UNC6692 Uses Microsoft Teams to Deploy SNOW Malware
🔒 Mandiant attributes a newly documented cluster, UNC6692, with social-engineering campaigns via Microsoft Teams that coerce victims into installing malicious software and browser extensions. The actor leverages large-scale email-bombing to create urgency, then impersonates IT helpdesk staff to deliver an AutoHotkey-based installer hosted on attacker-controlled AWS S3. That installer loads the SNOW malware family — including SNOWBELT, SNOWGLAZE, and SNOWBASIN — enabling credential theft, tunneling, lateral movement, and data exfiltration.
