6 min read | critical

Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite

Google Threat Intelligence Group identified UNC6692, a threat actor utilizing Microsoft Teams phishing and email bombing to deploy a custom modular malware suite. The attack chain leverages a malicious Chromium extension (SNOWBELT), a Python tunneler (SNOWGLAZE), and a Python bindshell (SNOWBASIN) to establish persistence, move laterally, and exfiltrate sensitive Active Directory data via legitimate cloud services.

Sens: Immediate | Conf: high | Analyzed: 2026-04-23

Authors: JP Glab, Tufail Ahmed, Josh Kelley, Muhammad Umair

Actors: UNC6692 | Malware: SNOWBELT, SNOWGLAZE, SNOWBASIN

Source: Mandiant

IOCs · 6

Key Takeaways

  • UNC6692 utilizes email bombing and Microsoft Teams phishing to impersonate IT helpdesk and deliver initial payloads.
  • The threat actor deploys a custom modular malware suite consisting of SNOWBELT (browser extension), SNOWGLAZE (Python tunneler), and SNOWBASIN (Python bindshell).
  • Attackers heavily abuse legitimate cloud services like AWS S3 and Heroku for payload delivery, C2 infrastructure, and data exfiltration.
  • Post-compromise activities include dumping LSASS via Task Manager and extracting Active Directory databases (NTDS.dit) using FTK Imager.
  • Persistence is maintained via scheduled tasks that launch headless Microsoft Edge instances, paired with tasks that terminate any Edge process lacking a specific DLL (CoreUIComponents.dll) to clean up the headless instances.

Affected Systems

  • Windows
  • Linux
  • Microsoft Edge
  • Chromium browsers

Attack Chain

UNC6692 initiates attacks via email bombing and Microsoft Teams phishing, tricking users into downloading an AutoHotKey payload from AWS S3. This payload installs SNOWBELT, a malicious Chromium extension, establishing a persistent backdoor via scheduled tasks. The attackers then deploy SNOWGLAZE (a Python WebSocket tunneler) and SNOWBASIN (a Python bindshell) for C2 and remote command execution. Finally, they perform internal reconnaissance, move laterally via RDP and PsExec, dump LSASS memory, and extract Active Directory databases (NTDS.dit) using FTK Imager, exfiltrating the data via LimeWire.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Google Threat Intelligence Group (GTIG)

The article provides YARA rules for detecting the SNOWGLAZE, SNOWBELT, and SNOWBASIN malware components.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can detect anomalous process executions (e.g., Task Manager dumping LSASS, FTK Imager execution, headless Edge processes) and suspicious command lines involving tasklist/taskkill.
  • Network Visibility: Medium — While C2 traffic is encrypted and uses legitimate cloud services (AWS S3, Heroku) via WebSockets, anomalous high-volume data transfers to these services or unusual WebSocket connections can be monitored.
  • Detection Difficulty: Moderate — The use of legitimate cloud infrastructure and custom browser extensions makes network detection challenging, but the endpoint behaviors (LSASS dumping, FTK Imager, specific scheduled tasks) are highly anomalous and detectable.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Process Access (Sysmon 10)
  • Network Connections (Sysmon 3)
  • Scheduled Task Creation (Event ID 4698)
  • File Creation (Sysmon 11)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for msedge.exe executing with --headless and --load-extension arguments pointing to non-standard user directories. | Process Creation (Event ID 4688 / Sysmon 1) | Persistence | Low
Search for tasklist and taskkill commands specifically querying for CoreUIComponents.dll to terminate headless browser processes. | Process Creation (Event ID 4688 / Sysmon 1) | Defense Evasion | Low
Monitor for the execution of FTK Imager (ftkimager.exe) writing files to user \Downloads directories, especially on Domain Controllers. | Process Creation (Event ID 4688 / Sysmon 1) and File Creation (Sysmon 11) | Collection | Low
Detect taskmgr.exe being used to create dump files of lsass.exe. | Process Access (Sysmon 10) or File Creation (Sysmon 11) | Credential Access | Medium
Identify unusual outbound network connections to LimeWire or Heroku subdomains from critical infrastructure like Domain Controllers or backup servers. | Network Connections (Sysmon 3) | Exfiltration | Low
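The five hypotheses above, encoded as rules over Sysmon-style events so they can be tested before being ported to a SIEM. This is an added example and not code from the GTIG/Mandiant report; the events are plain dicts keyed like Sysmon fields, the tier-0 hostnames are placeholders for an environment, and every record in SAMPLE_EVENTS is constructed for the demo (the tasklist command line in particular is illustrative, not the actor's actual command).

```python
"""Run the five hunting hypotheses above against Sysmon-style event dicts."""
import re

# Where Edge legitimately keeps extensions; --load-extension anywhere else is suspect.
STANDARD_EXT_DIRS = (
    r"\appdata\local\microsoft\edge\user data\default\extensions",
    r"\program files (x86)\microsoft\edge\application",
)
# Services the report names for staging/exfil; subdomains are matched below.
EXFIL_DOMAINS = ("limewire.com", "herokuapp.com")
# Assumed tier-0 hostnames (placeholders, not from the report).
CRITICAL_HOSTS = {"DC01", "DC02", "BACKUP01"}
LOAD_EXT = re.compile(r'--load-extension[=\s]+(?:"([^"]+)"|(\S+))')


def _image_is(ev, exe):
    return ev.get("Image", "").lower().endswith("\\" + exe)


def headless_edge_sideloaded_extension(ev):
    """Persistence: msedge.exe --headless with --load-extension outside standard dirs."""
    if ev.get("EventID") != 1 or not _image_is(ev, "msedge.exe"):
        return False
    cmd = ev.get("CommandLine", "").lower()
    m = LOAD_EXT.search(cmd)
    if "--headless" not in cmd or m is None:
        return False
    path = m.group(1) or m.group(2)
    return not any(d in path for d in STANDARD_EXT_DIRS)


def taskkill_keyed_on_dll(ev):
    """Defense evasion: a tasklist/taskkill chain that names CoreUIComponents.dll."""
    if ev.get("EventID") != 1:
        return False
    cmd = ev.get("CommandLine", "").lower()
    return "coreuicomponents.dll" in cmd and ("tasklist" in cmd or "taskkill" in cmd)


def ftk_imager_collection(ev):
    """Collection: FTK Imager running (Sysmon 1) or writing under a Downloads dir (Sysmon 11)."""
    if not _image_is(ev, "ftkimager.exe"):
        return False
    if ev.get("EventID") == 11:
        return "\\downloads\\" in ev.get("TargetFilename", "").lower()
    return ev.get("EventID") == 1


def taskmgr_lsass_dump(ev):
    """Credential access: taskmgr.exe opening lsass.exe (Sysmon 10) or writing an lsass .dmp (Sysmon 11)."""
    if not _image_is(ev, "taskmgr.exe"):
        return False
    if ev.get("EventID") == 10:
        return ev.get("TargetImage", "").lower().endswith("\\lsass.exe")
    if ev.get("EventID") == 11:
        name = ev.get("TargetFilename", "").lower()
        return "lsass" in name and name.endswith(".dmp")
    return False


def critical_host_to_exfil_service(ev):
    """Exfiltration: a tier-0 host connecting to LimeWire or a Heroku app domain."""
    if ev.get("EventID") != 3 or ev.get("Computer") not in CRITICAL_HOSTS:
        return False
    host = ev.get("DestinationHostname", "").lower()
    return any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)


RULES = (
    ("headless_edge_sideloaded_extension", "Persistence", headless_edge_sideloaded_extension),
    ("taskkill_keyed_on_dll", "Defense Evasion", taskkill_keyed_on_dll),
    ("ftk_imager_collection", "Collection", ftk_imager_collection),
    ("taskmgr_lsass_dump", "Credential Access", taskmgr_lsass_dump),
    ("critical_host_to_exfil_service", "Exfiltration", critical_host_to_exfil_service),
)


def hunt(events):
    """Evaluate every rule on every event; escalate severity on tier-0 hosts."""
    findings = []
    for ev in events:
        for name, stage, rule in RULES:
            if rule(ev):
                sev = "high" if ev.get("Computer") in CRITICAL_HOSTS else "medium"
                findings.append({"rule": name, "stage": stage, "host": ev.get("Computer"), "severity": sev})
    return findings


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 1, "Computer": "WS01", "Image": EDGE, "CommandLine": '"' + EDGE
     + '" --headless --load-extension="C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\Extension Data\\SysEvents"'},
    {"EventID": 1, "Computer": "WS01", "Image": EDGE, "CommandLine": '"' + EDGE + '" --profile-directory=Default'},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c tasklist /m CoreUIComponents.dll | findstr msedge.exe"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /f /im notepad.exe"},
    {"EventID": 11, "Computer": "DC01", "Image": r"C:\Tools\ftkimager.exe", "TargetFilename": r"C:\Users\admin\Downloads\ntds.dit"},
    {"EventID": 10, "Computer": "DC01", "Image": r"C:\Windows\System32\taskmgr.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 3, "Computer": "BACKUP01", "DestinationHostname": "limewire.com"},
    {"EventID": 3, "Computer": "DC01", "DestinationHostname": "example-app.herokuapp.com"},
    {"EventID": 3, "Computer": "WS01", "DestinationHostname": "example-app.herokuapp.com"},  # workstation: not flagged
]
```

Running `hunt(SAMPLE_EVENTS)` yields six findings: the two workstation hits (headless Edge, DLL-keyed tasklist) at medium severity and the four tier-0 hits (FTK Imager write, Task Manager on LSASS, LimeWire and Heroku egress) at high. The last sample event shows the deliberate scoping of the exfiltration rule to critical hosts, which is what keeps its FP risk low.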

Control Gaps

  • Lack of strict browser extension whitelisting
  • Permissive outbound access to cloud storage (AWS S3) and P2P networks (LimeWire) from critical servers

Key Behavioral Indicators

  • Headless Edge execution with custom extension paths
  • Taskkill commands filtering by loaded DLLs
  • FTK Imager execution on Domain Controllers
  • Python scripts listening on local ports 8000-8002

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known malicious AWS S3 and Heroku URLs/domains.
  • Search for and remove the 'SysEvents' Edge extension from user profiles.
  • Hunt for scheduled tasks executing headless Edge or terminating Edge based on DLLs.
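Two of the steps above, the scheduled-task hunt and the SysEvents extension search, as an added example that is not code from the GTIG/Mandiant report. It reads task definitions in the XML that `schtasks /query /xml /tn <name>` exports and flags Exec actions that launch headless Edge with --load-extension or run a tasklist/taskkill chain keyed on CoreUIComponents.dll; it then walks a user profile for an `Extension Data\SysEvents` directory and hashes its files against the SNOWBELT SHA-256 IOCs listed on this page. The task XML, task names and the profile tree in `demo()` are constructed for the demo, and the file content written there is a placeholder, not the real service worker, so it will not match an IOC hash.

```python
"""Scheduled-task and extension-directory triage for the SNOWBELT persistence chain."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# SHA-256 IOCs from the Additional IOCs section of this page.
SNOWBELT_HASHES = {
    "ca390b86793922555c84abc3b34406da2899382c617f9dcf83a74ac09dd18190": "dream.js",
    "6e6dab993f99505646051d2772701e3c4740096ff9be63c92713bcb7fcddf9f7": "dream.html",
    "de200b79ad2bd9db37baeba5e4d183498d450494c71c8929433681e848c3807f": "helper.html",
}


def suspicious_task_actions(task_xml):
    """Reasons a task's <Exec> actions match the UNC6692 persistence/cleanup pattern."""
    root = ET.fromstring(task_xml)
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").lower()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").lower()
        line = cmd + " " + args
        if "msedge" in cmd and "--headless" in args and "--load-extension" in args:
            reasons.append("headless Edge with --load-extension")
        if "coreuicomponents.dll" in line and ("tasklist" in line or "taskkill" in line):
            reasons.append("tasklist/taskkill keyed on CoreUIComponents.dll")
    return reasons


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_profile(profile_root):
    """Locate Extension Data/SysEvents dirs under a profile and hash their files against the IOCs."""
    marker = os.path.join("extension data", "sysevents")
    result = {"sysevents_dirs": [], "ioc_hits": {}}
    for dirpath, _, files in os.walk(profile_root):
        if not dirpath.lower().endswith(marker):
            continue
        result["sysevents_dirs"].append(dirpath)  # the directory name alone is an indicator
        for name in files:
            p = os.path.join(dirpath, name)
            known = SNOWBELT_HASHES.get(sha256_of(p))
            if known:
                result["ioc_hits"][p] = known
    return result


# Constructed task definitions in the Task Scheduler XML schema (not real exports).
EDGE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe</Command>
    <Arguments>--headless --load-extension="C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\Extension Data\\SysEvents"</Arguments>
  </Exec></Actions>
</Task>"""
CLEANUP_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>cmd.exe</Command>
    <Arguments>/c tasklist /m CoreUIComponents.dll | findstr msedge.exe</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>%SystemRoot%\\system32\\cleanmgr.exe</Command><Arguments>/autoclean</Arguments>
  </Exec></Actions>
</Task>"""


def demo():
    """Build a throwaway profile tree containing a SysEvents directory and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = os.path.join(tmp, "AppData", "Local", "Microsoft", "Edge", "Extension Data", "SysEvents")
        os.makedirs(ext)
        with open(os.path.join(ext, "background.js"), "w") as f:
            f.write("// constructed placeholder, not the SNOWBELT service worker\n")
        probe = os.path.join(tmp, "abc.txt")  # known-answer check for the hasher
        with open(probe, "wb") as f:
            f.write(b"abc")
        scan = scan_profile(tmp)
        probe_digest = sha256_of(probe)
    return {
        "edge_task": suspicious_task_actions(EDGE_TASK_XML),
        "cleanup_task": suspicious_task_actions(CLEANUP_TASK_XML),
        "benign_task": suspicious_task_actions(BENIGN_TASK_XML),
        "sysevents_dirs_found": len(scan["sysevents_dirs"]),
        "ioc_hits": scan["ioc_hits"],
        "sha256_abc": probe_digest,
    }
```

On a live host, feed `suspicious_task_actions` the output of `schtasks /query /xml` for each task (the export is UTF-16, so decode it before parsing) and point `scan_profile` at each `C:\Users\<user>` directory. A SysEvents directory is worth pulling even when no file matches the listed hashes, since the resources may have been updated since the report.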

Infrastructure Hardening

  • Restrict outbound network access from Domain Controllers and backup servers to the internet.
  • Implement application control to block unauthorized tools like FTK Imager and LimeWire.
  • Enforce browser extension whitelisting via Group Policy.

User Protection

  • Restrict external communication in Microsoft Teams to trusted organizations only.
  • Enable LSASS protections on Windows hosts (LSA Protection/RunAsPPL, plus Credential Guard) alongside EDR alerting on LSASS handle access. Note that these are Windows features rather than EDR settings: RunAsPPL is what blocks the Task Manager dump described above, while Credential Guard limits what a successful dump yields.

Security Awareness

  • Train employees to recognize social engineering tactics via Microsoft Teams and email bombing.
  • Educate helpdesk staff on verification procedures to prevent impersonation.

MITRE ATT&CK Mapping

  • T1566.002 - Spearphishing Link
  • T1566.003 - Spearphishing via Service (Microsoft Teams)
  • T1053.005 - Scheduled Task
  • T1059.010 - AutoHotKey & AutoIT
  • T1176.001 - Browser Extensions
  • T1547.001 - Registry Run Keys / Startup Folder
  • T1003.001 - LSASS Memory
  • T1003.003 - NTDS
  • T1021.001 - Remote Desktop Protocol
  • T1021.002 - SMB/Windows Admin Shares (PsExec)
  • T1560.001 - Archive via Utility
  • T1567.002 - Exfiltration to Cloud Storage
  • T1572 - Protocol Tunneling

Additional IOCs

  • Domains:
    • service-page-11369-28315-outlook[.]s3[.]us-west-2[.]amazonaws[.]com - Amazon S3 bucket hostname for a URL used to upload a text file.
    • service-page-18968-2419-outlook[.]s3[.]us-west-2[.]amazonaws[.]com - Attacker-controlled Amazon S3 bucket used for credential exfiltration.
  • File Hashes:
    • ca390b86793922555c84abc3b34406da2899382c617f9dcf83a74ac09dd18190 (SHA256) - SNOWBELT JS resource (dream.js)
    • 6e6dab993f99505646051d2772701e3c4740096ff9be63c92713bcb7fcddf9f7 (SHA256) - SNOWBELT HTML resource (dream.html)
    • de200b79ad2bd9db37baeba5e4d183498d450494c71c8929433681e848c3807f (SHA256) - SNOWBELT HTML resource (helper.html)
  • File Paths:
    • C:\ProgramData\log - Directory used to store SNOWGLAZE and SNOWBASIN payloads.
    • C:\Users\<user>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\background.js - Path to SNOWBELT Service worker.
    • C:\Users\<user>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\dream.js - Path to SNOWBELT JS resource.
    • C:\Users\<user>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\dream.html - Path to SNOWBELT HTML resource.
    • C:\Users\<user>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\helper.html - Path to SNOWBELT HTML resource.
  • Command Lines:
    • Purpose: Launch headless Microsoft Edge to load the SNOWBELT malicious extension. | Tools: msedge.exe | Stage: Persistence
    • Purpose: Identify and terminate Microsoft Edge processes that do not have CoreUIComponents.dll loaded to clean up headless executions. | Tools: cmd.exe, tasklist.exe, findstr.exe, taskkill.exe | Stage: Defense Evasion