4 malware families

UNC6692

Also known asUNC6692

UNC6692 is a newly identified threat cluster tracked by Google Threat Intelligence Group (GTIG) and Mandiant. The group is associated with a multistage intrusion campaign observed in late December 2025 that relies on social engineering rather than software exploitation. Its core tradecraft combines email bombing with Microsoft Teams helpdesk impersonation: attackers flood targets with spam, then contact them from external Teams accounts while posing as IT support and direct them to a fake mailbox repair or sync utility. The phishing workflow harvests credentials, including through a repeated-password prompt designed to capture the password twice, and stages malware from attacker-controlled cloud infrastructure including Amazon S3. UNC6692 abuses trusted enterprise and cloud services, including Microsoft Teams, AWS S3, and Heroku, for payload delivery, command and control, and exfiltration to blend into legitimate traffic. The group deploys a custom modular malware ecosystem referred to as Snow, consisting of SNOWBELT, SNOWGLAZE, and SNOWBASIN. SNOWBELT is a malicious Chromium browser extension, often masquerading as "MS Heartbeat" or "System Heartbeat," used for initial foothold, persistence, and command relay. SNOWGLAZE is a Python-based tunneler that creates authenticated WebSocket tunnels and can proxy traffic. SNOWBASIN is a Python backdoor/bindshell that enables remote command execution, screenshot capture, file transfer, and data staging. The intrusion chain also uses AutoHotkey binaries and scripts and a portable Python environment. Post-compromise activity attributed to UNC6692 includes reconnaissance, internal network scanning for ports 135, 445, and 3389, use of PsExec and RDP for lateral movement, LSASS memory extraction, Pass-the-Hash movement to domain controllers, and theft of sensitive data including NTDS.dit and registry hives using FTK Imager, with exfiltration via LimeWire. Reporting also notes the group has targeted enterprise users, including executives and senior employees, through Teams-based helpdesk impersonation. Although the tactics resemble social-engineering operations associated with groups such as ShinyHunters, Scattered Lapsus$ Hunters, Scattered Spider, and activity long associated with former Black Basta affiliates, the provided reporting explicitly states there is no observed overlap between UNC6692 and ShinyHunters or Scattered Lapsus$ Hunters. No nation-state attribution is stated in the provided content. Known alias in the provided content: UNC6692.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

48 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics64 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1598

Phishing for Information

TA0042

Resource Development

1 technique

T1583

Acquire Infrastructure

T1583.006

Web Services

TA0001

Initial Access

2 techniques

T1078×6

Valid Accounts

T1566×7

Phishing

T1566.001

Spearphishing Attachment

T1566.002×3

Spearphishing Link

T1566.003×7

Spearphishing via Service

TA0002

Execution

3 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1059×3

Command and Scripting Interpreter

T1059.001×2

PowerShell

T1059.003×2

Windows Command Shell

T1059.006

Python

T1059.010

AutoHotKey & AutoIT

T1204×2

User Execution

T1204.002×3

Malicious File

TA0003

Persistence

4 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1078×6

Valid Accounts

T1176×5

Software Extensions

T1547

Boot or Logon Autostart Execution

T1547.009

Shortcut Modification

TA0004

Privilege Escalation

3 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1078×6

Valid Accounts

T1547

Boot or Logon Autostart Execution

T1547.009

Shortcut Modification

TA0005

Stealth

3 techniques

T1036×5

Masquerading

T1078×6

Valid Accounts

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

TA0006

Credential Access

2 techniques

T1003

OS Credential Dumping

T1003.001×2

LSASS Memory

T1003.003×2

NTDS

T1056

Input Capture

TA0007

Discovery

5 techniques

T1018

Remote System Discovery

T1033

System Owner/User Discovery

T1046×3

Network Service Discovery

T1082×2

System Information Discovery

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

TA0008

Lateral Movement

2 techniques

T1021×2

Remote Services

T1021.001

Remote Desktop Protocol

T1021.002×2

SMB/Windows Admin Shares

T1550

Use Alternate Authentication Material

T1550.002×2

Pass the Hash

TA0009

Collection

4 techniques

T1056

Input Capture

T1074

Data Staged

T1113×4

Screen Capture

T1560

Archive Collected Data

TA0011

Command and Control

7 techniques

T1001

Data Obfuscation

T1071

Application Layer Protocol

T1071.001×2

Web Protocols

T1090×2

Proxy

T1090.002×2

External Proxy

T1095

Non-Application Layer Protocol

T1105×3

Ingress Tool Transfer

T1219

Remote Access Tools

T1572

Protocol Tunneling

TA0010

Exfiltration

3 techniques

T1041

Exfiltration Over C2 Channel

T1048

Exfiltration Over Alternative Protocol

T1567×2

Exfiltration Over Web Service

T1567.002×2

Exfiltration to Cloud Storage

ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

SNOWBASINFinally, SnowBasin is a Python bindshell providing interactive control over the infected system. It serves as a persistent backdoor, operating as a local HTTP server and typically listening on port 8000, allowing remote command execution, screenshot capture, and data staging for exfiltration.8May 6, 2026

SNOWBELTThe first stage downloads an AutoHotKey binary and an AutoHotkey script, which immediately starts performing reconnaissance and installs a malicious Chromium browser extension called SnowBelt. ... SnowBelt, a JavaScript-based backdoor delivered as a Chromium browser extension, gives the attacker an initial foothold and maintains persistence via the browser's extension registration system. It often hides behind names like "MS Heartbeat" or "System Heartbeat."8May 6, 2026

SNOWGLAZESnowGlaze is a Python-based tunneler that runs in both Windows and Linux environments and manages the external communication. It creates an authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) infrastructure, such as a Heroku subdomain.8May 6, 2026

SnowA threat group tracked as UNC6692 uses social engineering to deploy a new, custom malware suite named “Snow,” which includes a browser extension, a tunneler, and a backdoor.2Apr 25, 2026

IOCS

Observables

6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

6 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

15 SOURCESView more in app

palo alto networks unit 42 blogNews

Jun 8, 2026

When “Hi, This Is IT” Comes Through Microsoft Teams

Impersonates IT helpdesk staff over Microsoft Teams and socially engineers employees into accepting external chat invitations.

dark readingNews

May 7, 2026

After Replacing TeamPCP Malware, 'PCPJack' Steals Cloud Secrets

Named activity cluster referenced as combining social engineering, malware, and cloud abuse.

knowbe4 blogNews

May 6, 2026

Attackers Continue to Pose as Help Desks in Social Engineering Attacks

Impersonates IT help desks, uses spam and Microsoft Teams social engineering to lure victims to a phishing page, harvest credentials, and install custom malware for initial access and foothold establishment.

cyber security newsNews

May 4, 2026

Email Bombing and Fake IT Support Calls Fuel New Microsoft Teams Phishing Attacks

Linked to inbox-flooding and fake IT support social-engineering campaigns conducted via Microsoft Teams to trick users into granting remote access, leading to endpoint compromise and data exfiltration.

+10 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping48

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables6

Domains, IPs, and hashes tied to this actor, refreshed continuously.