Threat Intelligence

Snow Malware: Teams Exploited for Deep Network Compromise

Forget phishing emails. The latest cyber threat actors are getting cozy, using Microsoft Teams and social engineering to trick their way deep inside corporate networks. This isn't just about malware; it's about a calculated, multi-stage infiltration.

Figure: an abstract representation of digital data streams flowing through a network, with a snowflake icon superimposed, symbolizing the 'Snow' malware.

Key Takeaways

  • Threat actors are increasingly weaponizing collaboration tools like Microsoft Teams for sophisticated attacks.
  • The 'Snow' malware employs a multi-stage approach for deep network compromise, including credential theft and domain takeover.
  • Attackers are using social engineering and disguised malicious links to trick users into installing malware.
  • The use of older file-sharing tools like LimeWire for exfiltration highlights creative attacker methods.

Here’s the thing about the latest cybersecurity scare: it’s not a zero-day so obscure only nation-states can wield it. No, this latest malware suite, dubbed “Snow” by Google’s Mandiant researchers, is leveraging something far more ubiquitous and, frankly, terrifyingly mundane: Microsoft Teams.

And that’s where we hit our first, truly chilling data point: 285 million users currently have active Microsoft Teams accounts. That’s 285 million potential entry vectors for attackers who’ve figured out how to game the system.

A New Kind of Social Engineering

The attackers, tracked as UNC6692, aren’t just sending out generic spam. They’re employing “email bombing” to create a false sense of urgency, immediately followed by direct contact via Microsoft Teams. Imagine this: your inbox is flooded with junk, then suddenly, a message pops up from someone claiming to be IT support, offering a solution. It’s a classic bait-and-switch, but supercharged for the modern digital workplace.

This tactic isn’t new in theory; tricking users into granting remote access is old hat. Microsoft itself has flagged the rise of attackers using tools like Quick Assist. But UNC6692’s execution is particularly insidious. They prompt victims to click a link to install a supposed spam-blocking patch. Instead? A dropper. This dropper kicks off AutoHotkey scripts that load “SnowBelt,” a malicious Chrome extension. This extension, operating in the background on a headless Edge instance, is designed to be invisible to the user. Stealth is key here.

Building the Snow Fort: Persistence and Evasion

SnowBelt is just the initial foothold, acting as a persistence mechanism and a relay. The real heavy lifting is done by a Python-based backdoor named SnowBasin, with communications orchestrated through a tunneler called SnowGlaze. This trio is designed for one thing: deep network compromise. SnowGlaze establishes a WebSocket tunnel, masking communications between the infected host and the attacker’s command-and-control (C2) infrastructure. It also acts as a SOCKS proxy, allowing attackers to route arbitrary TCP traffic through your compromised machine so that it blends in with legitimate network activity.

“SnowGlaze also facilitates SOCKS proxy operations, allowing arbitrary TCP traffic to be routed through the infected host.”

This isn’t just about exfiltrating data; it’s about establishing a persistent, hard-to-detect presence. The malware supports a full suite of post-compromise capabilities: remote shell access, data exfiltration, file downloads, screenshots, and even basic file management. And when the job is done, or if detected, the attacker can issue a self-termination command. Clean exit strategy. Impressive, if you ignore the part where they’re actively trying to steal your company’s crown jewels.

Beyond the Entry: Domain Takeover

Once UNC6692 is inside, they don’t mess around. They perform internal reconnaissance, scanning for services like SMB and RDP. This is where the lateral movement begins, seeking out additional targets within the network. Credential theft is paramount; they dump LSASS memory to extract sensitive login information and then use pass-the-hash techniques to authenticate to other hosts. The ultimate goal? Domain controllers. Gaining control of domain controllers is akin to owning the keys to the kingdom.

And the final act? Deploying FTK Imager to extract the Active Directory database, along with critical registry hives (SYSTEM, SAM, SECURITY). These aren’t small files. They’re the heart of your identity and access management. Then, they exfiltrate this treasure trove using LimeWire – yes, that old, nostalgic file-sharing tool, now weaponized for data theft. It’s a stark reminder that old tools can find new, nefarious purposes.
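As an added illustration (not from the Mandiant report or Bleeping Computer's coverage), a minimal rule set over constructed process-creation events that would surface the two ends of the chain described above: the AutoHotkey-launched headless Edge instance sideloading an extension, and FTK Imager or LimeWire running on a domain controller. The regexes, host roles, file paths and sample events are assumptions made for the example, not published indicators.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    host: str
    role: str      # "workstation" or "dc" (domain controller)
    parent: str    # parent process image name
    image: str     # created process image name
    cmdline: str

# (rule name, host-role regex, parent regex, image regex, command-line regex).
# Patterns are assumptions about how the reported behaviour would surface in
# process-creation telemetry; they are not published indicators.
RULES = [
    ("ahk_script_launches_browser",
     r".*", r"autohotkey", r"(msedge|chrome)\.exe$", r".*"),
    ("headless_browser_sideloads_extension",
     r".*", r".*", r"(msedge|chrome)\.exe$",
     r"(?=.*--headless)(?=.*--load-extension)"),
    ("forensic_imager_on_domain_controller",
     r"^dc$", r".*", r"ftk\s?imager", r".*"),
    ("p2p_filesharing_client_on_domain_controller",
     r"^dc$", r".*", r"limewire", r".*"),
]

def _hit(pattern: str, value: str) -> bool:
    return re.search(pattern, value, re.IGNORECASE) is not None

def evaluate(events: list) -> list:
    """Return (host, rule name, image) for every event that matches a rule."""
    alerts = []
    for e in events:
        for name, role_re, parent_re, image_re, cmd_re in RULES:
            if (_hit(role_re, e.role) and _hit(parent_re, e.parent)
                    and _hit(image_re, e.image) and _hit(cmd_re, e.cmdline)):
                alerts.append((e.host, name, e.image))
    return alerts

# Constructed sample telemetry: one benign browser launch, the AutoHotkey-to-
# headless-Edge stage, and two domain-controller events from the final stage.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "workstation", "explorer.exe", "msedge.exe",
              "msedge.exe --profile-directory=Default"),
    ProcEvent("WS01", "workstation", "AutoHotkey.exe", "msedge.exe",
              "msedge.exe --headless --load-extension=C:\\Temp\\ext"),
    ProcEvent("DC01", "dc", "explorer.exe", "FTK Imager.exe", "\"FTK Imager.exe\""),
    ProcEvent("DC01", "dc", "explorer.exe", "LimeWire.exe", "LimeWire.exe"),
]
```

Running `evaluate(SAMPLE_EVENTS)` yields four alerts, two from the workstation event and two from the domain controller, while the benign Edge launch produces none.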

The Larger Market Dynamic

What makes this particular attack so significant isn’t just the technical sophistication, which is considerable, but the strategic shift it represents. Attackers are moving away from mass, indiscriminate attacks and toward highly targeted, socially engineered intrusions that mimic legitimate internal processes. The reliance on tools that are already part of a company’s IT stack—like Microsoft Teams and even everyday file-sharing methods—means these attacks are harder to detect with traditional perimeter defenses.

This isn’t an isolated incident; it’s a canary in the coal mine for a broader trend. Organizations that haven’t prioritized strong endpoint detection and response, coupled with continuous security awareness training that goes beyond just spotting phishing emails, are exceptionally vulnerable. The fact that the attackers are using Teams, a tool designed for collaboration and productivity, to orchestrate their attacks is a bitter irony that highlights the blurred lines between trusted internal communication and external threat vectors.

Is This the Future of Malware Deployment?

If there’s one unique insight here, it’s this: the most dangerous attacks are often the ones that blend in. The attackers aren’t trying to break down the door; they’re posing as the locksmith. The market for sophisticated, stealthy malware is booming, and UNC6692’s “Snow” suite is a prime example of how attackers are adapting to increasingly hardened digital perimeters by exploiting the human element and the very tools we rely on every day. This trend is likely to continue, forcing organizations to re-evaluate not just their firewalls, but their internal communication policies and user training protocols.

Frequently Asked Questions

What does the ‘Snow’ malware suite do? ‘Snow’ is a custom malware suite used by threat actors to steal sensitive data and achieve deep network compromise through credential theft and domain takeover. It includes components for browser extension installation, network tunneling, and backdoor functionality.

How do attackers use Microsoft Teams with this malware? Attackers use social engineering tactics, including ‘email bombing,’ to create urgency, then contact targets directly via Microsoft Teams, impersonating IT helpdesk agents to trick users into installing malicious software.

Will this malware affect my personal computer? While the reported targets are organizational networks, the underlying techniques could be adapted for broader attacks. The current reported use, however, focuses on corporate environments: the ‘Snow’ suite relies on a malicious browser extension and network tunneling, and its goal is access to sensitive organizational data.

Written by
Threat Digest Editorial Team

Curated insights, explainers, and analysis from the editorial team.

Originally reported by Bleeping Computer