Mallory
Malware · Ransomware · Used by 1 actor

SNOWGLAZE

SNOWGLAZE is a Python-based tunneler in the SNOW malware ecosystem used by threat cluster UNC6692. It runs on both Windows and Linux and creates a persistent, authenticated WebSocket tunnel between a victim's internal network and attacker-controlled command-and-control infrastructure, including Heroku subdomains. The malware wraps traffic in JSON objects and Base64-encodes it for transfer over WebSockets, and it can route arbitrary TCP traffic through the victim via a SOCKS proxy to mask communications. In observed intrusions, SNOWGLAZE was delivered after initial compromise by the SNOWBELT malicious Chromium extension, alongside SNOWBASIN, AutoHotkey scripts, and a portable Python environment. It was used to support deeper network access, reconnaissance, and lateral movement; reporting states UNC6692 established PsExec sessions through the SNOWGLAZE tunnel and initiated RDP sessions via the tunnel to internal systems such as backup servers. The broader intrusion chain relied on Microsoft Teams helpdesk impersonation, email bombing, and a fake Mailbox Repair Utility to socially engineer victims. A reported WebSocket IOC associated with the campaign is wss://sad4w7h913-b4a57f9c36eb.herokuapp.com/ws.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UNC6692

SnowGlaze is a Python-based tunneler that runs in both Windows and Linux environments and manages the external communication. It creates an authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) infrastructure, such as a Heroku subdomain.

via The Register (theregister.com)
MITRE ATT&CK

Techniques & procedures

23 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583.006 Web Services (Evidence: 1)

its systematic abuse of legitimate cloud services for every stage of the attack payload delivery, credential exfiltration, C2 infrastructure, and data staging, all of which relied on trusted platforms like AWS S3 and Heroku.

Initial Access

5 techniques
T1133 External Remote Services (Evidence: 1)

The hacker sends a link to a fake “Mailbox Repair” utility or asks the victim to open remote access tools like Quick Assist. Either way, they install the SNOW malware suite.

T1189 Drive-by Compromise (Evidence: 1)

Once it's clicked, it leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket.

T1566 Phishing (Evidence: 5)

Step 2 — The helper arrives on Teams. Right away, an external Microsoft Teams account named “IT Helpdesk” messages the victim. The hacker offers to fix the email issue immediately.

T1566.002 Spearphishing Link (Evidence: 1)

The fake helpdesk worker prompts the user to click a link that supposedly installs a local patch that prevents email spamming. This directs victims to a landing page masquerading as a 'Mailbox Repair Utility'...

T1566.003 Spearphishing via Service (Evidence: 2)

Step 2 — The helper arrives on Teams. Right away, an external Microsoft Teams account named “IT Helpdesk” messages the victim. The hacker offers to fix the email issue immediately.

Execution

4 techniques
T1059 Command and Scripting Interpreter (Evidence: 3)

The first stage downloads an AutoHotKey binary and an AutoHotkey script, which immediately starts performing reconnaissance... SnowGlaze is a Python-based tunneler... Finally, SnowBasin is a Python bindshell...

T1059.006 Python (Evidence: 1)

...a ZIP archive containing a portable Python executable and required libraries. SnowGlaze is a Python-based tunneler... Finally, SnowBasin is a Python bindshell...

T1204 User Execution (Evidence: 1)

...to trick victims into installing a fake fix for email issues. The attack delivered AutoHotKey-based loaders...

T1204.002 Malicious File (Evidence: 1)

Once it's clicked, it leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket.

Persistence

1 technique
T1133 External Remote Services (Evidence: 1)

The hacker sends a link to a fake “Mailbox Repair” utility or asks the victim to open remote access tools like Quick Assist. Either way, they install the SNOW malware suite.

Discovery

3 techniques
T1033 System Owner/User Discovery (Evidence: 1)

Attacker commands (such as whoami or net user) are sent through the SnowGlaze tunnel...

T1046 Network Service Discovery (Evidence: 2)

...allowing deeper network access and reconnaissance.

T1087.001 Local Account (Evidence: 1)

Following internal port scanning, the threat actor established a Sysinternals PsExec session to the victim's system via the SNOWGLAZE tunnel, and executed commands to enumerate local administrator accounts.

Lateral Movement

3 techniques
T1021 Remote Services (Evidence: 1)

Using PsExec sessions routed through the SNOWGLAZE tunnel... initiated an RDP session to a backup server.

T1021.001 Remote Desktop Protocol (Evidence: 2)

initiate an RDP session via the SNOWGLAZE tunnel from the victim system to a backup server.

T1021.002 SMB/Windows Admin Shares (Evidence: 3)

Use a Python script to scan the local network for ports 135, 445, and 3389 for lateral movement; establish a PsExec session to the victim's system via the SNOWGLAZE tunneling utility.

Command and Control

7 techniques
T1001 Data Obfuscation (Evidence: 1)

It also disguises malicious traffic by wrapping data in JSON objects and Base64 encoding it for transfer via WebSockets, which makes it look like legitimate, standard encrypted web traffic.

T1071 Application Layer Protocol (Evidence: 3)

SNOWGLAZE is a Python tunneler that creates a persistent encrypted channel back to attacker infrastructure.

T1071.001 Web Protocols (Evidence: 3)

It creates an authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) infrastructure, such as a Heroku subdomain.

T1090 Proxy (Evidence: 3)

SnowGlaze is a Python-based tunneler... It creates an authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) infrastructure...

T1090.002 External Proxy (Evidence: 2)

SNOWGLAZE is a Python-based tunneler to create a secure, authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) server.

T1105 Ingress Tool Transfer (Evidence: 3)

Once installed, the extension can download additional components, including malware tools dubbed SnowGlaze and SnowBasin, along with AutoHotkey scripts and a portable Python environment used to run further malicious code.

T1572 Protocol Tunneling (Evidence: 1)

SnowGlaze is a Python-based tunneler... It creates an authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) infrastructure...
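The Command and Control entries above describe a long-lived, authenticated WebSocket tunnel to a Heroku subdomain, and the Lateral Movement entries describe a scan of ports 135, 445 and 3389 ahead of PsExec and RDP sessions through that tunnel. The following is an added detection example written for this page; it is not code from Mallory, from UNC6692 tooling, or from the reporting cited here. It parses constructed proxy and flow records (the key=value layout is an assumption, not any vendor's format), flags sources that hold a WebSocket session to the reported C2 host or a long-lived one to any *.herokuapp.com subdomain, flags sources that probe several internal hosts on those three ports within a short window, and reports hosts that do both. The thresholds (3600 s session, 5 hosts, 60 s window) and the sample addresses are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# WebSocket C2 host reported on this page (from the wss://.../ws IOC).
KNOWN_C2_HOSTS = {"sad4w7h913-b4a57f9c36eb.herokuapp.com"}
# Ports the reporting says were scanned before PsExec/RDP lateral movement.
LATERAL_PORTS = {135, 445, 3389}

# Constructed proxy log lines; key=value layout and the second Heroku host are assumptions.
PROXY_LOG = """\
2025-01-14T09:02:11Z src=10.20.5.17 host=sad4w7h913-b4a57f9c36eb.herokuapp.com:443 upgrade=websocket duration=5410
2025-01-14T09:03:40Z src=10.20.5.22 host=www.example.org:443 upgrade=- duration=2
2025-01-14T09:04:05Z src=10.20.5.22 host=chat.example.org:443 upgrade=websocket duration=95
2025-01-14T09:05:02Z src=10.20.5.17 host=sad4w7h913-b4a57f9c36eb.herokuapp.com:443 upgrade=websocket duration=7200
2025-01-14T09:06:30Z src=10.20.5.31 host=example-app-1234.herokuapp.com:443 upgrade=websocket duration=4000
"""

# Constructed internal flow records; the layout is likewise an assumption.
FLOW_LOG = """\
2025-01-14T09:10:01Z src=10.20.5.17 dst=10.20.8.1 dport=445
2025-01-14T09:10:01Z src=10.20.5.17 dst=10.20.8.2 dport=445
2025-01-14T09:10:02Z src=10.20.5.17 dst=10.20.8.3 dport=3389
2025-01-14T09:10:02Z src=10.20.5.17 dst=10.20.8.4 dport=135
2025-01-14T09:10:03Z src=10.20.5.17 dst=10.20.8.5 dport=445
2025-01-14T09:10:03Z src=10.20.5.17 dst=10.20.8.6 dport=3389
2025-01-14T09:11:00Z src=10.20.5.22 dst=10.20.8.1 dport=445
2025-01-14T09:30:00Z src=10.20.5.22 dst=10.20.8.2 dport=445
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split one record into a dict of fields plus a parsed 'ts' datetime."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def websocket_tunnel_hosts(proxy_log, min_duration=3600):
    """Return {src: reason} for sources with a WebSocket session to a known C2 host,
    or a session of at least min_duration seconds to any *.herokuapp.com subdomain."""
    hits = {}
    for line in proxy_log.splitlines():
        r = parse(line)
        if r.get("upgrade") != "websocket":
            continue
        host = r["host"].rsplit(":", 1)[0]
        dur = int(r.get("duration", 0))
        if host in KNOWN_C2_HOSTS:
            hits[r["src"]] = f"known C2 host {host}"
        elif host.endswith(".herokuapp.com") and dur >= min_duration:
            hits.setdefault(r["src"], f"long-lived websocket to {host} ({dur}s)")
    return hits


def lateral_fanout(flow_log, window=timedelta(seconds=60), min_hosts=5):
    """Return {src: max_distinct_hosts} for sources that touch at least min_hosts distinct
    internal hosts on 135/445/3389 inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for line in flow_log.splitlines():
        r = parse(line)
        if int(r["dport"]) in LATERAL_PORTS:
            by_src[r["src"]].append((r["ts"], r["dst"]))
    result = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                result[src] = max(result.get(src, 0), len(hosts))
    return result


def correlate(proxy_log, flow_log):
    """Hosts that both hold a suspicious WebSocket tunnel and fan out on lateral-movement ports."""
    tunnels = websocket_tunnel_hosts(proxy_log)
    scans = lateral_fanout(flow_log)
    return {src: (tunnels[src], scans[src]) for src in tunnels.keys() & scans.keys()}


if __name__ == "__main__":
    for src, (why, n) in correlate(PROXY_LOG, FLOW_LOG).items():
        print(f"{src}: {why}; probed {n} internal hosts on 135/445/3389 within 60s")
```

The *.herokuapp.com heuristic on its own is noisy, since many legitimate applications hosted there use WebSockets; the signal worth paging on is the correlation, where the same internal host keeps a tunnel open and then sweeps the ports that precede PsExec and RDP use in the reported intrusions.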

INDICATORS OF COMPROMISE

IOCs tracked for this family

6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
6 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type          Value                              Latest sighting
hash.sha256   (withheld on public page)          2 months ago
hash.sha256   (withheld on public page)          2 months ago
hash.sha256   (withheld on public page)          2 months ago
hash.sha256   (withheld on public page)          2 months ago
hash.sha256   (withheld on public page)          2 months ago
hash.sha256   (withheld on public page)          2 months ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (6)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (23)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.