Threat Actor Uses Microsoft Teams to Deploy New Snow Malware Suite


What happened

Google’s Mandiant researchers have documented a campaign by a threat group tracked as UNC6692 that uses Microsoft Teams impersonation to deliver a custom malware suite called Snow, designed for credential theft, lateral movement, and full domain takeover.

The attack begins with email bombing, flooding a target’s inbox to create urgency, followed by a Microsoft Teams message from an attacker posing as an IT helpdesk agent. The victim is directed to click a link to install a patch that will stop the email spam. Instead, a dropper executes AutoHotkey scripts that load SnowBelt, a malicious Chrome extension that runs on a headless Microsoft Edge instance, invisible to the victim. Scheduled tasks and a startup folder shortcut are created for persistence.

SnowBelt acts as both a persistence mechanism and a relay for commands sent to SnowBasin, a Python-based backdoor that runs a local HTTP server and executes attacker-supplied CMD or PowerShell commands. Communications between the infected host and command-and-control infrastructure are masked by SnowGlaze, a tunneler that establishes a WebSocket tunnel and facilitates SOCKS proxy operations to route arbitrary TCP traffic through the compromised host.

Post-compromise, the attackers conduct internal reconnaissance scanning for SMB and RDP services, dump LSASS memory to extract credentials, and use pass-the-hash techniques to move laterally toward domain controllers. At the final stage, FTK Imager is deployed to extract the Active Directory database along with SYSTEM, SAM, and SECURITY registry hives, which are exfiltrated using LimeWire, giving the attackers access to credential material across the entire domain.

Mandiant has published extensive indicators of compromise and YARA rules to support detection of the Snow toolset.

Who is affected

Any organization using Microsoft Teams for internal IT support communications is a potential target, given that the attack specifically impersonates helpdesk agents through the platform. The campaign’s end goal of Active Directory database extraction means the downstream exposure extends to every user and system in the compromised domain.

Why CISOs should care

This campaign is a textbook example of how social engineering (here, a believable helpdesk impersonation over a trusted internal platform) can be the entry point to a full domain compromise. The email bombing tactic is deliberate: it creates genuine distress that makes the victim more likely to accept unsolicited help from someone claiming to be IT. By the time SnowBasin is running and LSASS is being dumped, the attacker has effectively owned the domain through a chain that started with a Teams message.

Microsoft itself has flagged the growing use of Teams for helpdesk impersonation attacks. For organizations that have not locked down who can initiate external Teams communications, the attack surface is broad.

3 practical actions

  1. Restrict external Microsoft Teams messaging and audit guest access policies: UNC6692 initiates contact through Teams from external accounts. Review your Teams configuration to restrict or disable inbound messages from external and unverified accounts, and ensure employees know that legitimate IT helpdesk contact does not originate from unknown external Teams users.
  2. Implement alerting on LSASS memory access and AD database extraction attempts: The late-stage attack chain involves LSASS dumps, pass-the-hash lateral movement, and FTK Imager deployment. Each of these actions has detectable signatures. Confirm that your endpoint detection and response tooling alerts on LSASS access by unauthorized processes and on forensic imaging tools running outside of approved windows.
  3. Brief employees on email bombing as a social engineering precursor: The attack depends on victims being distressed by a flooded inbox and receptive to unsolicited IT assistance. Training employees to recognize email bombing as a potential attack setup and to verify IT contact through a known internal channel before granting any remote access breaks the chain at the earliest stage.
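The second action above (alerting on LSASS access and on forensic imaging tools run outside approved windows) is the kind of thing a detection engineer turns into concrete rules. The following is an added example, not code from Mandiant or from the Snow write-up: it runs three rules over a handful of constructed Sysmon-style events (ProcessAccess, Event ID 10, and ProcessCreate, Event ID 1) and returns the findings. The field names follow Sysmon's schema, but the allowlist of processes permitted to open lsass.exe, the approved imaging window, the tool names and the headless-Edge command-line indicators (`--headless`, `--load-extension`, which are standard Chromium flags) are assumptions to tune for your own environment, and the sample events are made up.

```python
"""Detection rules for late-stage Snow-style activity (added example, constructed data).

Rules:
  1. lsass.exe opened with memory-read rights by a process outside an allowlist
  2. a forensic imaging tool (FTK Imager) launched outside the approved window
  3. Microsoft Edge started headless with a side-loaded extension
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable, List, Optional

# Assumption: processes that legitimately open lsass.exe on a typical endpoint.
# Tune to your own AV/EDR stack; anything else touching LSASS memory is suspect.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Sysmon GrantedAccess bits: PROCESS_VM_READ is what a memory dump needs;
# PROCESS_ALL_ACCESS is the blunt "give me everything" mask.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumption: imaging tools are only approved between 01:00 and 05:00 UTC.
IMAGING_WINDOW = (time(1, 0), time(5, 0))
IMAGING_TOOLS = {"ftk imager.exe", "ftkimager.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_lsass_access(ev: dict) -> Optional[Finding]:
    """Event ID 10: handle to lsass.exe with read rights from a non-allowlisted image."""
    if ev.get("EventID") != 10 or _basename(ev["TargetImage"]) != "lsass.exe":
        return None
    granted = int(ev["GrantedAccess"], 16)
    wants_memory = bool(granted & PROCESS_VM_READ) or granted == PROCESS_ALL_ACCESS
    if wants_memory and ev["SourceImage"].lower() not in LSASS_ACCESS_ALLOWLIST:
        return Finding("lsass_access_unauthorized", ev["Computer"],
                       f"{ev['SourceImage']} GrantedAccess={ev['GrantedAccess']}")
    return None


def detect_imaging_tool(ev: dict) -> Optional[Finding]:
    """Event ID 1: forensic imaging tool started outside the approved window."""
    if ev.get("EventID") != 1 or _basename(ev["Image"]) not in IMAGING_TOOLS:
        return None
    started = datetime.fromisoformat(ev["UtcTime"]).time()
    start, end = IMAGING_WINDOW
    if start <= started <= end:
        return None
    return Finding("imaging_tool_outside_window", ev["Computer"],
                   f"{ev['Image']} at {ev['UtcTime']}")


def detect_headless_edge_extension(ev: dict) -> Optional[Finding]:
    """Event ID 1: Edge launched headless with a side-loaded extension (assumed indicator)."""
    if ev.get("EventID") != 1 or _basename(ev["Image"]) != "msedge.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    if "--headless" in cmd and "--load-extension" in cmd:
        return Finding("headless_edge_sideloaded_extension", ev["Computer"], ev["CommandLine"])
    return None


RULES = (detect_lsass_access, detect_imaging_tool, detect_headless_edge_extension)


def run_rules(events: Iterable[dict]) -> List[Finding]:
    """Apply every rule to every event; return all findings in event order."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (not real events): one benign and one suspicious
# LSASS access, one in-window and one out-of-window FTK Imager launch, one headless Edge.
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\python.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Computer": "DC01", "Image": r"C:\Tools\FTK Imager.exe",
     "CommandLine": r"C:\Tools\FTK Imager.exe", "UtcTime": "2024-01-01 14:22:05"},
    {"EventID": 1, "Computer": "DC01", "Image": r"C:\Tools\FTK Imager.exe",
     "CommandLine": r"C:\Tools\FTK Imager.exe", "UtcTime": "2024-01-01 02:10:00"},
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'msedge.exe --headless --load-extension="C:\Users\alice\AppData\Roaming\ext"',
     "UtcTime": "2024-01-01 14:20:00"},
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed events it reports three findings: the Temp-directory python.exe reading LSASS (the benign svchost.exe access is allowlisted), the daytime FTK Imager launch (the 02:10 one falls inside the window), and the headless Edge with a side-loaded extension. In a real deployment the allowlist is the part that needs the most care; it should be built from a baseline of your own fleet rather than copied from this snippet.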
