ExtraHop named a leader in the Gartner® Magic Quadrant™ for Network Detection and Response

Search
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right

UNC6692 and the SNOW Malware Ecosystem

Share blog icon

Back to top

Back to top

July 7, 2026

Anatomy of an Attack

UNC6692 and the SNOW Malware Ecosystem

Introduction

Threat actors continue to favor social engineering for initial access and traditional email phishing remains a primary method for establishing contact. However, modern adversaries are changing how they use these tactics. Instead of relying on email alone, they chain multiple communication channels together, combining classic phishing with enterprise collaboration platforms to build a deceptive level of trust.

Unit42’s 2025 Global Incident Report highlights this trend. The report revealed that 45% of social engineering attacks involved impersonation of internal personnel to establish credibility. Data from the 2026 Verizon Data Breach Investigations Report (DBIR) bolsters this statistic, stating attackers have achieved moderate success with impersonating helpdesk employees or users needing a password reset.

This tactic succeeds because it weaponizes the routine enterprise tools and daily interactions that users inherently trust. Today, adversaries weaponize emails in tandem with platforms like Microsoft Teams to execute sophisticated "clickfix" scenarios, manufacturing an operational crisis just to offer a fake “patch.”

Case Study: UNC6692's Multi-Stage Campaign

In April 2026, Mandiant detailed a prime example of this multi-stage campaign evolution executed by UNC6692.

  • Distract: The group initiated their intrusion by launching a massive email-bombing campaign to flood a target's inbox, creating immediate administrative friction and user fatigue.
  • Impersonate: While the user struggled to manage the influx of spam, UNC6692 actively intervened via Microsoft Teams. Posing as corporate IT helpdesk personnel, the actors offered a "patch", downloaded via a URL to stop the email bombardment.
  • Deliver: Instead of resolving the issue, interacting with the link triggered a multi-stage deployment pipeline for the SNOW malware ecosystem.

By blending legitimate external chat requests with user-facing disruptions, the adversary easily circumvented traditional email security perimeters. Ultimately, this coordinated chain of events allowed UNC6692 to compromise a domain controller (DC), giving them full control of the organization’s identity infrastructure.

SNOW Malware Operational Overview

The SNOW malware toolkit operates as a pipeline of tools, designed to seamlessly access and support post-compromise activities following the initial breach. The ecosystem consists of three components:

  • SNOWBELT: A malicious Chromium browser extension [T1176] designed to secure the initial foothold on the victim device.
  • SNOWGLAZE: A Python-based tunneling tool that utilizes WebSockets protocol to conceal command-and-control (C2) traffic.
  • SNOWBASIN: A backdoor responsible for executing commands on the compromised host.

UNC6692’s SNOW Campaign Lifecycle

Phase 1: Initial Access

UNC6692 employed a combination of social engineering tactics to overwhelm their target by manufacturing a fake crisis. Once the victim panicked, the attackers gained their trust by stepping in to offer a solution. The actor initiated the attack by orchestrating an email bombing campaign, spamming the target's inbox. While the victim is flooded with emails, the actors reach out to the victim over Microsoft Teams [T1566.002], impersonating helpdesk personnel.

By shifting the communication to a trusted collaboration platform, the actors exploited the victim’s inherent trust in corporate channels. The actors provided the victim with a malicious link [T1204.001], directing them to a Mailbox Repair and Sync Utility. If the user clicked on the “Health Check” button, a fake authentication portal prompted them to enter their credentials multiple times under the guise of verification. This deliberate redundancy helped ensure the stolen credentials were correct. Once the user is “authenticated”, the harvested credentials are exfiltrated to an actor-controlled AWS S3 bucket [T1567.002].

Phase 2: Establishing a Foothold and Staging

Further interaction with the site triggered the download of an AutoHotkey binary [T1059.010] and script from an AWS S3 bucket. Because the files shared identical names, the script executed automatically upon download, bypassing standard user prompts and resulted in the deployment of SNOWBELT, the first payload of the SNOW malware ecosystem.

SNOWBELT, a malicious JavaScript-based browser extension [T1176.001], evades detection by masquerading as a system heartbeat monitoring tool. It serves as an initial foothold on the compromised device. Functionally, SNOWBELT served as an initial staging mechanism, silently downloading [T1105] the remaining components of the intrusion suite, which included SNOWGLAZE, SNOWBASIN, additional AutoHotkey scripts, and a compressed ZIP archive [T1027.015] containing Python-based utilities.

Phase 3: Maintaining Persistence

To ensure long-term access, UNC6692 established persistence across both the browser environment and the underlying Windows operating system. Within the browser, SNOWBELT manipulated the extension registration system and utilized native browser features, specifically Service Worker Alarms and Keep-Alive Tab Injection, to maintain continuous execution whenever the browser remained active.

Simultaneously, SNOWBELT anchored itself within the operating system using native Windows features. A shortcut to an AutoHotkey script is placed within the Windows Startup folder [T1547.001]. This script monitored SNOWBELT and automatically restarted the extension if it was terminated. Additionally, the adversary configured scheduled tasks [T1053.005] to launch SNOWBELT inside a windowless, hidden Microsoft Edge process while systematically clearing active security logs to evade detection.

Phase 4: Network Reconnaissance, Tunneling, and Command Execution

Once the toolkit was staged, the Python scripts initiated local network reconnaissance [T1046] by performing targeted port scans for 135 (RPC), 445 (SMB), and 3389 (RDP) to identify internal lateral movement targets.

To bypass perimeter defenses, SNOWGLAZE establishes a WebSocket Tunnel [T1572] to the actor’s C2 infrastructure. This allows the malicious traffic to blend in with normal web traffic [T1071.001]. SNOWGLAZE supports SOCKS proxy functionality [T1090], allowing the actors to route inbound TCP traffic through the compromised host to hide the actor's true origin. To further conceal operations, UNC6692 hosted their C2 servers on legitimate cloud services like Heroku.

Concurrently, SNOWBASIN operates as a local HTTP server, typically listening on port 8000. It acts as the primary execution arm, allowing the actors to control the compromised host via the Windows Command Shell [T1059.003] and PowerShell [T1059.001]. SNOWBASIN also supports screenshot capture [T1113], file exfiltration, and session termination.

Leveraging the port scanning data, UNC6692 used SNOWGLAZE to initiate a PsExec session [T1021.002] over port 135 to enumerate administrator accounts. While the exact method is unconfirmed, authenticated SMB share enumeration [T1135] is a possible vector for gathering the credentials. Using the harvested administrative credentials, the actors established a RDP session [T1021.001] through the SNOWGLAZE tunnel from the victim host to an internal corporate backup server.

The SNOW tools operate as a cohesive set of installed services. SNOWGLAZE facilitates proxied network communication between the attacker and compromised host. As traffic passes through SNOWGLAZE, SNOWBELT monitors for C2 commands and relays them to SNOWBASIN for execution.

Phase 5: Domain Compromise and Exfiltration

With access to the backup server, the actors dumped the memory of the Local Security Authority Subsystem Service (LSASS) process [T1003.001] using Windows Task Manager. This dump captured cleartext credentials, NTLM password hashes, and Kerberos tickets belonging to administrators who had previously authenticated to the backup system. The sensitive data was exfiltrated via LimeWire [T1041] for offline credential extraction.

Using the extracted credentials, UNC6692 executed a Pass-the-Hash attack [T1550.002] to move laterally from the backup server directly to the active directory DC. On the DC the actors used Microsoft Edge to download a ZIP file containing FTK Imager, a legitimate forensic tool.

By executing FTK Imager on the DC, the attackers bypassed active file system locks on core operating system components, enabling them to copy and compress the entire Active Directory database (NTDS.dit) [T1003.003] alongside the Security Account Manager (SAM), SYSTEM, and SECURITY registry hives. The threat group then exfiltrated these files via LimeWire while simultaneously using SNOWBASIN to capture verification screenshots of the FTK Imager interface and active Edge sessions.

Detect the Behavior: MITRE ATT&CK and ExtraHop Mappings

Loading table...

ExtraHop NDR Detection & Capabilities

The UNC6692 SNOW campaign demonstrates why security teams require a holistic view of their network to detect sophisticated attacks spanning across multiple tactics and devices. Since UNC6692 uses legitimate tools and encrypted tunnels, individual security tools alone struggle to identify an active breach. While EDR remains essential for capturing payload execution, relying solely on endpoint data is not enough. It misses the lateral movement and network clues left behind. To effectively detect and stop threat actor behavior like UNC6692, defenders need a defense-in-depth strategy and behavioral insights that NDRs, like ExtraHop RevealX, provide.

RevealX gives analysts a head start by detecting network behavioral anomalies from the beginning of an attack. Before an agent notices the execution of malicious scripts, the network reveals the actor’s first steps through irregular connections and suspicious payload downloads. Even when UNC6692 tries to hide its tracks by routing C2 through SNOWGLAZE and blending in with normal network traffic, RevealX spots the hidden tunnels and exposes their presence.

Full network visibility is crucial for exposing internal lateral movement and preventing data exfiltration. UNC6692 often used valid credentials and legitimate administrative tools to stealthily move through the network. By continuously monitoring internal traffic, RevealX automatically flags anomalies, separating legitimate activity from malicious behavior.

SNOW does not just touch one aspect of the campaign; it is an intrusion pipeline. With the help of ExtraHop RevealX, defenders can see the pipeline as it moves through the phases of the attack.

Technical Takeaways

  • Collaboration platforms are now part of the phishing attack surface. UNC6692 used email flooding to create urgency, then impersonated IT helpdesk personnel over Microsoft Teams and directed the victim to a fake “local patch” hosted on attacker-controlled AWS S3 infrastructure.
  • The SNOW ecosystem is modular and integrated. SNOWBELT provides the browser-based foothold, SNOWGLAZE enables tunneling and SOCKS proxying, and SNOWBASIN supports backdoor functions such as command execution, screenshots, file handling, and exfiltration.
  • The campaign blends into normal enterprise activity. UNC6692 used Microsoft Teams, Microsoft Edge, AWS S3, Heroku, AutoHotkey, portable Python, PsExec, RDP, FTK Imager, and LimeWire across the intrusion, making behavioral detection more effective than static allow/block logic.
  • Credential theft is central to UNC6692 operations. The actor harvested credentials during initial access, dumped LSASS memory, used extracted hashes for Pass-the-Hash lateral movement, and exfiltrated NTDS.dit plus the SAM, SYSTEM, and SECURITY registry hives from a domain controller.
  • Network telemetry is critical to reconstruct the attack path. The campaign spans browser, endpoint, cloud, identity, and internal network activity, requiring defenders to correlate signals across domains.

Recommended Response

  • Treat collaboration tools as security control points. Restrict Microsoft Teams external access to trusted organizations where possible, apply domain allow/block policies, and require verification workflows for helpdesk interactions.
  • Train users on helpdesk impersonation tactics. Reinforce that legitimate IT support should not ask users to install patches from chat-delivered links or authenticate through unexpected cloud-hosted pages.
  • Monitor cloud-hosted phishing and staging infrastructure. Baseline normal S3 usage and alert on abnormal behaviors, such as unusual S3 object access, unexpected downloads, and endpoints interacting with cloud storage they do not normally use.
  • Restrict and monitor AutoHotKey and portable runtimes. AutoHotKey and portable Python can be legitimate, but they should be tightly controlled on systems where they are not required. Alert on first-seen execution, unusual parent-child relationships, and downloads immediately preceding execution.
  • Audit Chromium browser extensions and headless browser behavior. Hunt for extensions not installed through approved channels, suspicious extension names, and unexpected headless Microsoft Edge processes.
  • Detect tunneling and proxy behavior. Monitor for new WebSocket tunnels, SOCKS proxy connections, and long-lived connections, unusual Heroku or cloud-hosted C2 patterns, and endpoints unexpectedly acting as tunnel endpoints.
  • Watch for internal service scanning. Alert on internal scans of ports 135, 445, and 3389, from devices that are not approved scanners or management systems.
  • Monitor lateral movement pathways. Detect unusual PsExec activity, administrative RDP sessions from atypical hosts, and remote administration activity that follows tunneling, internal scanning, or credential-access events.
  • Protect credentials and domain controllers. Restrict local administrator use, enforce privileged-access controls, monitor LSASS access, and alert on attempts to copy or exfiltrate NTDS.dit, SAM, SYSTEM, and SECURITY hives.
  • Validate exfiltration controls. Monitor for large or unusual outbound transfers to cloud storage, file-sharing platforms such as LimeWire, and unknown external hosts, especially after credential access, archive creation, FTK Imager execution, or domain-controller access.

Resources

Learn More About ExtraHop

The network usually tells the story that logs and endpoints often miss. If you want to see how this works in practice, or if you want to understand how your own environment holds up against a SNOW-style intrusion, there are a few ways we can help:

  • See it in action: We can show how RevealX NDR helps detect behaviors associated with the SNOW campaign, including suspicious cloud access, WebSocket tunneling, and data exfiltration.
  • Check your blind spots: We offer a network security assessment to help identify lateral movement, cloud egress, and suspicious internal traffic your current tools may not be catching.
  • Your experts speak with our experts: If you have specific questions, your team can spend time with ours.

Click HERE to schedule your time with us and learn more about ExtraHop RevealX NDR.

blog image
Blog author
Angela Wilson

Senior Cyber Threat Intelligence Analyst

Angela Wilson is a Senior Cyber Threat Intelligence Analyst with over a decade of experience in the cybersecurity industry. She focuses on transforming complex threat data into strategic intelligence that enhances organizational resilience and informs proactive defense.

Share
LinkedIn logoX logoFacebook logo

Experience RevealX NDR for Yourself

Schedule a demo