When a Teams ping looks like routine IT help but ends in a silent domain takeover, the line between collaboration and compromise disappears: social engineering, trusted cloud platforms, and frictionless user experience combine to enable high-impact breaches without tripping classic exploit alarms. A newly identified threat actor, UNC6692, turned that tension into a blueprint, weaponizing Microsoft Teams impersonation and a custom modular malware suite while leaning on reputable cloud platforms to hide in plain sight. The campaign, disclosed on April 22, 2026 by Google Threat Intelligence Group and Mandiant, showed how attackers can gain domain-level control by talking users past visible warnings, without needing a single zero-day or unpatched flaw.
1: What Happened
Investigators attributed a multistage intrusion campaign to UNC6692 that hinged on identity deception rather than software exploitation. The group impersonated IT helpdesk staff inside Microsoft Teams to walk targets through a tailored “repair” flow, then dropped a modular malware framework dubbed “SNOW” to expand access. The April 22, 2026 disclosure detailed how the attackers abused ordinary enterprise tooling and cloud services without using a single exploit. Instead of targeting software, they targeted habits: accepting external chats, clicking “continue anyway,” and trusting UI language that felt familiar. The operation's traffic blended into ordinary encrypted sessions to AWS S3 and Heroku, frustrating blocklists and domain-reputation controls.
2: Initial Social Engineering Playbook
The opening gambit paired stress with opportunity. First came Inbox Flood, a mass email deluge delivered in late December that manufactured urgency, distraction, and support fatigue. With inboxes noisy, Helpdesk Impersonation on Teams began: a message from an apparent IT staffer offering relief. Next, Warning Bypass Persuasion talked targets through overriding the prompts Teams shows about chats from an external tenant. Finally, External Chat Acceptance sealed the social contract, giving an outside account a direct channel to the victim. Each step exploited the cadence of enterprise life (ticket queues, emergency triage, escalations); only this time the “fix” arrived over chat, not through a service desk portal with strong guardrails.
3: Infection Chain: From Teams Chat to Full Compromise
Once trust was secured, the attacker sent a link to a faux “local patch,” landing victims on a “Mailbox Repair and Sync Utility v2.1.5” page hosted in an attacker-controlled AWS S3 bucket. The pipeline unfolded in four moves. Environment Screening required an ?email= parameter in the URL and launched Microsoft Edge through the microsoft-edge: URI handler, moving the victim into the browser the extension would later run in. Credential Capture followed, using a staged “Health Check” with two deliberate login failures, a trick that makes the victim retype the password and filters out typos before the value is exfiltrated to S3. A Diversion Routine masked the theft with a progress bar reading “Parsing configuration data.” Payload Setup then fetched AutoHotkey (renamed RegSrvc.exe) and a Protected.ahk script to install SNOWBELT, a malicious Chromium extension disguised as “MS Heartbeat.”
4: The SNOW Malware Ecosystem
The SNOW framework comprised three coordinated components. SNOWBELT — Browser Add-on established the initial foothold, receiving C2 instructions through S3 URLs whose bucket names came from a domain generation algorithm, and anchored persistence. SNOWGLAZE — WebSocket Relay, a Python tunneler, created a SOCKS proxy path to a Heroku-hosted C2 over WebSockets, blending with ordinary encrypted traffic; it wrapped its data in Base64-encoded JSON, further obscuring inspection. SNOWBASIN — Local Task Server exposed a Python HTTP service on port 8000 to run shell commands, capture screenshots, and shuttle files. Persistence was stacked for redundancy: a Startup folder shortcut, two scheduled tasks, and a headless Edge instance that auto-loaded the extension.
5: Post-Compromise Actions
With the beachhead in place, UNC6692 pivoted methodically. Internal Survey kicked off via a Python script run through SNOWBASIN, scanning for ports 135, 445, and 3389 to map remote management surfaces. Pivoting via Tunneling used PsExec over the SNOWGLAZE SOCKS path to enumerate local admins and open an RDP session into a backup server. Credential Dumping came next: LSASS memory was dumped from Task Manager, no custom tooling required, and the dump was exfiltrated through LimeWire. Hash-Only Authentication followed: NTLM hashes extracted offline from the dump enabled Pass-the-Hash into domain controllers. Domain Takeover Artifacts were then acquired by downloading FTK Imager onto a domain controller, mounting the local drive, and extracting NTDS.dit together with the SAM, SYSTEM, and SECURITY hives.
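As an added example (not code from the GTIG/Mandiant report or from UNC6692's tooling), the following Python flags the Internal Survey step described above in flow logs: one host reaching many distinct internal hosts on 135, 445 and 3389 inside a short window. The flow-log line format, the sample records, the fan-out threshold and the window length are all assumptions constructed for the example and should be tuned per environment.

```python
"""Added example, not from the GTIG/Mandiant report: flag the internal-survey
pattern (one host sweeping many internal hosts on 135/445/3389) in flow logs."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MGMT_PORTS = {135, 445, 3389}  # RPC endpoint mapper, SMB, RDP

# Constructed flow log (assumed format): "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>".
# The victim workstation 10.20.5.17 sweeps 10.20.6.1-12 in about two minutes,
# alternating 3389 and 445; the remaining lines are benign background.
SAMPLE_FLOWS = "\n".join(
    [
        f"2026-01-08T09:1{i // 6}:{(i % 6) * 10:02d} 10.20.5.17 10.20.6.{i + 1} "
        f"{445 if i % 2 else 3389} {'allow' if i % 3 else 'deny'}"
        for i in range(12)
    ]
    + [
        "2026-01-08T09:05:00 10.20.1.3 10.20.6.1 3389 allow",  # admin RDP
        "2026-01-08T09:40:00 10.20.1.3 10.20.6.2 445 allow",   # file share
        "2026-01-08T10:05:00 10.20.1.3 10.20.6.3 445 allow",
        "2026-01-08T09:11:05 10.20.5.17 10.20.6.1 443 allow",  # not a mgmt port
    ]
)

FLOW_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\d+) (\w+)$")


def parse_flow(line):
    """Parse one flow line into (timestamp, src, dst, port, action), or None."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_internal_sweeps(log_text, min_hosts=8, window_minutes=5):
    """Return {src_ip: sorted distinct destinations} for every source that
    reached at least `min_hosts` distinct hosts on MGMT_PORTS inside some
    window of `window_minutes`.  Denied flows count too: a scanner is noisy
    whether or not the firewall lets it through.  A two-pointer sweep per
    source keeps the cost linear in the number of flows."""
    window = timedelta(minutes=window_minutes)
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec and rec[3] in MGMT_PORTS:
            per_src[rec[1]].append((rec[0], rec[2]))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # distinct destinations currently inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:  # expire events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_hosts:
                hits[src] = sorted({d for _, d in events})
                break
    return hits


if __name__ == "__main__":
    for src, targets in detect_internal_sweeps(SAMPLE_FLOWS).items():
        print(f"{src} swept {len(targets)} internal hosts on RPC/SMB/RDP: {targets}")
```

The admin host touches three servers over an hour and never trips the five-minute window, while the workstation's twelve targets in two minutes do; widening the window to hours would start flagging ordinary administration, which is the tuning trade-off this detection carries.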
6: Infrastructure and Tradecraft
The standout trait was disciplined reliance on reputable clouds. Payloads, staging, and even C2 rode over AWS S3 with DGA-style bucket naming, while Heroku hosted the WebSocket endpoint that carried command traffic. This “living off the cloud” approach diminished signal in a sea of permissible TLS sessions and thwarted coarse controls based on IPs or ASN reputation. The tactic also exploited default trust in developer and storage ecosystems used daily by defenders themselves. By wrapping C2 in WebSockets and encoding payloads as Base64-JSON, UNC6692 reduced telemetry uniqueness, pushing detection toward deeper content inspection, extension oversight, and browser process analytics rather than perimeter filters.
7: Defense Guidance
Organizations can undercut this playbook by tightening Microsoft Teams external access: limit cross-tenant chats by default, allow-list only the partner tenants that need them, and route support requests through approval workflows with verified IT identities. Browser oversight should expand to inventorying and monitoring extensions, flagging headless Edge instances and Edge launched with extension-loading flags, and alerting on persistence artifacts such as Startup folder shortcuts and scheduled tasks pointing into a user's AppData. Cloud egress monitoring must examine outbound S3 patterns, WebSocket destinations, and regional anomalies, correlating with DGA-like bucket names. Harden credential surfaces with LSASS protection (RunAsPPL), Credential Guard, constrained admin rights, and blocks on tools that read or dump process memory, including Task Manager's dump option on LSASS. Control lateral movement by gating PsExec and RDP, enabling Just-in-Time access, and logging remote sessions with explicit alerting on unusual service creation paths.
8: Indicators of Compromise (IOCs)
Concrete signals can accelerate triage. Phishing URL Pattern: https://service-page-[ID]-outlook.s3.us-west-2.amazonaws.com/update.html?email= (the [ID] segment varies per lure). C2 Server: wss://sad4w7h913-b4a57f9c36eb.herokuapp.com:443/ws (defang as needed). SNOWBELT C2 URL Pattern: https://[a-f0-9]{24}-[0-9]{6,7}-[0-9]{1}.s3.us-east-2.amazonaws.com, with the bucket name produced by the extension's DGA; escape the dots before using this as a regex. SNOWBELT VAPID Key: BJkWCT45mL0uvV3AssRaq9Gn7iE2N7Lx38ZmWDFCjwhz0zv0QSVhKuZBLTTgAijB12cgzMzqyiJZr5tokRzSJu0. Masquerading Files included RegSrvc.exe (a renamed AutoHotkey binary), Protected.ahk, and the SysEvents directory holding the extension. Also watch for Edge launched with extension-loading flags, bursts of Base64-encoded JSON over WebSockets to Heroku, and scheduled tasks referencing AutoHotkey under a user profile's AppData path.
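The following Python is an added example, not code from the report or from the SNOW tooling, that turns this section's indicators (together with the Base64-encoded JSON framing the SNOW ecosystem section describes for SNOWGLAZE) into a hunt over constructed proxy-log lines, a constructed scheduled-task export, and constructed WebSocket frames. The log and export formats, the alphanumeric charset assumed for the phishing URL's [ID] segment, the SysEvents location under AppData, the broader any-Heroku-WebSocket pattern, and every sample value are assumptions; the URL regexes are the patterns quoted above with dots escaped.

```python
"""Added example, not from the GTIG/Mandiant report: hunt for the UNC6692
indicators in this section across three constructed data sources."""
import base64
import binascii
import json
import re

# URL patterns from the IOC list, dots escaped.  The phishing-page [ID] charset
# is an assumption (alphanumeric); the report shows only a placeholder.
INDICATORS = [
    ("phishing-page", re.compile(
        r"^https://service-page-[A-Za-z0-9]+-outlook\.s3\.us-west-2\.amazonaws\.com/update\.html\?email=", re.I)),
    ("snowglaze-c2", re.compile(
        r"^wss://sad4w7h913-b4a57f9c36eb\.herokuapp\.com(:443)?/ws$", re.I)),
    ("snowbelt-c2", re.compile(
        r"^https://[a-f0-9]{24}-[0-9]{6,7}-[0-9]\.s3\.us-east-2\.amazonaws\.com(/|$)", re.I)),
    # Broader hunt pattern (assumption, not a report IOC): any WebSocket to Heroku.
    ("heroku-websocket", re.compile(r"^wss://[a-z0-9-]+\.herokuapp\.com(:\d+)?/", re.I)),
]

# Scheduled-task action referencing the masquerading files under a user's AppData.
# The SysEvents\ location under AppData is an assumption; the report names the
# directory but not its full path.
AHK_TASK_ACTION = re.compile(r"AppData\\.*(RegSrvc\.exe|Protected\.ahk|\\SysEvents\\)", re.I)

# Constructed proxy log (assumed format): "<timestamp> <src_ip> <user> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2026-01-08T09:02:11 10.20.5.17 jdoe GET https://service-page-7f3a1c-outlook.s3.us-west-2.amazonaws.com/update.html?email=jdoe@corp.example 200
2026-01-08T09:02:19 10.20.5.17 jdoe GET https://www.microsoft.com/en-us/ 200
2026-01-08T09:06:40 10.20.5.17 jdoe GET https://0123456789abcdef01234567-1234567-3.s3.us-east-2.amazonaws.com/ 403
2026-01-08T09:06:41 10.20.5.17 jdoe GET https://0123456789abcdef01234567-1234568-3.s3.us-east-2.amazonaws.com/ 200
2026-01-08T09:07:05 10.20.5.17 jdoe CONNECT wss://sad4w7h913-b4a57f9c36eb.herokuapp.com:443/ws 101
2026-01-08T09:30:00 10.20.1.3 admin GET https://corp-backups.s3.us-east-2.amazonaws.com/daily.tar 200
"""

# Constructed scheduled-task export (assumed format): "<task name>,<action command line>".
SAMPLE_TASKS = r"""\Microsoft\Windows\UpdateOrchestrator\Schedule Scan,C:\Windows\System32\usoclient.exe StartScan
\SysEventsMonitor,C:\Users\jdoe\AppData\Roaming\SysEvents\RegSrvc.exe "C:\Users\jdoe\AppData\Roaming\SysEvents\Protected.ahk"
\OneDrive Standalone Update Task,C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
"""

# Constructed WebSocket frames as a SNOWGLAZE-style relay might carry them.
SAMPLE_WS_FRAMES = [
    base64.b64encode(b'{"id": 1, "cmd": "screenshot"}').decode(),  # Base64-wrapped JSON task
    "ping",                                                         # keepalive, not JSON
    base64.b64encode(b"binary\x00blob").decode(),                   # Base64 but not JSON
]

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def classify_url(url):
    """Return the first indicator name whose pattern matches `url`, else None.
    The specific C2 patterns are listed before the broad Heroku pattern on purpose."""
    for name, pattern in INDICATORS:
        if pattern.match(url):
            return name
    return None


def scan_proxy_log(text):
    """Return one dict per proxy-log line whose URL matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts, src, user, _method, url, _status = m.groups()
        name = classify_url(url)
        if name:
            hits.append({"ts": ts, "src": src, "user": user, "indicator": name, "url": url})
    return hits


def scan_scheduled_tasks(text):
    """Return the names of tasks whose action references the AutoHotkey
    masquerading files under a user profile's AppData."""
    return [name for name, _, action in (line.partition(",") for line in text.splitlines())
            if AHK_TASK_ACTION.search(action)]


def is_base64_json(frame):
    """True if `frame` is strict Base64 that decodes to a JSON object or array,
    the framing the report describes for SNOWGLAZE relay traffic."""
    try:
        obj = json.loads(base64.b64decode(frame, validate=True))
    except (binascii.Error, ValueError):  # bad Base64, bad UTF-8, or not JSON
        return False
    return isinstance(obj, (dict, list))


def count_base64_json_frames(frames):
    """Count frames that look like Base64-wrapped JSON; a burst of these to a
    Heroku WebSocket endpoint is the behavioural indicator from this section."""
    return sum(1 for f in frames if is_base64_json(f))


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['indicator']}: {hit['url']}")
    print("suspicious tasks:", scan_scheduled_tasks(SAMPLE_TASKS))
    print("base64-json frames:", count_base64_json_frames(SAMPLE_WS_FRAMES))
```

The S3 patterns match on bucket name rather than IP or ASN, which is the only stable handle this tradecraft leaves at the network layer; the Base64-JSON check is a heuristic and should be combined with the destination (a Heroku WebSocket) and volume before it becomes an alert on its own.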
9: Why This Matters Now
UNC6692 underscored that trust abuse in everyday tools can eclipse the risk of unpatched flaws, and a credible chat can outpace a critical CVE. The path forward demanded controls that assumed adversaries would look legitimate: locked-down external collaboration in Teams, real-time visibility into extensions and headless browser behavior, and cloud egress analytics tuned to WebSocket C2 and DGA-like S3 patterns. Security teams also benefited from workflow guardrails—verified IT contact methods, service desk-only remediation, and user training calibrated to post-disruption lures. By pairing identity-centric hardening with deep browser and cloud telemetry, defenders gained ground against campaigns that hid in sanctioned traffic and turned assistance into access.
