Snow malware suite deployment by UNC6692
Malware Activity
Summary
UNC6692 has deployed the Snow malware suite through social engineering, creating a stealthy path to credential theft and domain compromise. The operation uses email bombing and Microsoft Teams impersonation to trick victims into installing a fake patch. The dropper installs SnowBelt, SnowGlaze, and SnowBasin, which together support persistence, hidden command-and-control, and exfiltration. Post-compromise activity includes SMB/RDP reconnaissance, LSASS dumping, and pass-the-hash movement to domain controllers.
Related Happenings
KongTuke Microsoft Teams initial access campaign
Campaign
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
ModeloRAT malicious PowerShell and Dropbox delivery activity
Malware Activity
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
ACSC ClickFix mitigation guidance for Vidar Stealer
Advisory/Mitigation
First: 07.05.2026 21:00
Last: 07.05.2026 21:00
Sources 1
About this happening:
The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Timeline
25.04.2026 18:07 · 2 articles · 1mo ago
UNC6692 deploys Snow malware via Microsoft Teams
Initial Disclosure: UNC6692 uses email bombing to create urgency, then poses as IT helpdesk staff on Microsoft Teams to steer target users toward a fake patch link that drops AutoHotkey scripts and the Snow malware suite. The chain loads SnowBelt in a headless Microsoft Edge instance with scheduled-task and startup-folder persistence, while SnowGlaze establishes a WebSocket tunnel and SOCKS proxy path to mask C2 traffic and SnowBasin executes attacker-supplied CMD or PowerShell commands for remote shell access, file download, screenshot capture, basic file management, and data exfiltration. Post-compromise activity includes SMB and RDP reconnaissance, lateral movement, LSASS memory dumping, pass-the-hash authentication, FTK Imager collection of the Active Directory database plus SYSTEM, SAM, and SECURITY hives, and exfiltration with LimeWire.
Sources:
- Threat actor uses Microsoft Teams to deploy new “Snow” malware — www.bleepingcomputer.com — 25.04.2026 18:07
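As an added detection sketch (not from the report or the BleepingComputer article), the Python rules below flag the persistence and credential-access stages of the chain above when run over constructed Sysmon-style events: a headless Edge launch from a non-browser parent, a scheduled task that re-launches a headless browser, AutoHotkey-spawned child processes, and non-system access to LSASS. The file paths, the AutoHotkey.exe process name, the loopback URL and the access mask are assumptions.

```python
"""Detection rules for the Snow chain: headless Edge persistence, AutoHotkey children,
and LSASS access.  Added example over constructed telemetry; the paths, the
AutoHotkey.exe name, the loopback URL and the access mask are assumptions."""

# Constructed sample telemetry (not indicators from the report).  Each dict mimics
# a Sysmon EventID 1 (process create) or EventID 10 (process access) record.
EVENTS = [
    {"id": 1, "image": r"C:\Users\u\AppData\Local\Temp\AutoHotkey.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "AutoHotkey.exe patch.ahk"},
    {"id": 1, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\AutoHotkey.exe",
     "cmd": 'msedge.exe --headless --disable-gpu "http://127.0.0.1:8080/"'},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\AutoHotkey.exe",
     "cmd": 'schtasks /create /tn Update /tr "msedge.exe --headless http://127.0.0.1/"'},
    {"id": 10, "source": r"C:\Users\u\AppData\Local\Temp\tool.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1fffff"},
    # Benign control: interactive Edge launched by the user from the shell.
    {"id": 1, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "msedge.exe https://example.com"},
]

# Processes that legitimately open LSASS; extend from your own baseline.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe"}


def base(path):
    """Return the lowercase file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event_index) pairs for every event that matches a rule."""
    hits = []
    for i, e in enumerate(events):
        if e["id"] == 1:
            img, parent, cmd = base(e["image"]), base(e["parent"]), e["cmd"].lower()
            # Edge's own renderer children inherit --headless, so exclude msedge parents.
            if img == "msedge.exe" and "--headless" in cmd and parent != "msedge.exe":
                hits.append(("headless_edge_non_browser_parent", i))
            if img == "schtasks.exe" and "/create" in cmd and "--headless" in cmd:
                hits.append(("scheduled_task_headless_browser", i))
            if parent.startswith("autohotkey"):
                hits.append(("autohotkey_child_process", i))
        elif e["id"] == 10 and base(e["target"]) == "lsass.exe":
            if base(e["source"]) not in LSASS_ALLOWLIST:
                hits.append(("suspicious_lsass_access", i))
    return hits
```

The headless-Edge rule will fire on legitimate automation that drives Edge headlessly, so baseline it per environment before alerting.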