A newly identified threat actor, tracked as UNC6692 by Google Threat Intelligence Group (GTIG), floods targets with emails and then masquerades as IT support to deploy malicious software.
Email Flooding and Pretend IT Support
In December 2025, UNC6692 was observed inundating targets with numerous emails. The group then reached out to victims through Microsoft Teams, posing as IT support personnel to deceive them into clicking a link to a fake mailbox repair page.
This phishing page, disguised as a utility, checked for specific parameters in the email link and confirmed the use of Microsoft Edge. Once verified, it prompted the user to perform a ‘health check,’ which was a guise to capture their credentials.
Malicious Payload Deployment
Simultaneously, the fake page executed a script to download and run an AutoHotKey binary and script. This action installed the Snowbelt backdoor, a JavaScript-based malware, as a Chromium browser extension on the user’s system.
The attackers ensured persistence by adding shortcuts to Windows startup and by scheduling tasks that open a hidden Edge process which loads Snowbelt. This setup allowed them to download further malicious payloads from an AWS S3 bucket they controlled.
Network Infiltration and Data Exfiltration
Using Snowglaze, a Python-based tunneler, UNC6692 established a connection to the targeted system. They conducted reconnaissance and lateral movement by initiating a Remote Desktop Protocol session to a backup server and accessing administrator accounts.
The threat actors extracted sensitive information by dumping process memory and used LimeWire for data exfiltration. They leveraged Pass-The-Hash to infiltrate the network’s domain controller and utilized FTK Imager to access and exfiltrate critical registry files.
The Snow Malware Framework
The Snow malware framework, composed of Snowbelt, Snowglaze, and Snowbasin, facilitates attackers’ access from initial entry to internal network operations. Snowbelt executes commands and provides access for privilege escalation, while Snowglaze creates a secure connection for data transfer.
Snowbasin acts as a persistent backdoor, offering capabilities like command execution and data harvesting. This comprehensive system underscores how attackers integrate social engineering with technical stealth to penetrate secure environments.
The UNC6692 campaign exemplifies the sophistication of modern cyber threats, leveraging trusted platforms to bypass traditional defenses. As cyber threats evolve, organizations must adapt their security strategies to mitigate such risks effectively.
