWBASIN: a persistent backdoor that enables remote command execution through cmd.exe or powershell.exe, screenshot capture, file upload, and more.
Once initial access is gained, the attackers use a Python script to scan the local network for specific ports, establish PsExec sessions through the SNOWGLAZE tunnel, and initiate RDP sessions from victim systems to backup servers. Using a local administrator account, they dump LSASS process memory through Windows Task Manager to harvest credential material, then use pass-the-hash techniques with those credentials to move laterally to domain controllers.
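Each step of that post-access chain leaves a distinct trace on Windows hosts, and hunting for them together is more reliable than hunting for any one of them. The following is an added example for this page, not Mandiant's or ReliaQuest's detection content. It runs four checks over a constructed, Sysmon- and Security-log-shaped event set (the field names are simplified, and the process allowlist and domain-controller hostnames are assumptions to be replaced with your own baseline): a non-allowlisted process opening `lsass.exe` (Sysmon Event ID 10), creation of an `lsass*.DMP` file such as Task Manager writes (Sysmon Event ID 11), installation of the default PsExec service (System log Event ID 7045), and NTLM network logons on domain controllers (Security log Event ID 4624, logon type 3), which is what pass-the-hash typically looks like from the target's side:

```python
"""Hunt for the LSASS-dump / PsExec / pass-the-hash chain in constructed
Windows event data (added example; field names simplified)."""
from pathlib import PureWindowsPath

# Processes that legitimately open lsass.exe on a typical workstation.
# Constructed allowlist; build yours from a real baseline before relying on it.
LSASS_ACCESS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

# Hostnames of domain controllers. Constructed for the example.
DOMAIN_CONTROLLERS = {"DC-01", "DC-02"}

# Constructed events. The schema is a flattened, simplified version of the
# Sysmon and Security log fields that matter for each check.
SAMPLE_EVENTS = [
    # Task Manager opening lsass.exe (the access mask Task Manager requests is
    # not asserted on here; the unexpected source image is the signal)
    {"host": "WS-CFO-01", "event_id": 10,
     "source_image": r"C:\Windows\System32\Taskmgr.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    # the minidump Task Manager writes to the user's temp directory
    {"host": "WS-CFO-01", "event_id": 11,
     "image": r"C:\Windows\System32\Taskmgr.exe",
     "target_filename": r"C:\Users\cfo\AppData\Local\Temp\lsass.DMP"},
    # Defender touching lsass.exe: expected, must not alert
    {"host": "WS-CFO-01", "event_id": 10,
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # PsExec's default service being installed on the backup server
    {"host": "BACKUP-01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # NTLM network logon on a domain controller from the compromised workstation
    {"host": "DC-01", "event_id": 4624, "logon_type": 3, "auth_package": "NTLM",
     "target_user": "backupadmin", "workstation": "WS-CFO-01"},
    # Kerberos network logon on the same DC: normal, must not alert
    {"host": "DC-01", "event_id": 4624, "logon_type": 3, "auth_package": "Kerberos",
     "target_user": "svc-backup", "workstation": "BACKUP-01"},
]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def lsass_access(events):
    """Sysmon 10: lsass.exe opened by a process outside the allowlist."""
    return [e for e in events
            if e["event_id"] == 10
            and _basename(e["target_image"]) == "lsass.exe"
            and _basename(e["source_image"]) not in LSASS_ACCESS_ALLOWLIST]


def lsass_dump_files(events):
    """Sysmon 11: a file named lsass*.dmp being created (Task Manager's naming)."""
    out = []
    for e in events:
        if e["event_id"] != 11:
            continue
        name = _basename(e["target_filename"])
        if name.startswith("lsass") and name.endswith(".dmp"):
            out.append(e)
    return out


def psexec_service_installs(events):
    """System 7045: PsExec's default service. Note that PsExec -r renames it,
    so this catches default usage only."""
    return [e for e in events
            if e["event_id"] == 7045
            and (e["service_name"].upper() == "PSEXESVC"
                 or _basename(e["image_path"]) == "psexesvc.exe")]


def ntlm_logons_to_dcs(events):
    """Security 4624, type 3, NTLM, recorded on a domain controller."""
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 3
            and e["auth_package"].upper() == "NTLM"
            and e["host"] in DOMAIN_CONTROLLERS]


CHECKS = (
    ("lsass_access", lsass_access),
    ("lsass_dump_file", lsass_dump_files),
    ("psexec_service", psexec_service_installs),
    ("ntlm_logon_to_dc", ntlm_logons_to_dcs),
)


def findings_by_host(events):
    """Map each host to the ordered list of techniques observed on it, so the
    analyst sees the chain rather than four unrelated alerts."""
    findings = {}
    for label, check in CHECKS:
        for e in check(events):
            hits = findings.setdefault(e["host"], [])
            if label not in hits:
                hits.append(label)
    return findings


if __name__ == "__main__":
    for host, hits in findings_by_host(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(hits))
```

The per-host grouping is the useful part: a workstation with both an LSASS access and an `lsass.DMP` write, a server with a fresh PSEXESVC install, and a domain controller seeing NTLM network logons from that workstation is the whole sequence described above, and a rule that fires on the combination can be held to a much lower false-positive rate than any single signal. The NTLM check in particular is noisy in environments that still rely on NTLM, so scope it to sensitive accounts or to workstations that should never authenticate to a DC over NTLM.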
