Snow Malware Suite Turns Microsoft Teams Into a Help Desk Trap
| Field | Detail |
|---|---|
| Group | UNC6692 (financially motivated cluster, attribution unconfirmed beyond Mandiant tracking ID) |
| Type | Modular custom malware suite, browser extension plus Python tunneler plus Python backdoor |
| Malware | SNOWBELT (Chromium extension), SNOWGLAZE (WebSocket and SOCKS tunneler), SNOWBASIN (local HTTP backdoor) |
| Delivery | Email bombing followed by Microsoft Teams impersonation of internal IT helpdesk staff |
| Score | 7.5 High. Active campaign, novel TTP combination, broad enterprise relevance, no patch route because the access vector is human authorisation. |
| Observed | 28 April 2026 |
Overview
Google Threat Intelligence Group and Mandiant have disclosed a previously untracked threat cluster, UNC6692, deploying a custom three-stage malware suite known internally as Snow. The campaign first surfaced during an incident response engagement in December 2025, and was made public on 23 April 2026 alongside YARA rules and indicators of compromise. The actor's tradecraft combines a high volume email bombing burst with a follow up impersonation call inside Microsoft Teams, exploiting the trust users place in messages that appear to originate from an internal corporate tenant.
The Snow ecosystem is built around three interlocking components. SNOWBELT is a JavaScript backdoor delivered as a Chromium browser extension and disguised under benign names such as MS Heartbeat or System Heartbeat. SNOWGLAZE is a Python tunneler that opens an authenticated WebSocket channel to attacker infrastructure and offers SOCKS proxy services for arbitrary onward traffic. SNOWBASIN is a Python backdoor that listens locally on port 8000 and executes commands via cmd.exe or powershell.exe, capturing screenshots and staging files for exfiltration. The components are designed to chain together so that browser based command relay, network tunnelling, and host execution all share the same authenticated session.
UNC6692's post compromise activity is more aggressive than typical commodity intrusion sets. Once inside, the actor used Pass the Hash to reach a domain controller, deployed FTK Imager to capture the Active Directory database file along with the SAM, SYSTEM, and SECURITY registry hives, and exfiltrated the resulting bundle through LimeWire. The presence of a credential dumping pipeline alongside a custom remote access kit indicates this group is preparing infrastructure for repeat access, ransomware staging, or onward sale of domain credentials.
For defenders, the bottom line is that Snow renders most email centric controls irrelevant. The malicious link is not in the email burst itself; it is in a Teams chat that appears to come from the internal tenant. Anyone whose detection strategy still treats Microsoft Teams as a trusted internal channel should reassess immediately.
Key Details
Delivery Method – Email bombing of the target inbox to manufacture a support pretext, followed by an unsolicited Microsoft Teams chat from an attacker controlled identity impersonating IT helpdesk. The victim is directed to a phishing page hosted on Amazon S3 that offers a fake mailbox repair utility, which drops an AutoHotkey loader. The loader sideloads SNOWBELT into the user's Chromium based browser as an unpacked extension.
Target – Enterprise users in environments running Microsoft 365 and Microsoft Teams. No specific industry vertical has been confirmed in the disclosure; however, the toolkit's reliance on Active Directory, FTK Imager, and Pass the Hash points squarely at organisations with on premises or hybrid identity estates.
Functions
- Browser based command relay through a malicious Chromium extension
- WebSocket tunnelling and SOCKS proxy for outbound traffic concealment
- Local HTTP backdoor offering remote shell, screenshot, and file exfiltration
- Credential theft via Pass the Hash and direct copy of NTDS.dit and registry hives
- Data staging and exfiltration through legitimate file transfer tooling
Obfuscation – C2 traffic blends with legitimate cloud usage by routing SNOWBELT communications through Amazon S3 buckets and SNOWGLAZE traffic through Heroku hosted WebSocket endpoints. Browser extension naming mimics genuine Microsoft monitoring components to evade casual user inspection.
Attack Vectors
Stage 1 Email Bombing. UNC6692 floods the victim inbox with thousands of subscription confirmations and newsletter signups. The intent is not to cause direct harm but to manufacture a plausible reason for the victim to welcome an inbound IT support contact. This is the same pretext pattern that Black Basta and several social engineering crews adopted in 2024, refined here with Teams as the contact channel.
Stage 2 Microsoft Teams Impersonation. The attacker then initiates a Microsoft Teams chat from an external tenant configured to display as an internal IT staff member. The actor offers to help clear the email flood and sends the victim a link to a phishing page hosted at a service-page-[ID]-outlook.s3.us-west-2.amazonaws.com URL. The page advertises a mailbox repair tool and walks the user through installing a Chromium browser extension.
Stage 3 Initial Implant. The download is an AutoHotkey script that writes SNOWBELT to disk as an unpacked Chromium extension and side loads it into the user's browser profile. SNOWBELT registers a long lived extension worker, beacons to a randomised Amazon S3 bucket of the form https://[hex]-[digits]-[digit].s3.us-east-2.amazonaws.com, and pulls down configuration data including the SNOWGLAZE and SNOWBASIN binaries.
Stage 4 Tunnelling and Backdoor. SNOWGLAZE establishes a WebSocket Secure tunnel to an attacker controlled Heroku application, observed in the disclosure as wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws. SNOWBASIN binds a local HTTP server on port 8000 and accepts authenticated commands relayed through SNOWBELT and SNOWGLAZE. From this point the operator has interactive shell access, can run PowerShell or cmd.exe commands, and can capture screenshots or stage files for collection.
Stage 5 Credential Theft and Lateral Movement. Once a privileged account is reached, UNC6692 executes Pass the Hash to authenticate to the domain controller, downloads FTK Imager onto the controller, and uses it to copy the NTDS.dit Active Directory database alongside the SAM, SYSTEM, and SECURITY registry hives into a Downloads folder. The actor then runs LimeWire to ship the bundle to remote infrastructure for offline credential extraction.
Known Indicators of Compromise
Indicators may vary across campaigns and malware samples. Verify all IOCs against current threat feeds before actioning.
Domains and URLs
| Indicator | Type | Associated Component |
|---|---|---|
| service-page-[ID]-outlook.s3.us-west-2.amazonaws[.]com/update.html?email= | Phishing page URL pattern | Initial dropper delivery |
| [a-f0-9]{24}-[0-9]{6,7}-[0-9]{1}.s3.us-east-2.amazonaws[.]com | C2 URL pattern, Amazon S3 bucket naming | SNOWBELT |
| sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com | Heroku WebSocket C2 host | SNOWGLAZE |
| wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws | WebSocket Secure C2 endpoint | SNOWGLAZE |
Host Indicators
| Indicator | Type | Notes |
|---|---|---|
| MS Heartbeat | Chromium extension display name | SNOWBELT masquerade |
| System Heartbeat | Chromium extension display name | SNOWBELT masquerade |
| Local listener on TCP port 8000 | Network behaviour | SNOWBASIN local HTTP backdoor |
| FTK Imager execution on a domain controller | Tool abuse | UNC6692 post compromise credential capture |
| LimeWire process execution | Tool abuse | Credential exfiltration channel |
Mandiant has published the full hash list and supporting YARA rules in the Google Threat Intelligence Group disclosure. Defenders should pull those signatures directly rather than relying on partial third party reproductions.
MITRE ATT&CK Mapping
| Technique ID | Technique Name | Application in This Campaign |
|---|---|---|
| T1566.003 | Phishing, Spearphishing via Service | UNC6692 contacts victims through Microsoft Teams external chat |
| T1204.001 | User Execution, Malicious Link | Victim clicks the S3 hosted fake mailbox repair page |
| T1176 | Browser Extensions | SNOWBELT installed as a malicious Chromium extension |
| T1059.001 | Command and Scripting Interpreter, PowerShell | SNOWBASIN executes PowerShell commands relayed from operator |
| T1059.003 | Command and Scripting Interpreter, Windows Command Shell | SNOWBASIN executes cmd.exe commands |
| T1090.001 | Proxy, Internal Proxy | SNOWGLAZE provides SOCKS proxy services for arbitrary onward TCP traffic |
| T1550.002 | Use Alternate Authentication Material, Pass the Hash | Lateral movement to domain controller using captured NTLM hashes |
| T1003.003 | OS Credential Dumping, NTDS | FTK Imager captures NTDS.dit and registry hives from domain controller |
| T1567.002 | Exfiltration Over Web Service, Cloud Storage | Stolen data shipped via LimeWire and S3 bucket infrastructure |
Mitigation and Prevention
Restrict External Microsoft Teams Federation
Disable or tightly scope external access in Microsoft Teams so that unsolicited chats from outside tenants cannot reach end users. In the Teams admin centre, set External Access to allow only specific domains, and remove the default behaviour that permits any external Teams user to initiate a one to one chat.
Block Unmanaged Browser Extensions
Enforce Chromium extension allow listing through the ExtensionInstallAllowlist and ExtensionInstallBlocklist policies in Microsoft Edge, Google Chrome, and any other Chromium derivatives in use. Block extension installation outside the official store and audit existing extensions for the names MS Heartbeat and System Heartbeat.
Hunt for Local HTTP Listeners on Port 8000
SNOWBASIN binds an HTTP service on TCP port 8000 on the compromised host. Sweep your endpoint estate for unexpected local listeners on this port using EDR query language or a scheduled netstat collection, and treat any user workstation accepting inbound HTTP as suspect.
Detect WebSocket Traffic to Heroku and Unusual S3 Buckets
Add detections for sustained WebSocket Secure connections from end user workstations to herokuapp.com endpoints, and for HTTPS sessions to S3 buckets matching the SNOWBELT pattern of a 24 character hex prefix followed by numeric segments. Both patterns are unusual on a typical user device and provide high signal C2 indicators.
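The following is an added example, not code from the disclosure or from any vendor product, showing how the host patterns quoted on this page can be turned into a simple proxy log matcher. The log format, the source addresses and the sample hostnames are constructed for illustration; the SNOWBELT bucket regex, the phishing host pattern and the SNOWGLAZE Heroku host are the ones given in the indicator tables above.

```python
import re
from typing import List, Optional, Tuple

# SNOWBELT beacon bucket naming from the disclosure: 24 hex chars, a 6-7
# digit segment, then a single digit, in the us-east-2 S3 region.
SNOWBELT_S3_RE = re.compile(
    r"^[a-f0-9]{24}-[0-9]{6,7}-[0-9]\.s3\.us-east-2\.amazonaws\.com$"
)
# Phishing page host used in the Teams lure. The [ID] segment is variable
# on the page, so any single label is accepted there.
PHISH_S3_RE = re.compile(
    r"^service-page-[^.]+-outlook\.s3\.us-west-2\.amazonaws\.com$"
)
# SNOWGLAZE WebSocket C2 host quoted in the disclosure (defanging removed).
SNOWGLAZE_HOST = "sad4w7h913-b4a57f9c36eb.herokuapp.com"
# Any other herokuapp.com host reached over wss from a workstation is
# flagged as a weaker, behavioural match, as the text above recommends.
HEROKU_RE = re.compile(r"^[a-z0-9-]+\.herokuapp\.com$")


def classify_host(host: str, scheme: str) -> Optional[str]:
    """Return an indicator label for a destination, or None if nothing matched."""
    host = host.lower()
    if host == SNOWGLAZE_HOST:
        return "SNOWGLAZE known C2 host"
    if scheme.lower() == "wss" and HEROKU_RE.match(host):
        return "wss to herokuapp.com from workstation (SNOWGLAZE pattern)"
    if SNOWBELT_S3_RE.match(host):
        return "SNOWBELT S3 bucket naming pattern"
    if PHISH_S3_RE.match(host):
        return "UNC6692 phishing page host pattern"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Constructed log layout: <timestamp> <src_ip> <scheme> <host> <path>."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed or truncated records
        _ts, src, scheme, host, _path = parts[:5]
        label = classify_host(host, scheme)
        if label:
            hits.append((src, host, label))
    return hits


# Constructed sample records: three should match, two are benign.
SAMPLE_LOG = """\
2026-04-28T09:12:01Z 10.20.4.17 https a1b2c3d4e5f60718293a4b5c-1234567-3.s3.us-east-2.amazonaws.com /config
2026-04-28T09:12:05Z 10.20.4.17 wss sad4w7h913-b4a57f9c36eb.herokuapp.com /ws
2026-04-28T09:13:40Z 10.20.4.22 https service-page-77a1-outlook.s3.us-west-2.amazonaws.com /update.html
2026-04-28T09:14:02Z 10.20.4.30 https www.microsoft.com /
2026-04-28T09:14:10Z 10.20.4.30 https team-backups.s3.us-east-2.amazonaws.com /daily.tar
"""

if __name__ == "__main__":
    for src, host, label in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{src}\t{host}\t{label}")
```

Treat the bare herokuapp.com match as a triage lead rather than a verdict, since legitimate apps are hosted there; the exact SNOWGLAZE host and the SNOWBELT bucket shape are the high signal matches.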
Monitor for FTK Imager and LimeWire on Servers
FTK Imager and LimeWire have no legitimate operational purpose on a production domain controller or member server. Add file write and process execution rules that alert immediately on these binaries appearing outside dedicated forensics workstations.
Harden Active Directory Against Pass the Hash
Enforce Protected Users group membership for tier zero accounts, deploy Local Administrator Password Solution to randomise local admin credentials, and disable NTLM where Kerberos can be used. These controls disrupt the lateral movement step that UNC6692 relies on after initial implantation.
Rehearse the Help Desk Pretext With End Users
Run a focused awareness exercise that simulates the email bombing plus Teams contact scenario. Train staff to verify any unsolicited helpdesk contact through a known internal channel before clicking links or installing software, regardless of whether the message arrives by email, Teams, or phone.
Risk Assessment
The Snow campaign is significant because it demonstrates a clean operational separation between the noise channel and the payload channel. Email security stacks see the bombing burst and respond with rate limiting or quarantine, while the actual compromise occurs through Microsoft Teams, which most organisations still treat as an inherently trusted internal medium. Any defender who has not extended phishing controls into Teams chat is effectively blind to this attack pattern.
The post compromise behaviour is what elevates Snow from nuisance to enterprise risk. A successful run produces a full Active Directory database extract along with registry hives needed for offline NTLM and Kerberos cracking. That output is the same artefact set that ransomware affiliates and access brokers monetise, suggesting either an internal monetisation model or onward sale to other criminal groups. Organisations that experience a Snow intrusion should assume domain wide credential compromise and plan a full Kerberos ticket reset along with KRBTGT account password rotation.
Mandiant's disclosure indicates that UNC6692's tooling is custom and not yet observed across multiple unrelated victims; however, the techniques are highly reproducible. The combination of email bombing, Teams impersonation, browser extension implant, and FTK Imager based credential theft is now in the public domain, and copycat activity from other clusters is likely within weeks.
Conclusion
Treat Microsoft Teams as an external attack surface from this point forward. The single highest impact action a defender can take in response to Snow is to lock down external Teams federation, block unmanaged Chromium extensions, and audit for the SNOWBASIN local HTTP listener on port 8000 across the workstation fleet.
Snow makes clear how attackers are moving past the email gateway. When the malicious link arrives in a Teams chat from what looks like a colleague, the most expensive mail security stack in the world cannot help. Defence has to follow the conversation into the collaboration tool, or the conversation will continue to be where defenders lose.
Sources
- Google Cloud Blog – How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite (April 2026)
- BleepingComputer – Threat actor uses Microsoft Teams to deploy new Snow malware (April 2026)
- The Hacker News – UNC6692 Impersonates IT Help Desk via Microsoft Teams to Deploy SNOW Malware (April 2026)
- SecurityWeek – UNC6692 Uses Email Bombing, Social Engineering to Deploy Snow Malware (April 2026)
- Dark Reading – UNC6692 Combines Social Engineering, Malware, Cloud Abuse (April 2026)
- HackRead – UNC6692 Hackers Exploit Microsoft Teams to Deploy SNOW Malware (April 2026)
- The Register – Crime crew impersonates help desk, abuses Teams chats (April 2026)