The SNOW ecosystem | Image: GTIG
A sophisticated new threat actor, UNC6692, is redefining the art of the initial breach. According to a recent report from the Google Threat Intelligence Group (GTIG), this group has successfully orchestrated a series of multistage intrusions by blending high-pressure social engineering with a custom-built, modular malware suite designed to hide in plain sight.
What makes UNC6692 particularly dangerous is its ability to weaponize the inherent trust users place in major enterprise software providers.
The campaign typically begins with an “email bomb”—a massive wave of messages designed to overwhelm and distract the target. Shortly after, the attacker strikes via Microsoft Teams, posing as helpful IT helpdesk personnel offering a “local patch” to stop the spam.
As the report details, “UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization”.
Clicking the link directs the victim to a landing page masquerading as a professional “Mailbox Repair Utility”. This site uses a psychological “double-entry” trick—rejecting the first two password attempts to convince the user the site is performing real-time validation, while ensuring the attacker captures the password twice to avoid typos.
While the victim watches a fake progress bar complete “technical tasks,” the attacker is busy establishing a persistent foothold using the “SNOW” ecosystem. This trio of tools works as a coordinated pipeline covering everything from initial access to full network penetration.
| Component | Role | Functionality |
| --- | --- | --- |
| SNOWBELT | Browser Extension | A Chromium-based backdoor that serves as the “eyes” of the operation, intercepting commands and maintaining persistence. |
| SNOWGLAZE | Python Tunneler | Creates an authenticated WebSocket tunnel to mask malicious traffic as standard encrypted web traffic. |
| SNOWBASIN | Python Bindshell | Acts as a persistent local HTTP server, enabling remote command execution, screenshots, and data staging. |
Once the SNOW ecosystem is active, UNC6692 demonstrates “deft pivoting inside the victim’s environment”. The attackers move laterally using a combination of PsExec and RDP sessions through their established tunnels.
The mission reaches its peak when the threat actor accesses a backup server to extract LSASS process memory, which contains user credentials and hashes. Armed with these, they use Pass-The-Hash to move to the Domain Controllers, where they eventually exfiltrate the entire Active Directory database.
A critical element of UNC6692’s success is their “living off the cloud” strategy. By hosting malicious components on trusted platforms like AWS S3 and Heroku, they easily bypass traditional network reputation filters.
“This ‘living off the cloud’ strategy allows attackers to blend malicious operations into a high volume of encrypted, reputably sourced traffic, making detection based on domain reputation or IP blocking increasingly ineffective,” the report concludes.
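Because reputation filters see only trusted cloud hosts, the practical defensive angle is to correlate the stages of the chain described above (email bomb, external Teams chat, SNOWBELT-style extension load, SNOWGLAZE-style WebSocket tunnel, SNOWBASIN-style local HTTP listener) per user inside a short window. The following Python is an added example, not code from GTIG or the report: the event schema (`type`, `user`, `ts`, and the per-type fields), the 100-message burst threshold, the two-hour window and the sample telemetry are all assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # assumed: chain signals must land within this window
CLOUD_HOSTS = ("herokuapp.com", "amazonaws.com")  # "living off the cloud" staging hosts

def classify(ev):
    """Map one telemetry event (dict, assumed schema) to a stage of the chain, or None."""
    if ev["type"] == "mail_burst" and ev["count"] >= 100:  # email bomb
        return "email_bomb"
    if ev["type"] == "teams_chat" and ev["external"]:  # chat invite from outside the org
        return "external_teams_chat"
    if ev["type"] == "ext_load" and ev["unpacked"]:  # SNOWBELT-style unpacked extension
        return "unsigned_extension"
    if ev["type"] == "net" and ev["proto"] == "websocket" \
            and ev["dst"].endswith(CLOUD_HOSTS) and "python" in ev["process"].lower():
        return "python_ws_tunnel"  # SNOWGLAZE-style tunnel to a trusted cloud host
    if ev["type"] == "listen" and ev["addr"] == "127.0.0.1" and "python" in ev["process"].lower():
        return "python_local_http"  # SNOWBASIN-style local HTTP bindshell
    return None

def correlate(events, min_signals=3):
    """Return {user: sorted distinct stages} for users showing >= min_signals inside WINDOW."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            per_user[ev["user"]].append((ev["ts"], stage))
    alerts = {}
    for user, hits in per_user.items():
        for i, (t0, _) in enumerate(hits):  # slide a window forward from each hit
            stages = {s for t, s in hits[i:] if t - t0 <= WINDOW}
            if len(stages) >= min_signals:
                alerts[user] = sorted(stages)
                break
    return alerts

# Constructed sample telemetry: "alice" walks the whole chain; "bob" has two unrelated events.
T = datetime(2025, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    {"ts": T, "user": "alice", "type": "mail_burst", "count": 450},
    {"ts": T + timedelta(minutes=12), "user": "alice", "type": "teams_chat", "external": True},
    {"ts": T + timedelta(minutes=31), "user": "alice", "type": "ext_load", "unpacked": True},
    {"ts": T + timedelta(minutes=33), "user": "alice", "type": "net", "proto": "websocket",
     "dst": "app-xyz.herokuapp.com", "process": "python.exe"},
    {"ts": T + timedelta(minutes=34), "user": "alice", "type": "listen", "addr": "127.0.0.1",
     "process": "python.exe"},
    {"ts": T + timedelta(minutes=5), "user": "bob", "type": "teams_chat", "external": True},
    {"ts": T + timedelta(hours=5), "user": "bob", "type": "ext_load", "unpacked": True},
]
```

A single external Teams chat or a developer loading an unpacked extension stays silent; only the clustered sequence raises an alert, which is the property a reputation-based control cannot give you here.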