Snow malware suite deployment by UNC6692
Malware Activity
Summary
Hide ▲
Show ▼
UNC6692 has deployed the Snow malware suite through social engineering, creating a stealthy path to credential theft and domain compromise. The operation uses email bombing and Microsoft Teams impersonation to trick victims into installing a fake patch. The dropper installs SnowBelt, SnowGlaze, and SnowBasin, which together support persistence, hidden command-and-control, and exfiltration. Post-compromise activity includes SMB/RDP reconnaissance, LSASS dumping, and pass-the-hash movement to domain controllers.
Related Happenings
KongTuke ClickFix and Teams access-seeking campaign
Campaign
H score33
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
KongTuke ClickFix and Teams access-seeking campaign
CampaignAbout this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
Edgecution malicious Microsoft Edge extension backdoor activity
Malware Activity
H score23
First: 24.06.2026 23:58
Last: 24.06.2026 23:58
Sources 1
About this happening:
The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
Edgecution malicious Microsoft Edge extension backdoor activity
Malware ActivityAbout this happening: The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
Mistic backdoor attack activity targeting enterprise sectors since April
Malware Activity
H score33
First: 24.06.2026 13:41
Last: 24.06.2026 13:41
Sources 1
About this happening:
The **Mistic** backdoor is being used in **financially motivated attacks** against **insurance, education, IT, and professional services** organizations, giving operators a stealt...
Mistic backdoor attack activity targeting enterprise sectors since April
Malware ActivityAbout this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against **insurance, education, IT, and professional services** organizations, giving operators a stealt...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware Activity
H score29
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
**Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware ActivityAbout this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Timeline
-
25.04.2026 18:07 2 articles · 2mo ago
UNC6692 deploys Snow malware via Microsoft Teams
Initial DisclosureUNC6692 uses email bombing to create urgency, then poses as IT helpdesk staff on Microsoft Teams to steer target users toward a fake patch link that drops AutoHotkey scripts and the Snow malware suite. The chain loads SnowBelt in a headless Microsoft Edge instance with scheduled-task and startup-folder persistence, while SnowGlaze establishes a WebSocket tunnel and SOCKS proxy path to mask C2 traffic and SnowBasin executes attacker-supplied CMD or PowerShell commands for remote shell access, file download, screenshot capture, basic file management, and data exfiltration. Post-compromise activity includes SMB and RDP reconnaissance, lateral movement, LSASS memory dumping, pass-the-hash authentication, FTK Imager collection of the Active Directory database plus SYSTEM, SAM, and SECURITY hives, and exfiltration with LimeWire.
Show sources
- Threat actor uses Microsoft Teams to deploy new “Snow” malware — www.bleepingcomputer.com — 25.04.2026 18:07
- Threat actor uses Microsoft Teams to deploy new “Snow” malware — www.bleepingcomputer.com — 25.04.2026 18:07