New ‘Snow’ Malware Threat Distributed via Microsoft Teams

The UNC6692 threat group is using Microsoft Teams to target corporate networks by deploying a new malware toolkit called Snow. This article examines the full attack chain, including the SnowBelt, SnowGlaze, and SnowBasin modules.

  • April 27, 2026

What Are UNC6692 and Snow Malware?

UNC6692 is the tracking designation for a threat group that relies on social engineering over Microsoft Teams to breach corporate networks. The group’s custom malware, referred to as “Snow”, has three major components: SnowBelt (a browser extension), SnowGlaze (a tunneling agent), and SnowBasin (a backdoor written in Python).

The attackers’ apparent goal is to gain a foothold in the corporate network, harvest credentials, and ultimately take control of the domain controllers. Each module performs a particular function, and all of them run quietly in the background: SnowBelt inside a headless (windowless) browser instance, SnowGlaze and SnowBasin as Python programs outside the browser.

[Infographic: Xcitium Threat Labs, “The Snow Malware Infection Cycle”]

UNC6692 leverages high-pressure Microsoft Teams social engineering to deploy a modular toolkit whose tunneling and backdoor components are written in Python.

  • 01 // SnowBelt (Persistence): malicious browser extension run from a headless Microsoft Edge instance.
  • 02 // SnowGlaze (Tunneling): Python WebSocket agent that provides an encrypted SOCKS proxy path to the C2.
  • 03 // SnowBasin (Backdoor): local HTTP server providing remote shell access and supporting credential theft.

Infrastructure stack: AWS S3 cloud staging, Heroku C2 infrastructure, LimeWire exfiltration.

Critical targets: scans ports 135, 445 and 3389; extracts LSASS memory; dumps the Active Directory database (NTDS.dit).

Social Engineering Attacks Through Microsoft Teams

Attackers first flood the target’s inbox with a barrage of spam emails (email bombing). Soon after, they contact the target through an external Microsoft Teams chat, posing as IT help desk staff.

Under the pretense of helping the victim fix the email problem, the attackers lure the victim to a bogus repair site. For example, the attacker may direct the victim to a web page titled “Mailbox Repair and Sync Utility” to resolve the issue.

Creating a sense of urgency around the issue makes it more likely that the victim falls for the trap.

Infection Chain and Fake Update Page

During the attack, the user is shown a fake “Mailbox Repair and Sync Utility” page with buttons such as “Health Check”, which asks the victim to enter their credentials in order to diagnose the supposed mailbox problems.

Under the hood, a malicious AutoHotkey script, packaged as an executable hosted on AWS S3, downloads further scripts that install the browser extension and, at the same time, perform reconnaissance on the host.

Once installed, SnowBelt ensures its persistence through:

  • A shortcut in the Startup directory
  • A scheduled task that launches a headless Microsoft Edge instance with the SnowBelt extension loaded
  • A scheduled task that kills any Microsoft Edge process that does not have the CoreUIComponents.dll module loaded

This ensures the malware remains active and hidden across reboots.
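The persistence mechanisms above leave two artifacts a defender already collects: the task definition logged in Security event 4698 when a scheduled task is created, and the process command line logged by Sysmon event ID 1 when the task fires. The script below is an added example, not code from the article or from the Snow toolkit, that flags Microsoft Edge started with both `--headless` and `--load-extension` from either source. The task XML, the extension paths and the command lines are constructed samples; the real extension name and path used by SnowBelt are not given on this page.

```python
"""Hunt for the SnowBelt persistence pattern: headless Edge plus a side-loaded
extension, found in 4698 TaskContent XML or in Sysmon process command lines.
Added example; sample data is constructed, not taken from the campaign."""
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema used in 4698 TaskContent.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?=\s|$)", re.IGNORECASE)
# --load-extension=<path>; the path is quoted when it contains spaces.
LOAD_EXT_RE = re.compile(r'(?:^|\s)--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def headless_edge_extension(command, arguments):
    """Return the side-loaded extension path if `command` is msedge.exe run
    with both --headless and --load-extension, otherwise None."""
    exe = command.strip().strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe != "msedge.exe" or not HEADLESS_RE.search(arguments):
        return None
    m = LOAD_EXT_RE.search(arguments)
    return (m.group(1) or m.group(2)) if m else None


def split_command_line(cmdline):
    """Split a Windows command line into (executable, arguments)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, tail = cmdline.partition(" ")
    return head, tail.strip()


def scan_task_xml(task_content):
    """Flag Exec actions in a 4698 TaskContent blob. Returns [(command, ext)]."""
    # The logged blob carries an XML declaration claiming UTF-16 although the
    # collector hands us a str; drop it so ElementTree does not reject it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content)
    root = ET.fromstring(body)
    hits = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
        ext = headless_edge_extension(cmd, args)
        if ext:
            hits.append((cmd, ext))
    return hits


def scan_command_lines(cmdlines):
    """Same check over raw process command lines (Sysmon event ID 1)."""
    hits = []
    for line in cmdlines:
        ext = headless_edge_extension(*split_command_line(line))
        if ext:
            hits.append((line, ext))
    return hits


# Constructed sample: a task shaped like SnowBelt's persistence entry.
SNOWBELT_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe</Command>
      <Arguments>--headless=new --no-first-run --load-extension="C:\\Users\\Public\\mail sync"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: headless Edge used for a page dump, no extension loaded.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe</Command>
    <Arguments>--headless --dump-dom https://intranet.example/status</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_CMDLINES = [  # constructed Sysmon event ID 1 command lines
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --load-extension=C:\Users\Public\mailsync --disable-gpu',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
    r'C:\Windows\System32\cmd.exe /c whoami',
]

if __name__ == "__main__":
    for cmd, ext in scan_task_xml(SNOWBELT_TASK) + scan_command_lines(SAMPLE_CMDLINES):
        print(f"headless Edge with side-loaded extension {ext!r}")
```

Headless Edge on its own is not flagged (the benign task shows an ordinary page-dump job), because the combination with a side-loaded unpacked extension is what distinguishes this persistence from automation. The Startup-folder shortcut can be checked with the same `headless_edge_extension` function once the shortcut’s target and arguments have been read.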

Snow Toolkit Components and Their Functions

The toolkit is modular, with each component serving a specific purpose:

SnowBelt: Malicious extension for Chromium-based browsers that runs inside a headless Microsoft Edge instance and relays attacker instructions to SnowBasin; it is kept alive by the Startup shortcut and scheduled tasks described above.

SnowGlaze: Tunneling agent written in Python that establishes an encrypted WebSocket tunnel between the victim host and the C2 server. The tunnel can act as a SOCKS proxy, which lets the attackers route their own tools into the network through the victim host.

SnowBasin: Python backdoor that runs a local HTTP server and executes the attacker’s commands through cmd.exe and PowerShell. Capabilities include:

  • Remote shell access
  • File upload/download
  • Screenshot capture
  • Self-termination

Advanced Attack Stages: Reconnaissance, Movement, and Data Theft

Once Snow is deployed, UNC6692 proceeds with broader network exploitation:

Port Scanning and Lateral Movement

Python scripts scan the local network for ports 135 (RPC), 445 (SMB), and 3389 (RDP). Through SnowGlaze tunnels, the attackers then use PsExec and RDP to reach additional systems.
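A sweep of a subnet on exactly these three ports is easy to see in firewall or NetFlow data if you look for fan-out from one source rather than for individual connections. The following is an added example, not code from the article or from the Snow toolkit; it assumes connection records of the form (timestamp, source IP, destination IP, destination port), and the 60-second window and 10-host threshold are tuning assumptions rather than values observed in the campaign. The traffic below is constructed.

```python
"""Flag one source reaching many distinct hosts on 135/445/3389 in a short
window, the pattern the scanning step produces. Added example; the sample
traffic is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# The three ports UNC6692's scripts probe: RPC/DCOM, SMB, RDP.
LATERAL_PORTS = {135, 445, 3389}


def detect_scanners(events, window=timedelta(seconds=60), min_targets=10):
    """Return {src_ip: set of distinct dst_ips} for every source that reached
    at least `min_targets` distinct hosts on LATERAL_PORTS inside any sliding
    window of length `window`. Window and threshold are assumed values."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port in LATERAL_PORTS:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological; ordering ties by dst is harmless
        start = 0
        for end in range(len(hits)):
            # Advance the left edge until the window is at most `window` long.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                alerts.setdefault(src, set()).update(targets)
    return alerts


def build_sample_events():
    """Constructed traffic: one host sweeping 30 addresses on all three ports
    within about 15 seconds, plus a workstation doing ordinary SMB to three
    file servers and one HTTPS connection over an hour."""
    base = datetime(2026, 4, 20, 9, 0, 0)
    events = []
    for i in range(1, 31):
        for j, port in enumerate(sorted(LATERAL_PORTS)):
            events.append((base + timedelta(milliseconds=500 * i + 100 * j),
                           "10.0.5.23", f"10.0.5.{i}", port))
    for k, offset in enumerate((0, 900, 2400)):
        events.append((base + timedelta(seconds=offset), "10.0.7.8", f"10.0.9.{k + 1}", 445))
    events.append((base + timedelta(seconds=30), "10.0.7.8", "10.0.9.50", 443))
    return events


if __name__ == "__main__":
    for src, targets in detect_scanners(build_sample_events()).items():
        print(f"{src} swept {len(targets)} hosts on ports {sorted(LATERAL_PORTS)}")
```

Counting distinct destination hosts rather than raw connections is what keeps a workstation that talks to a handful of file servers all day out of the alert list; a scanner announces itself by touching many hosts it has never spoken to before.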

Privilege Escalation

With local administrator rights, the attackers dump LSASS memory to extract credentials. Using the stolen NTLM hashes, they perform Pass-the-Hash attacks to compromise domain controllers.
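Whatever tool does the dumping, it has to open a handle to lsass.exe with memory-read rights, and Sysmon records that as event ID 10 (ProcessAccess). The triage logic below is an added example, not code from the article or from the Snow toolkit; it assumes events with the Sysmon fields SourceImage, TargetImage, GrantedAccess and CallTrace, and the allowlist of system processes is an assumed starting point that must be extended with the EDR and AV binaries in your own environment. The events are constructed.

```python
"""Triage Sysmon event ID 10 records for LSASS handle opens that include
PROCESS_VM_READ, the right a memory dumper cannot do without. Added example;
the sample events are constructed."""
PROCESS_VM_READ = 0x0010

# Processes that open lsass.exe on every Windows host during normal operation.
# Assumed starting allowlist; extend it with your EDR/AV binaries.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}


def is_lsass_read(event):
    """True when a non-allowlisted process obtained a handle to lsass.exe that
    includes PROCESS_VM_READ. Masks such as 0x1010, 0x1410 and 0x1FFFFF all
    include it; 0x1000 (query limited information) does not."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    access = int(event["GrantedAccess"], 16)
    if not access & PROCESS_VM_READ:
        return False
    return event["SourceImage"].lower() not in ALLOWED_SOURCES


def triage_process_access(events):
    """Return (SourceImage, GrantedAccess, severity) for each suspicious open.
    An UNKNOWN entry in CallTrace means the call came from memory not backed
    by a file on disk, typical of injected or reflectively loaded tooling."""
    findings = []
    for ev in events:
        if is_lsass_read(ev):
            severity = "high" if "UNKNOWN" in ev.get("CallTrace", "") else "medium"
            findings.append((ev["SourceImage"], ev["GrantedAccess"], severity))
    return findings


SAMPLE_EVENTS = [  # constructed, in the shape of Sysmon event ID 10 fields
    {"SourceImage": r"C:\Users\Public\snow\python.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|UNKNOWN(00007FFB2A3B1000)"},
    {"SourceImage": r"C:\Windows\Temp\dump.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\KERNELBASE.dll+2c8ee"},
    {"SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1000",  # query limited information only
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204"},
    {"SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1FFFFF",  # allowlisted system process
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204"},
    {"SourceImage": r"C:\Windows\system32\taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe",  # not lsass
     "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204"},
]

if __name__ == "__main__":
    for source, access, severity in triage_process_access(SAMPLE_EVENTS):
        print(f"[{severity}] {source} opened lsass.exe with {access}")
```

A Python interpreter running from a user-writable directory and opening LSASS is exactly what a Python-based toolkit like Snow would look like in this telemetry; the access mask alone is not enough, which is why the allowlist and the call trace carry the decision.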

Data Exfiltration

Using tools like FTK Imager, which reads the disk at a low level and can therefore copy files the operating system keeps locked while running, the attackers collect critical files such as:

  • NTDS.dit (Active Directory database)
  • SAM
  • SECURITY registry hives

These files are then exfiltrated through file-sharing services such as LimeWire.

Observed Techniques

One crucial element in this attack is the abuse of reputable cloud hosting services for conducting malicious activities:

  • Phishing pages and the initial executable hosted on AWS S3
  • WebSocket-based command-and-control infrastructure hosted on Heroku

Hosting on reputable cloud providers lets the malicious traffic blend into normal enterprise traffic patterns, since connections to AWS and Heroku endpoints are routine in most networks.

Moreover, this combination of email bombing with a fake help desk approach has been linked to various threat actors, including the notorious Black Basta group.

Conclusion: When a Help Desk Chat Becomes the Entry Point

The Snow campaign shows how modern intrusion chains no longer need noisy exploits to break into a corporate network. A flood of spam emails creates confusion. A fake Microsoft Teams help desk chat creates urgency. A bogus “Mailbox Repair and Sync Utility” page does the rest. From there, UNC6692 moves from user deception to browser persistence, encrypted tunneling, remote shell access, credential theft, and domain-level compromise.  

Why This Threat Matters

This attack is dangerous because it blends social engineering with a disciplined post-compromise toolkit.

  • External Teams chats are used to impersonate IT support during a moment of pressure.
  • A fake troubleshooting site captures credentials and triggers the malware chain.
  • SnowBelt, SnowGlaze, and SnowBasin work together to maintain persistence, tunnel traffic, and execute attacker commands quietly in the background.
  • The operation does not stop at one endpoint. It expands toward LSASS dumping, Pass-the-Hash activity, domain controller compromise, and theft of NTDS.dit and registry hives.

Why Organizations Stay Exposed

This campaign succeeds because it attacks both the human layer and the endpoint at the same time.

Teams messages feel familiar.
“Mailbox repair” sounds routine.
Cloud staging on AWS and C2 over Heroku blend into normal traffic patterns.

By the time the user realizes something is wrong, the attacker may already have persistence, tunnels, and credentials.

Where Xcitium Changes the Outcome

If you have Xcitium, this attack would NOT succeed.

With Xcitium Cyber Awareness Education and Phishing Simulation, the fake help desk story loses its power before the click. With Xcitium Advanced EDR, the execution chain breaks before browser hijacking, tunneling, and backdoor activity can become system compromise.

  • Users learn to challenge external “IT support” outreach and fake repair workflows
  • Unknown scripts, extensions, and payloads are intercepted at execution
  • Code can run without being able to cause damage
  • Credential theft, persistence, and follow-on lateral movement lose the runtime path they depend on

Stop the Chat Before It Becomes a Breach

Snow proves that one fake support conversation can become a full enterprise intrusion. Train users to break the pretext, then stop the malware at execution before the attacker turns trust into domain access.


Move Away From Detection With Patented Threat Prevention Built For Today's Challenges.

No one can stop zero-day malware from entering your network, but Xcitium can prevent it from causing any damage. Zero infection. Zero damage.
