TTPwire Vol. 1 · MITRE ATT&CK·Tagged


The Register Security

Crime crew impersonates help desk, abuses Microsoft Teams to steal your data

Jessica Lyons · 2026-04-25

ATT&CK techniques detected

10 predictions
T1684.001 Impersonation (96%)
“Crime crew impersonates help desk, abuses Microsoft Teams to steal your data. Coming in cold with custom Snow malware. A previously unknown threat group using tried-and-tested social engineering tactic…”

T1071.001 Web Protocols (94%)
“…web store - only via social engineering tactics.) Snow malware. UNC6692 uses the Snowbelt extension to download its other custom "Snow"-named malware, along with additional AutoHotkey scripts, and a zip archive containing a portable Python executable and required libraries. The…”

T1555.003 Credentials from Web Browsers (85%)
“…The credential-harvest script also uses a sneaky "double-entry" psychological trick that auto-rejects the first and second password attempts as incorrect. "This serves two functions: it reinforces the user's belief that the system is legitimate and performs real-t…”

T1566.004 Spearphishing Voice (68%)
“Crime crew impersonates help desk, abuses Microsoft Teams to steal your data. Coming in cold with custom Snow malware. A previously unknown threat group using tried-and-tested social engineering tactic…”

T1566.002 Spearphishing Link (68%)
“Crime crew impersonates help desk, abuses Microsoft Teams to steal your data. Coming in cold with custom Snow malware. A previously unknown threat group using tried-and-tested social engineering tactic…”

T1566.001 Spearphishing Attachment (67%)
“…The credential-harvest script also uses a sneaky "double-entry" psychological trick that auto-rejects the first and second password attempts as incorrect. "This serves two functions: it reinforces the user's belief that the system is legitimate and performs real-t…”

T1667 Email Bombing (61%)
“Crime crew impersonates help desk, abuses Microsoft Teams to steal your data. Coming in cold with custom Snow malware. A previously unknown threat group using tried-and-tested social engineering tactic…”

T1566.002 Spearphishing Link (60%)
“…The credential-harvest script also uses a sneaky "double-entry" psychological trick that auto-rejects the first and second password attempts as incorrect. "This serves two functions: it reinforces the user's belief that the system is legitimate and performs real-t…”

T1071.001 Web Protocols (59%)
“…JSON objects and base64 encoding it for transfer via WebSockets, which makes it look like legitimate, standard encrypted web traffic. Finally, Snowbasin is a Python bindshell providing interactive control over the infected system. It serves as a persistent backdoor, operating as…”

T1566.002 Spearphishing Link (33%)
“…relays the results back through the same pipeline to the attacker. "These types of interactive social engineering tactics have proven very profitable for cybercrime groups like ShinyHunters and Scattered LAPSUS$ Hunters. Google analysts, however, told The Register that there'…”

Summary

Coming in cold with custom Snow malware

A previously unknown threat group using tried-and-tested social engineering tactics - Microsoft Teams chat invitations and helpdesk staff impersonation - is also using custom malware in its data-stealing attacks, according to Google's Threat Intelligence Group.…