Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite
Google Threat Intelligence Group identified a sophisticated intrusion campaign by UNC6692 that combined persistent social engineering with custom malware. The attackers impersonated IT helpdesk personnel via Microsoft Teams, leveraging initial email spam campaigns to create urgency. Victims were tricked into downloading AutoHotKey scripts that installed SNOWBELT, a malicious browser extension establishing persistence through scheduled tasks. The modular SNOW ecosystem enabled deep network penetration: SNOWBELT provided initial access, SNOWGLAZE created encrypted WebSocket tunnels masking traffic as legitimate cloud communications, and SNOWBASIN functioned as a local backdoor for command execution. UNC6692 performed internal reconnaissance, escalated privileges by extracting LSASS memory, and used Pass-The-Hash techniques to access domain controllers. The operation culminated in exfiltration of Active Directory databases and credentials via LimeWire, demonstrating advanced tradecraft abusing legitimate clou...
AI Analysis
Technical Summary
Google Threat Intelligence Group identified an advanced intrusion campaign by UNC6692 that combined persistent social engineering with a modular custom malware suite. Initial access was gained by impersonating IT helpdesk personnel on Microsoft Teams and leveraging email spam to induce victims to download AutoHotKey scripts. These scripts installed SNOWBELT, a malicious browser extension that maintained persistence via scheduled tasks. The malware ecosystem included SNOWGLAZE, which established encrypted WebSocket tunnels to disguise malicious traffic as legitimate cloud communications, and SNOWBASIN, a local backdoor enabling command execution. UNC6692 conducted internal network reconnaissance, escalated privileges by extracting LSASS memory, and employed Pass-The-Hash techniques to compromise domain controllers. The operation ended with exfiltration of Active Directory databases and credentials through LimeWire, indicating sophisticated tradecraft and abuse of legitimate cloud infrastructure.
Potential Impact
This campaign enabled UNC6692 to gain persistent access to targeted networks, perform internal reconnaissance, escalate privileges, and compromise domain controllers. The attackers exfiltrated sensitive Active Directory databases and credentials, potentially allowing long-term unauthorized access and control over affected environments. The use of legitimate tools and cloud communication masking techniques complicates detection and response.
Mitigation Recommendations
No official patch or vendor advisory is available for this threat. Organizations should focus on user awareness training to recognize social engineering attempts, especially impersonation via collaboration platforms like Microsoft Teams. Monitoring for unusual scheduled tasks and suspicious browser extensions can help detect SNOWBELT infections. Implementing strong credential protection measures, including LSASS memory protection and limiting Pass-The-Hash attack vectors, is recommended. Since this is a targeted campaign using custom malware, tailored incident response and threat hunting based on the provided indicators of compromise (hashes and YARA rules) are advised. Patch status is not yet confirmed; check the referenced Google Threat Intelligence report for updates: https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware
- Adversary: UNC6692
- Pulse Id: 69ea72434c655fab0cee36d8
- Threat Score: null
Threat ID: 69eb327b87115cfb680bf745
Added to database: 4/24/2026, 9:06:03 AM
Last enriched: 4/24/2026, 9:21:04 AM
Last updated: 4/25/2026, 5:45:41 AM