
UNC6692 email bombing and Microsoft Teams impersonation campaign

Campaign
Happening score: H score 38
1 unique source, 1 article

Summary


UNC6692 is running a social-engineering campaign that uses email bombing and Microsoft Teams impersonation to push targets toward remote access and initial compromise. The operation matters because it is designed to create urgency, bypass normal trust checks, and open a path to credential theft and deeper network access.

Related Happenings

KongTuke Microsoft Teams initial access campaign

Campaign
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

Snow malware suite deployment by UNC6692

Malware Activity
First: 25.04.2026 18:07 Last: 25.04.2026 18:07 Sources 1

How related: A threat group tracked as UNC6692 uses social engineering to deploy a new, custom malware suite named “Snow,” which includes a browser extension, a tunneler, and a backdoor.

About this happening: UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...

Timeline

  1. 25.04.2026 18:07 2 articles · 1mo ago

    UNC6692 uses Teams impersonation and a fake patch to deploy Snow

    Initial Disclosure

    UNC6692 uses email bombing and Microsoft Teams impersonation to pose as IT helpdesk staff, pressure targets into clicking a link to a fake spam-blocking patch, and deploy the Snow malware suite. The dropper loads SnowBelt as a malicious Chrome extension on a headless Microsoft Edge instance, while SnowGlaze creates a WebSocket tunnel and SOCKS proxy path to SnowBasin, a Python-based backdoor. SnowBasin can run CMD or PowerShell and supports remote shell access, data exfiltration, file download, screenshot capture, and file management. It also enables later credential theft, lateral movement, and Active Directory harvesting with FTK Imager and LimeWire.
