Google Threat Intelligence Group identified UNC6692, a threat actor utilizing Microsoft Teams phishing and email bombing to deploy a custom modular malware suite. The attack chain leverages a malicious Chromium extension (SNOWBELT), a Python tunneler (SNOWGLAZE), and a Python bindshell (SNOWBASIN) to establish persistence, move laterally, and exfiltrate sensitive Active Directory data via legitimate cloud services.