# UNC6692 Deploys Multi-Component "Snow" Malware via Microsoft Teams Social Engineering


A sophisticated threat actor tracked as UNC6692 is actively deploying a custom malware suite called "Snow" using Microsoft Teams-based social engineering attacks. The campaign demonstrates how attackers continue to exploit popular collaboration platforms as vectors for initial access, combining social manipulation with novel malware components designed to maintain persistent access and enable reconnaissance.


## The Threat


Security researchers have identified UNC6692 conducting targeted social engineering campaigns that leverage Microsoft Teams to distribute the Snow malware suite. The group uses deceptive messaging—often impersonating legitimate contacts or authority figures—to trick users into downloading and executing malicious files. Once deployed, Snow establishes a multi-layered compromise that gives attackers extensive control over victim systems.


The threat actor demonstrates sophisticated operational security practices, suggesting previous experience in high-value targeting. The use of custom-developed malware rather than off-the-shelf tools indicates resource and expertise investment in avoiding detection by standard antivirus and endpoint detection and response (EDR) solutions.


## Background and Context


Microsoft Teams has emerged as a high-value target for initial access brokers and intrusion operators. As one of the world's most widely deployed workplace collaboration platforms with over 300 million monthly active users, Teams offers attackers several advantages:

- High trust factor: Users are accustomed to receiving files and links through Teams
- Organizational presence: Legitimate business communications occur on Teams, making malicious messages blend in
- Cross-platform functionality: Teams works on Windows, macOS, Linux, iOS, and Android
- Integration depth: Teams connects to OneDrive, SharePoint, and other corporate systems

UNC6692 is a previously lesser-known threat cluster, suggesting the group may be a splinter faction from a larger operation or a newly organized team with acquired capabilities. Their investment in custom malware development indicates they are targeting specific industries or high-value organizations where commodity malware would be ineffective or too easily detected.


## Technical Details: The Snow Malware Suite

The Snow suite comprises three distinct components that work in concert to establish and maintain persistence:


### Browser Extension

The browser extension component targets popular browsers including Chrome and Edge. Once installed, the extension can:

- Intercept network traffic from the browser, allowing attackers to monitor user activity and communications
- Capture credentials from login forms and stored passwords
- Inject malicious scripts into websites visited by the user
- Enable man-in-the-middle (MITM) attacks on encrypted connections

Browser extensions operate with elevated privileges relative to ordinary web content, making them particularly effective for credential harvesting and network surveillance.


### Network Tunneler

The tunneling component establishes encrypted communication channels between the compromised system and attacker infrastructure. This functionality enables:

- Outbound tunnel creation that bypasses standard firewall rules and detection mechanisms
- Encrypted communications that hide command-and-control (C2) traffic from network monitoring tools
- Protocol obfuscation to disguise malicious traffic as legitimate business communications
- Multi-hop proxying that routes commands through compromised systems to reach isolated networks

The tunneler is particularly dangerous in enterprise environments where network segmentation is in place, as it can help attackers pivot laterally across isolated zones.


### Backdoor Component

The backdoor provides remote access capabilities allowing attackers to:

- Execute arbitrary commands on the compromised system with the privileges of the logged-in user
- Download and execute additional malware for follow-on exploitation
- Exfiltrate files from the system and connected network shares
- Maintain persistence across system reboots through multiple mechanisms

The backdoor likely includes anti-analysis features designed to detect and avoid execution within sandboxed analysis environments, hindering security researchers' ability to study its behavior.


## Attack Chain and Infection Mechanics

The typical infection sequence unfolds as follows:

1. Social Engineering: Attacker sends a message via Teams impersonating a trusted contact or the IT department
2. Payload Delivery: User is prompted to download a file (often disguised as a document, installer, or update)
3. Execution: User runs the downloaded file, triggering the infection chain
4. Persistence: Snow components establish themselves across the browser, system processes, and scheduled tasks
5. Reconnaissance: Malware collects system information, user credentials, and network topology data
6. Secondary Payload: Attackers evaluate the compromised asset and deploy additional tools as needed


## Implications for Organizations

Organizations face several material risks from Snow deployments:

| Risk | Impact | Severity |
|------|--------|----------|
| Credential Compromise | Attackers gain access to domain credentials, enabling lateral movement | Critical |
| Data Exfiltration | Sensitive documents, emails, and intellectual property stolen | Critical |
| Lateral Movement | Pivoting to additional systems through network tunneling | High |
| Supply Chain Risk | Compromised employee accounts used to target customers and partners | High |
| Compliance Violations | Data breaches trigger regulatory notification requirements | High |
| Business Disruption | Ransomware or destructive malware deployed post-reconnaissance | High |

Attack Duration: Organizations typically remain unaware of Snow infections for weeks or months, allowing attackers to conduct extensive reconnaissance before deploying high-impact payloads like ransomware or data wipers.


## Recommendations

### Immediate Actions

- Block the Malware: Work with your security vendor to obtain indicators of compromise (IOCs) including file hashes, C2 domains, and URLs
- Threat Hunt: Search logs and endpoint telemetry for evidence of Snow components or unusual Teams activity
- Disable Suspicious Accounts: If compromised Teams accounts are identified, disable them immediately
- Review Recent Downloads: Audit systems for suspicious files downloaded through Teams in the past 90 days

### Technical Controls

- Browser Extension Auditing: Review installed browser extensions on all endpoints; whitelist approved extensions and block unauthorized ones
- Process Whitelisting: Implement application whitelisting to restrict execution to known-good processes
- Network Segmentation: Isolate critical systems and sensitive data behind firewall rules that block unusual outbound connections
- EDR Deployment: Deploy endpoint detection and response tools configured to detect living-off-the-land attacks and unusual process behavior
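As an added example (not code from the original write-up), the browser extension audit above as a Python check over the extensions.settings map of a Chrome/Edge profile's Preferences or Secure Preferences file: it flags anything not on the allowlist, not installed from the Web Store, loaded unpacked from disk, or holding permissions that allow traffic interception. The allowlist ID, the sample Preferences content and the Chromium location code are assumptions.

```python
import json

# Approved Chrome Web Store extension IDs (constructed placeholder; use the real allowlist).
APPROVED_EXTENSION_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Permissions that let an extension read or rewrite traffic on every site, which is
# what a traffic-interception / credential-harvesting extension needs.
HIGH_RISK_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                         "declarativeNetRequest", "scripting", "cookies"}

# Chromium Manifest::Location value for an extension loaded unpacked from disk
# (assumed from Chromium source; verify against the browser version in use).
LOCATION_UNPACKED = 4


def audit_extensions(preferences_json):
    """Return one finding per installed extension that is unapproved or risky.
    Reads the extensions.settings map of a Chrome/Edge profile's Preferences or
    Secure Preferences file (assumed layout: id -> {manifest, from_webstore, ...})."""
    settings = json.loads(preferences_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []) + manifest.get("host_permissions", []))
        reasons = []
        if ext_id not in APPROVED_EXTENSION_IDS:
            reasons.append("not on allowlist")
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked from disk")
        risky = sorted(perms & HIGH_RISK_PERMISSIONS)
        if risky:
            reasons.append("high-risk permissions: " + ", ".join(risky))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "path": entry.get("path", ""), "reasons": reasons})
    return findings


# Constructed sample Preferences content: one approved Web Store extension and
# one sideloaded extension carrying traffic-interception permissions.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"from_webstore": True, "location": 1,
        "manifest": {"name": "Corp Password Manager", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"from_webstore": False, "location": 4,
        "path": "C:\\Users\\user\\AppData\\Local\\Temp\\ext",
        "manifest": {"name": "Teams Helper", "permissions": ["webRequest", "cookies"],
                     "host_permissions": ["<all_urls>"]}}}}})
```

Run it per profile directory under each user's Chrome or Edge `User Data` folder and feed the findings into the allowlist enforcement step.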

### Awareness and Training

- Phishing Training: Conduct targeted security awareness training on Teams-specific social engineering tactics
- Verification Procedures: Establish and enforce procedures for verifying the identity of contacts before downloading files
- Reporting Mechanisms: Create clear channels for users to report suspicious Teams messages

### Detection and Monitoring

- Teams Activity Logging: Enable and monitor Teams audit logs for unusual file sharing patterns or external user additions
- DNS Monitoring: Monitor DNS queries for resolution attempts to known malicious domains
- Credential Monitoring: Use password managers and credential monitoring tools to detect unauthorized password changes
- Behavioral Analytics: Deploy tools that detect unusual user or system behavior patterns
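An added example, not part of the original article, of the Teams audit log hunt described above: it runs over constructed records in a simplified Unified Audit Log-like shape and alerts on external members being added, on file types that match the "document, installer, or update" lure, and on an external actor sharing several such files. The field names, domains and sample records are assumptions.

```python
from collections import Counter

# Domains the organisation owns (constructed values for this example).
INTERNAL_DOMAINS = {"corp.example"}

# File types behind a typical "document, installer or update" lure; sharing
# documents over Teams is routine, sharing executables or scripts is not.
RISKY_EXTENSIONS = {".exe", ".msi", ".msix", ".scr", ".js", ".vbs", ".lnk", ".iso"}

# Constructed records in a simplified Unified Audit Log-like shape
# (assumed field names; map them to the columns of your tenant's real export).
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-01T09:05:00", "Operation": "MemberAdded",
     "UserId": "alice@corp.example",
     "Members": [{"UPN": "it-helpdesk_outlook.example#EXT#@corp.example"}]},
    {"CreationTime": "2024-05-01T09:10:00", "Operation": "FileUploaded",
     "UserId": "bob@corp.example", "SourceFileName": "Q2-plan.docx"},
    {"CreationTime": "2024-05-01T09:12:00", "Operation": "FileUploaded",
     "UserId": "it-helpdesk@outlook.example", "SourceFileName": "TeamsUpdate.msi"},
    {"CreationTime": "2024-05-01T09:13:00", "Operation": "FileUploaded",
     "UserId": "it-helpdesk@outlook.example", "SourceFileName": "Policy.pdf.exe"},
]

def is_external(upn):
    """Guest accounts carry the #EXT# marker; otherwise compare the UPN domain."""
    return "#EXT#" in upn or upn.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def hunt_teams_audit(records):
    """Flag external members added, risky file types shared, and external actors sharing several."""
    alerts, risky_by_actor = [], Counter()
    for r in records:
        op, actor, ts = r.get("Operation"), r.get("UserId", ""), r.get("CreationTime")
        if op == "MemberAdded":
            for m in r.get("Members", []):
                if is_external(m.get("UPN", "")):
                    alerts.append({"rule": "external_member_added", "actor": actor,
                                   "detail": m["UPN"], "time": ts})
        elif op == "FileUploaded":
            name = r.get("SourceFileName", "")
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in RISKY_EXTENSIONS:  # the last suffix also catches lures like .pdf.exe
                alerts.append({"rule": "risky_file_shared", "actor": actor,
                               "detail": name, "time": ts})
                if is_external(actor):
                    risky_by_actor[actor] += 1
    for actor, n in risky_by_actor.items():
        if n > 1:
            alerts.append({"rule": "external_actor_burst", "actor": actor,
                           "detail": f"{n} risky files shared", "time": None})
    return alerts
```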

## Conclusion

The Snow malware campaign represents an evolution in how threat actors exploit trusted communication platforms to gain initial access to enterprise networks. By combining social engineering with sophisticated custom malware, UNC6692 demonstrates a level of operational maturity that should concern security teams across all industries.

Organizations must assume that determined attackers will eventually deliver a malicious file to at least one user. The focus should shift to rapid detection and containment, supported by robust threat hunting and forensic investigation capabilities. In the current threat landscape, comprehensive endpoint protection combined with user awareness training remains essential for mitigating the risk posed by campaigns like Snow.