UNC6692 Uses Microsoft Teams to Deliver “Snow” Malware

A threat group using Microsoft Teams and urgency tricks deployed a new “Snow” malware suite for credential theft, tunneling, and data exfiltration after network compromise.
Cybersecurity teams are seeing a familiar pattern with a new twist: instead of landing malware through flashy downloads, a threat group tracked as UNC6692 is leaning on Microsoft Teams to push victims toward a malicious “patch.”
The “Snow” toolset—built from a browser extension, a tunneler, and a backdoor—shows how attackers are turning everyday collaboration workflows into delivery channels, then using that access to steal credentials and take control of domains.
UNC6692’s method starts with social engineering designed to squeeze the victim’s decision-making timeline. The campaign uses “email bombing” tactics to create urgency and then contacts targets via Microsoft Teams, impersonating IT helpdesk agents. When a user clicks a link, they’re prompted to install a supposed patch intended to stop the email spam. Behind the scenes, the “Snow” infection chain delivers a dropper that runs AutoHotkey scripts and ultimately loads “SnowBelt,” a malicious Chrome extension.
What makes this more troubling than a basic phishing attachment is how the execution is staged. The payload runs in a headless Microsoft Edge instance, which reduces visible activity and can help the victim miss the moment the malicious browser extension is installed. At the same time, the attacker sets up persistence using scheduled tasks and a startup folder shortcut—classic techniques that help the backdoor survive reboots and remain ready for further instructions.
# A delivery trick built for speed, not silence
Once the infection is in place, SnowBelt acts as both a persistence mechanism and a relay layer for operator commands. Those commands travel through a tunneler component called SnowGlaze, which establishes a WebSocket tunnel to mask communications between the infected machine and the command-and-control infrastructure. SnowGlaze can also act as a SOCKS proxy, enabling the operator to route arbitrary TCP traffic through the compromised host.
That networking design matters because it turns a single endpoint into a controllable pivot point. Even if defenders spot outbound malware traffic quickly, attackers may still benefit from “blended” connectivity patterns and the ability to route traffic internally without directly exposing their own infrastructure.
# From one victim to domain-level access
But the real risk emerges after the initial foothold. Once inside, UNC6692 performs internal reconnaissance, scanning for services like SMB and RDP to find more targets, and then moves laterally across the network. Credential theft is central to that phase: the attackers dumped LSASS memory to harvest credential material and used pass-the-hash techniques to authenticate to additional systems. From there, they reached domain controllers.
At the final stage, the group deployed FTK Imager to extract the Active Directory database along with the SYSTEM, SAM, and SECURITY registry hives. Those files were then exfiltrated from the network using LimeWire—an unusual channel choice that underlines a key point: attackers will use whatever path they believe will blend into normal activity or delay detection.
# Why “Teams delivery” is a warning sign
There’s also a practical human impact here. Employees become the last gate in a chain that can quickly turn into full domain compromise. The difference between a cautious click and an impulsive “fix it now” decision can determine whether attackers stop at an endpoint—or escalate into credential compromise and domain-level access.
Looking forward, the “Snow” suite illustrates how modern malware is increasingly modular: one component handles browser-level persistence, another handles tunneling and proxying, and the backdoor handles command execution and operator workflows. Defenders should treat these as interconnected behaviors rather than isolated artifacts, because the most damaging intrusions combine social engineering, stealth execution, persistence, and lateral movement into one continuous operation.
Cyber hygiene will still matter, but it will need to be paired with stronger verification of urgent IT communications and more rigorous monitoring for credential access patterns and domain controller targeting. In the meantime, campaigns like this are a reminder: even familiar apps can be weaponized, and the “help” message is often where the attack really begins.
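One way to treat the staging behaviors described above (AutoHotkey dropper, headless Edge loading an extension, scheduled task plus Startup-folder shortcut) as interconnected rather than isolated is to correlate them per host. This is an added defender-side example, not code from the article or from any vendor: it assumes Sysmon-style process-creation records and that the headless step uses Chromium's real `--headless` and `--load-extension` switches, which the article does not state, and every log line is constructed.

```python
"""Correlate the "Snow" staging behaviours from process-creation events.
Added defender-side example, not code from the article or any vendor. It
assumes Sysmon-style process records (host, parent image, image, command
line) and that the headless browser step uses Chromium's real --headless and
--load-extension switches, which the article does not state. Events are
constructed."""
import re
from typing import Dict, Iterable, List, Set, Tuple

Event = Tuple[str, str, str, str]  # (host, parent_image, image, command_line)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\?", re.IGNORECASE)
BROWSERS = {"msedge.exe", "chrome.exe"}


def indicators(image: str, cmdline: str) -> Set[str]:
    """Map one process-creation event to the Snow-chain stages it resembles."""
    img, cmd = image.lower(), cmdline.lower()
    found: Set[str] = set()
    if img == "autohotkey.exe" or ".ahk" in cmd:
        found.add("autohotkey_dropper")  # dropper runs AutoHotkey scripts
    if img in BROWSERS and "--headless" in cmd and "--load-extension" in cmd:
        found.add("headless_browser_extension")  # extension loaded into hidden browser
    if img == "schtasks.exe" and "/create" in cmd:
        found.add("scheduled_task_create")  # persistence via scheduled task
    if STARTUP_DIR.search(cmdline):
        found.add("startup_folder_write")  # persistence via Startup shortcut
    return found


def correlate(events: Iterable[Event], threshold: int = 3) -> Dict[str, List[str]]:
    """Return hosts whose events together show at least `threshold` distinct
    stages. A lone headless browser or a developer's .ahk script is expected
    noise; the combination of stages on one host is the signal."""
    per_host: Dict[str, Set[str]] = {}
    for host, _parent, image, cmdline in events:
        per_host.setdefault(host, set()).update(indicators(image, cmdline))
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= threshold}


# Constructed telemetry: WS01 shows the full staging sequence, WS02 a headless
# browser without an extension, WS03 a legitimate AutoHotkey user.
EVENTS: List[Event] = [
    ("WS01", "explorer.exe", "AutoHotkey.exe", r"AutoHotkey.exe C:\Users\u\AppData\Local\Temp\patch.ahk"),
    ("WS01", "AutoHotkey.exe", "msedge.exe", r"msedge.exe --headless --load-extension=C:\Users\u\AppData\Local\Temp\ext"),
    ("WS01", "AutoHotkey.exe", "schtasks.exe", r"schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\Users\u\AppData\Local\Temp\run.ahk"),
    ("WS01", "AutoHotkey.exe", "cmd.exe", r'cmd.exe /c copy run.lnk "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"'),
    ("WS02", "explorer.exe", "msedge.exe", r"msedge.exe --headless --screenshot --window-size=1280,720"),
    ("WS03", "explorer.exe", "AutoHotkey.exe", r"AutoHotkey.exe C:\Users\dev\scripts\hotkeys.ahk"),
]
```

Only WS01 crosses the default threshold; raising or lowering `threshold` trades alert volume against catching a partially staged chain.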