TTPwire Vol. 1 · MITRE ATT&CK · Tagged

The Hacker News

UNC6692 Impersonates IT Help Desk via Microsoft Teams to Deploy SNOW Malware

The Hacker News · 2026-04-23

ATT&CK techniques detected

18 predictions

T1684.001 Impersonation · 96%
“UNC6692 impersonates IT help desk via Microsoft Teams to deploy SNOW malware. A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. "As …”

T1021.006 Windows Remote Management · 95%
“Remote Management (WinRM), allowing threat actors to pivot toward high-value assets including domain controllers," the tech giant said. "In observed intrusions, follow-on commercial remote management software and data transfer utilities such as rclone were used to expand …”

T1566.004 Spearphishing Voice · 83%
“by former Black Basta affiliates. Despite the group shutting down its ransomware operations early last year, the playbook has witnessed no signs of slowing down. In a report published last week, ReliaQuest revealed that the approach is being used to target executives and senior-…”

T1021.006 Windows Remote Management · 81%
“PowerShell execution followed by a WebSocket backdoor," the cybersecurity company said. "Defenders should treat collaboration tools as first-class attack surfaces by enforcing help desk verification workflows, tightening external Teams and screen-sharing controls, and harde…”

T1219 Remote Access Tools · 71%
“by former Black Basta affiliates. Despite the group shutting down its ransomware operations early last year, the playbook has witnessed no signs of slowing down. In a report published last week, ReliaQuest revealed that the approach is being used to target executives and senior-…”

T1566.004 Spearphishing Voice · 64%
“Downloads folder, and exfiltrate it using the LimeWire file upload tool. "The UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware, and a malicious browser extension, playing on the victim's inherent trus…”

T1667 Email Bombing · 60%
“UNC6692 impersonates IT help desk via Microsoft Teams to deploy SNOW malware. A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. "As …”

T1071 Application Layer Protocol · 58%
“SNOWBELT extension, UNC6692 downloaded additional files including SNOWGLAZE, SNOWBASIN, AutoHotkey scripts, and a ZIP archive containing a portable Python executable and required libraries." The phishing page is also designed to serve a configuration management panel with a prom…”

T1219 Remote Access Tools · 52%
“PowerShell execution followed by a WebSocket backdoor," the cybersecurity company said. "Defenders should treat collaboration tools as first-class attack surfaces by enforcing help desk verification workflows, tightening external Teams and screen-sharing controls, and harde…”

T1566.002 Spearphishing Link · 46%
“by former Black Basta affiliates. Despite the group shutting down its ransomware operations early last year, the playbook has witnessed no signs of slowing down. In a report published last week, ReliaQuest revealed that the approach is being used to target executives and senior-…”

T1204.002 Malicious File · 45%
“on the other hand, deviates from this approach as the victim is instructed to click on a phishing link shared via Teams chat to install a local patch to remediate the spam issue. Once it's clicked, it leads to the download of an AutoHotkey script from a threat actor-controlle…”

T1566.004 Spearphishing Voice · 44%
“UNC6692 impersonates IT help desk via Microsoft Teams to deploy SNOW malware. A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. "As …”

T1598.004 Spearphishing Voice · 37%
“Downloads folder, and exfiltrate it using the LimeWire file upload tool. "The UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware, and a malicious browser extension, playing on the victim's inherent trus…”

T1003.001 LSASS Memory · 36%
“exe" or "powershell.exe," screenshot capture, file upload/download, and self-termination. It runs as a local HTTP server on ports 8000, 8001, or 8002. Some of the other post-exploitation actions carried out by UNC6692 after gaining initial access are as follows - - Use …”

T1021.001 Remote Desktop Protocol · 36%
“exe" or "powershell.exe," screenshot capture, file upload/download, and self-termination. It runs as a local HTTP server on ports 8000, 8001, or 8002. Some of the other post-exploitation actions carried out by UNC6692 after gaining initial access are as follows - - Use …”

T1059.001 PowerShell · 35%
“PowerShell execution followed by a WebSocket backdoor," the cybersecurity company said. "Defenders should treat collaboration tools as first-class attack surfaces by enforcing help desk verification workflows, tightening external Teams and screen-sharing controls, and harde…”

T1586.002 Email Accounts · 33%
“UNC6692 impersonates IT help desk via Microsoft Teams to deploy SNOW malware. A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. "As …”

T1566.003 Spearphishing via Service · 32%
“UNC6692 impersonates IT help desk via Microsoft Teams to deploy SNOW malware. A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. "As …”

Summary

A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. "As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT help desk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account