HackMyIP
2026-04-27 Dark Reading

UNC6692 APT Deploys Snow Malware via Microsoft Teams, AWS S3

APT, Malware, Cloud Security

Cybersecurity researchers have identified a sophisticated campaign by the threat actor UNC6692, which combines social engineering, custom malware, and cloud infrastructure abuse in a multipronged attack. This advanced persistent threat (APT) group demonstrates the evolving tactics of state-affiliated actors in targeting enterprise networks through unconventional pathways.

The initial compromise leverages Microsoft Teams as a social engineering platform, where UNC6692 sends targeted messages to employees, tricking them into downloading malicious payloads. The threat actor then abuses AWS S3 buckets to host command-and-control infrastructure, utilizing legitimate cloud services to mask malicious traffic and evade detection. This technique allows the attackers to blend their operations with normal cloud traffic.

The custom malware, dubbed "Snow," is a fully-featured remote access trojan (RAT) capable of keylogging, screen capturing, and data exfiltration. Security analysts note that Snow exhibits advanced evasion techniques, including anti-virtualization checks and encrypted communication channels. The malware maintains persistence through scheduled tasks and registry modifications, ensuring long-term access to compromised systems.

Organizations are advised to implement strict controls on Microsoft Teams external communications, monitor AWS S3 bucket access patterns, and deploy advanced endpoint detection solutions capable of identifying novel malware variants. Threat intelligence teams should prioritize indicators of compromise associated with UNC6692 and ensure security awareness training addresses social engineering via collaboration platforms.
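One way to act on the advice to monitor S3 access patterns, as an added example that is not from the original article or the researchers it cites: flag endpoints that reach S3 buckets outside an approved list, and mark pairs whose request timing is regular enough to look automated. The proxy log format, the allowlist, the host and bucket names, and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Assumption: buckets the organization owns or has approved.
ALLOWED_BUCKETS = {"corp-backups", "corp-static-assets"}

# Path style: s3.<region>.amazonaws.com/<bucket>/<key>
PATH_HOST = re.compile(r"^s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com$")
# Virtual-hosted style: <bucket>.s3.<region>.amazonaws.com
VHOST = re.compile(r"^(?P<bucket>.+)\.s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com$")

# Constructed proxy log: "<ISO timestamp> <client> <method> <url>"
SAMPLE_LOG = [
    "2026-04-20T09:00:00 WS-114 GET https://example-unknown-bucket.s3.us-east-1.amazonaws.com/t",
    "2026-04-20T09:02:10 WS-020 PUT https://corp-backups.s3.amazonaws.com/db.bak",
    "2026-04-20T09:05:01 WS-114 GET https://example-unknown-bucket.s3.us-east-1.amazonaws.com/t",
    "2026-04-20T09:07:30 WS-077 GET https://s3.eu-west-1.amazonaws.com/vendor-drop/file.zip",
    "2026-04-20T09:10:00 WS-114 GET https://example-unknown-bucket.s3.us-east-1.amazonaws.com/t",
    "2026-04-20T09:15:02 WS-114 GET https://example-unknown-bucket.s3.us-east-1.amazonaws.com/t",
]

def bucket_from_url(url):
    """Return the S3 bucket a URL addresses, or None if it is not S3."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if PATH_HOST.match(host):
        return parts.path.lstrip("/").split("/", 1)[0] or None
    m = VHOST.match(host)
    return m.group("bucket") if m else None

def findings(log_lines, min_hits=4, max_cv=0.1):
    """Label each (client, unapproved bucket) pair. A low coefficient of
    variation across request gaps means machine-like, beacon-style timing."""
    seen = defaultdict(list)
    for line in log_lines:
        ts, client, _method, url = line.split()
        bucket = bucket_from_url(url)
        if bucket and bucket not in ALLOWED_BUCKETS:
            seen[(client, bucket)].append(datetime.fromisoformat(ts))
    out = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = (len(times) >= min_hits and mean(gaps) > 0
                   and pstdev(gaps) / mean(gaps) <= max_cv)
        out[key] = "beacon-like" if regular else "unapproved-bucket"
    return out
```

Calling `findings(SAMPLE_LOG)` returns a label per client and bucket pair; in practice the allowlist would come from the organization's own AWS account inventory, and the thresholds need tuning against normal traffic.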

Source: Dark Reading
