Find notable cyber news and cases, enriched with sources, timelines, and signals.

Snow malware suite deployment by UNC6692

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

UNC6692 has deployed the Snow malware suite through social engineering, creating a stealthy path to credential theft and domain compromise. The operation uses email bombing and Microsoft Teams impersonation to trick victims into installing a fake patch. The dropper installs SnowBelt, SnowGlaze, and SnowBasin, which together support persistence, hidden command-and-control, and exfiltration. Post-compromise activity includes SMB/RDP reconnaissance, LSASS dumping, and pass-the-hash movement to domain controllers.

Related Happenings

KongTuke ClickFix and Teams access-seeking campaign

Campaign
H score33 First: 25.06.2026 11:54 Last: 25.06.2026 11:54 Sources 1

About this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...

Edgecution malicious Microsoft Edge extension backdoor activity

Malware Activity
H score23 First: 24.06.2026 23:58 Last: 24.06.2026 23:58 Sources 1

About this happening: The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...

Mistic backdoor attack activity targeting enterprise sectors since April

Malware Activity
H score33 First: 24.06.2026 13:41 Last: 24.06.2026 13:41 Sources 1

About this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against **insurance, education, IT, and professional services** organizations, giving operators a stealt...

Backdoor.Turn Microsoft Teams TURN relay malware activity

Malware Activity
H score29 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...

Major U.S. services company hit by ransomware attack linked to DragonForce

Incident
H score38 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...

Timeline

  1. 25.04.2026 18:07 2 articles · 2mo ago

    UNC6692 deploys Snow malware via Microsoft Teams

    Initial Disclosure

    UNC6692 uses email bombing to create urgency, then poses as IT helpdesk staff on Microsoft Teams to steer target users toward a fake patch link that drops AutoHotkey scripts and the Snow malware suite. The chain loads SnowBelt in a headless Microsoft Edge instance with scheduled-task and startup-folder persistence, while SnowGlaze establishes a WebSocket tunnel and SOCKS proxy path to mask C2 traffic and SnowBasin executes attacker-supplied CMD or PowerShell commands for remote shell access, file download, screenshot capture, basic file management, and data exfiltration. Post-compromise activity includes SMB and RDP reconnaissance, lateral movement, LSASS memory dumping, pass-the-hash authentication, FTK Imager collection of the Active Directory database plus SYSTEM, SAM, and SECURITY hives, and exfiltration with LimeWire.

    Show sources