A newly identified threat group tracked as UNC6692 is hijacking Microsoft Teams to install a custom malware suite called SNOW.
The campaign relies almost entirely on social engineering, which makes it dangerous because it feels routine to the people who fall for it.
Attackers pose as IT helpdesk staff, exploiting a target’s trust in familiar collaboration tools to walk victims through handing over control of their machine.
The attack begins with a wave of spam emails sent to a target’s inbox, creating chaos and urgency.
Once the victim is overwhelmed, the same attacker reaches out through Microsoft Teams, posing as an IT support agent offering to fix the problem they caused.
This staged setup convinces users to trust a stranger who appears to be solving an issue rather than creating one.
Analysts at ExtraHOP said in a report shared with Cyber Security News (CSN) identified and detailed how this coordinated chain plays out from first contact to full network compromise.
Once a victim accepts the fake Teams invitation, the attacker sends a link claiming to install a patch that stops the spam.
Clicking it downloads a renamed AutoHotkey binary along with a script sharing the same file name, pulled from an attacker controlled cloud bucket.
That download becomes the first stage of the SNOW malware ecosystem, a modular toolkit built to support activity after the breach.
It includes a malicious browser extension, a Python based tunneling tool, and a lightweight local backdoor, each handling a part of the intrusion.
Together they let the attacker maintain a presence long after the phishing message is forgotten.
Once inside, UNC6692 does not rush. The group moves carefully through compromised systems, harvesting credentials, exploring internal networks, and expanding access before doing anything that might trigger alarms.
UNC6692 Hackers Uses Microsoft Teams Helpdesk Impersonation
The impersonation trick is simple but effective because it mirrors real corporate support interactions.
After the spam flood, the attacker contacts the victim through a Teams chat request from an account outside the organization, posing as a helpful colleague.
Many users accept external chat invitations without a second thought, especially when the message promises to fix a problem they already face.
Victims are directed to a phishing page disguised as a mailbox repair and sync utility, complete with a professional interface and a health check button.
That button triggers a login prompt, and the page asks for credentials multiple times under the guise of verification, which helps the stolen data hold up if checked later. The captured logins are then quietly sent to a cloud location controlled by the attacker.
This is the entry point for everything that follows. Once the AutoHotkey script runs, it performs reconnaissance and installs SNOWBELT, a rogue browser extension, by launching Microsoft Edge in a hidden mode using command line settings that skip normal installation checks.
Inside the SNOW Malware Toolkit
SNOW is not a single piece of malware but a layered pipeline built for persistence and stealth.
SNOWBELT operates within the browser and can survive restarts, while a Python based tunneling utility supports SOCKS5 style traffic to route commands through the compromised host, blending in with normal web activity.
A separate local HTTP backdoor gives the attacker a direct channel for issuing commands and pulling data without relying on infrastructure that might get flagged.
The toolkit also supports screenshot capture, file exfiltration, and session termination, giving operators control over how long they stay hidden.
Because the traffic moves through legitimate cloud services and familiar Windows features, standard network monitoring often misses it entirely.
Security teams should watch for unusual browser extension installations, scheduled tasks that launch Edge in headless mode, and unexpected outbound connections to unfamiliar endpoints.
Organizations are advised to restrict external chat permissions on Microsoft Teams to approved contacts and train employees to treat unsolicited helpdesk outreach with caution.
Blocking unapproved file sharing platforms and requiring verification before remote assistance can reduce exposure to this kind of intrusion.
This campaign shows how attackers favor patience and disguise over brute force, turning ordinary workplace habits into an opening for deep compromise.
Indicators of Compromise (IoCs):-
TypeIndicatorDescriptionFileAutoHotkey binary (renamed, filename matches accompanying script)Delivered from attacker controlled AWS S3 bucket; initiates SNOWBELT installation FileAutoHotkey script (same filename as binary)Executes automatically upon download, bypasses standard user prompts to deploy SNOWBELT File7ZIP Imager toolUsed by threat actor to compress and exfiltrate the entire Active Directory database (NTDS.dit) ToolSNOWBELTMalicious Chromium browser extension component of the SNOW malware ecosystem, installed via headless Microsoft Edge ToolSNOWGLAZEPython based tunneling utility supporting SOCKS5 traffic to conceal command and control communications ToolSNOWBASINLocal HTTP backdoor providing a direct command channel on the compromised host InfrastructureAmazon Web Services S3 bucketAttacker controlled storage used to host and serve the initial malicious AutoHotkey payload InfrastructureCloud storage exfiltration endpointDestination used by SNOWGLAZE to move harvested NTDS.dit data and credentials off the victim network
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.
The post UNC6692 Hackers Uses Microsoft Teams Helpdesk Impersonation to Deploy SNOW Malware appeared first on Cyber Security News.



