
UNC6692 Uses Email Bombing, Social Engineering to Deploy ‘Snow’ Malware

Medium
Malware
Published: Mon Apr 27 2026 (04/27/2026, 10:44:55 UTC)
Source: SecurityWeek

Description

The UNC6692 threat actor uses email bombing and social engineering to deploy the modular Snow malware family (Snowbelt, Snowglaze and Snowbasin) and gain persistent access to victim networks. The attack begins by flooding victims' mailboxes with email, then impersonating IT support over Microsoft Teams to steer them to a phishing page that harvests credentials and installs the malware. Snowbelt is a backdoor packaged as a Chromium browser extension, Snowglaze establishes a secure tunnel used for lateral movement, and Snowbasin is a persistent local backdoor. Together they enable credential harvesting, lateral movement and data exfiltration, including dumping LSASS memory and Active Directory data. The campaign hosts its malicious payloads on trusted cloud platforms, which helps it evade traditional defenses. No patch or official remediation is indicated in the source content. The threat is assessed as medium severity based on the described impact and attack complexity.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/27/2026, 10:45:13 UTC

Technical Analysis

UNC6692 employs a multi-stage attack that starts with email bombing and social engineering to lure victims into executing malicious code from a fake "mailbox repair" phishing page. This leads to the installation of the Snow malware family: Snowbelt (a Chromium extension backdoor), Snowglaze (a Python-based tunneler for secure C2 communication and lateral movement), and Snowbasin (a persistent local HTTP backdoor). The malware harvests credentials through fake authentication prompts and enables lateral movement using tools such as PsExec and RDP sessions. UNC6692 extracts sensitive credentials and Active Directory data by dumping LSASS memory and the SAM/registry hives, and exfiltrates the data via LimeWire. The campaign uses cloud-hosted infrastructure (AWS S3) to evade detection. The attack chain combines social engineering with technical evasion to maintain persistent access and conduct reconnaissance within victim networks.

Potential Impact

The threat actor gains persistent access to victim environments, enabling credential harvesting, lateral movement, privilege escalation, and sensitive data exfiltration including Active Directory databases and user credentials. The use of trusted cloud services for hosting malware components helps evade traditional network defenses. The campaign can compromise internal network security and potentially lead to further exploitation or data breaches. No direct evidence of widespread exploitation or zero-day vulnerabilities is reported.

Mitigation Recommendations

Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Organizations should be aware of the social engineering tactics used, including email bombing and impersonation of IT support, and educate users accordingly. Monitoring for unusual scheduled tasks, unauthorized browser extensions, and suspicious network tunnels may help detect infection. Since no official fix or patch is indicated, defensive measures should focus on user awareness and on detecting the described malware behaviors.


Technical Details

Article Source: https://www.securityweek.com/unc6692-uses-email-bombing-social-engineering-to-deploy-snow-malware/ (fetched 2026-04-27T10:45:05.150Z, 1247 words)

Threat ID: 69ef3e31ba26a39fba195bf5

Added to database: 4/27/2026, 10:45:05 AM

Last enriched: 4/27/2026, 10:45:13 AM

Last updated: 4/28/2026, 1:45:07 AM

