2026-04-23 The Hacker News

UNC6692 Spoofs IT Help Desk via Microsoft Teams to Deploy SNOW Malware

Tags: Malware, Phishing, APT

The previously undocumented threat cluster UNC6692 has been observed running a social‑engineering campaign that masquerades as an internal IT help desk on Microsoft Teams. The actors message employees on Teams from accounts carrying a convincing “IT Support” display name and prompt the recipient to click a link or open an attached file to resolve a fictitious issue. The lures are short messages referencing a “password reset” or “VPN configuration update” and direct victims to a hosted .zip archive. When the victim extracts the archive and opens the JavaScript file inside it (on a default Windows install a .js file launches under Windows Script Host), the dropper runs and installs the custom SNOW malware suite on the host.

SNOW is a modular malware family that UNC6692 uses for post‑exploitation. Its core component is a lightweight backdoor that beacons over HTTPS to Microsoft Teams infrastructure with requests shaped to look like legitimate Teams API traffic, so the collaboration platform itself serves as the command‑and‑control (C2) channel. Because the traffic terminates at legitimate Microsoft domains, domain‑ or IP‑based blocking does not apply; detection has to rest on the shape, size and cadence of the requests. The backdoor is accompanied by a credential‑harvesting module that extracts NTLM hashes and Kerberos tickets from memory, a keylogger that writes keystrokes to an encrypted local log, and a data‑exfiltration module that packages stolen documents and sends them as Base64‑encoded payloads to the same C2 endpoint. All network communications are XOR‑encoded with a per‑victim key to hinder detection, and the malware persists by creating a scheduled task named “SnowUpdate” that relaunches the backdoor every hour.

Detection of UNC6692 activity relies on monitoring Teams messages from external domains, especially those that link to or attach .zip archives containing .js files, and correlating those events with endpoint telemetry. Security teams have published YARA rules that match the SNOW dropper’s string patterns (e.g., “SnowUpdate”, “XORKey”) and network signatures that flag Teams API calls carrying payloads larger than a typical chat message. String‑based rules of this kind are brittle: the task name and key label are trivial for the operator to change, so they should be treated as a hunt starting point rather than the primary control. In recent incident response engagements, EDR platforms that flag newly created scheduled tasks with non‑standard names, or tasks whose action runs from %APPDATA%, have caught the SNOW backdoor before it established its C2 channel; on Windows the same signal is available from Security event 4698 (scheduled task created) when object‑access auditing is enabled. Log analytics that detect repeated HTTPS POSTs to teams.microsoft.com with Base64‑encoded bodies also provide an effective early‑warning signal, with the caveat that the body is only visible behind TLS inspection; without it, request size and the hourly cadence are what remain observable.
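The two endpoint and network heuristics above, run over constructed sample logs, as an added example that is not code from the article, from The Hacker News or from any vendor. It assumes a flattened `key=value` log layout for Windows Security event 4698 and for a TLS‑inspecting proxy; both layouts, the host and user names, the IP addresses and the Base64 blob are constructed for the example. The only identifier taken from the article is the “SnowUpdate” task name. It also generalises slightly: besides the reported task name it flags any task whose action binary lives under %APPDATA%, and it checks whether the Teams‑bound POSTs from one host arrive at a fixed interval, which is what an hourly scheduled task produces.

```python
"""Detection heuristics for the SNOW tradecraft described above (example code,
not from the article or any vendor). Log layouts and sample data are constructed."""
import base64
import re
from collections import defaultdict
from datetime import datetime

# Generic 'key=value key=value' record parser; values may contain spaces.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_kv(line):
    """Split a one-line key=value record into a dict (assumed log layout)."""
    return dict(KV.findall(line))

# --- Part 1: scheduled-task creation (Windows Security event 4698) ------------
REPORTED_TASK_NAMES = {"snowupdate"}  # task name the article attributes to SNOW
APPDATA_ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)  # %APPDATA%

# Constructed 4698 events flattened to one line each (field names are assumptions).
TASK_EVENTS = [
    r"4698 host=WS01 user=CORP\jdoe task=\Microsoft\Windows\Defrag\ScheduledDefrag action=C:\Windows\System32\defrag.exe",
    r"4698 host=WS01 user=CORP\jdoe task=\SnowUpdate action=C:\Users\jdoe\AppData\Roaming\update\svc.exe",
    r"4698 host=WS02 user=CORP\asmith task=\OneDrive Standalone Update Task action=C:\Users\asmith\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
    r"4698 host=WS03 user=CORP\bob task=\WinUpdateCheck action=C:\Users\bob\AppData\Roaming\wuc\wuc.exe",
]

def suspicious_tasks(events):
    """Return (host, task, reasons) for 4698 events that use the reported task name
    or whose action binary lives under %APPDATA%. %LOCALAPPDATA% is deliberately
    not matched: per-user installers such as OneDrive legitimately run from there."""
    hits = []
    for line in events:
        if not line.startswith("4698 "):
            continue
        f = parse_kv(line)
        reasons = []
        if f.get("task", "").strip("\\").lower() in REPORTED_TASK_NAMES:
            reasons.append("reported SNOW task name")
        if APPDATA_ROAMING.search(f.get("action", "")):
            reasons.append("action runs from %APPDATA%")
        if reasons:
            hits.append((f["host"], f["task"], reasons))
    return hits

# --- Part 2: Teams-bound POSTs with Base64 bodies (proxy with TLS inspection) ---
B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def looks_base64(body, min_len=1024):
    """True if body is well-formed Base64 of at least min_len chars; a normal chat
    message is a short JSON document and fails both the length and alphabet test."""
    if len(body) < min_len or len(body) % 4 or not B64.fullmatch(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False

def proxy_line(ts, src, body, host="teams.microsoft.com", method="POST"):
    """Build one constructed proxy record (assumed layout)."""
    return f"ts={ts} src={src} method={method} host={host} bytes={len(body)} body={body}"

SAMPLE_BLOB = base64.b64encode(bytes(range(256)) * 12).decode()  # 4096 chars, stand-in for an exfil chunk
PROXY_LOG = [
    proxy_line("2026-04-23T09:00:01Z", "10.1.2.10", '{"content":"hi"}'),   # ordinary chat post
    proxy_line("2026-04-23T09:00:07Z", "10.1.2.10", SAMPLE_BLOB),          # hourly beacons ...
    proxy_line("2026-04-23T10:00:05Z", "10.1.2.10", SAMPLE_BLOB),
    proxy_line("2026-04-23T11:00:02Z", "10.1.2.10", SAMPLE_BLOB),
    proxy_line("2026-04-23T09:15:00Z", "10.1.2.11", SAMPLE_BLOB),          # one large post: below threshold
    proxy_line("2026-04-23T09:16:00Z", "10.1.2.12", "not-base64!!", method="GET"),
]

def beaconing_hosts(lines, min_posts=3, jitter_s=120):
    """Group large Base64 POSTs to Teams by source and report sources with at least
    min_posts of them. 'regular' is True when the gaps between posts agree to within
    jitter_s seconds, the signature of a fixed-interval scheduled task."""
    by_src = defaultdict(list)
    for line in lines:
        f = parse_kv(line)
        if f.get("method") != "POST" or f.get("host") != "teams.microsoft.com":
            continue
        if not looks_base64(f.get("body", "")):
            continue
        by_src[f["src"]].append(datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    report = {}
    for src, times in by_src.items():
        if len(times) < min_posts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[src] = {
            "posts": len(times),
            "interval_s": int(sum(gaps) / len(gaps)),
            "regular": max(gaps) - min(gaps) <= jitter_s,
        }
    return report

if __name__ == "__main__":
    for host, task, why in suspicious_tasks(TASK_EVENTS):
        print(f"[task] {host}: {task} ({', '.join(why)})")
    for src, info in beaconing_hosts(PROXY_LOG).items():
        print(f"[c2?] {src}: {info}")
```

Run as written it reports the two Roaming‑hosted tasks and the one host that posts a large Base64 body to Teams roughly every hour. The thresholds (1024 characters, three posts, two minutes of jitter) are starting points, not tuned values; Teams file uploads and bot integrations can also produce large POSTs, so the cadence check is what separates a scheduled beacon from a user sending attachments.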

Organizations can reduce the risk of UNC6692 impersonation by tightening external‑access settings in Microsoft Teams, such as allowing federation only with an explicit list of verified domains and blocking chat from unmanaged personal accounts, and by enabling Safe Links protection for URLs delivered through Teams. User awareness training that stresses never running unsolicited scripts or opening .zip files received in chat further reduces the chance the initial dropper executes. On the endpoint, application control (allowlisting) and disabling Office macros limit what the dropper can run; since this campaign uses a .js file rather than a document, blocking or re‑associating Windows Script Host (wscript.exe and cscript.exe) for ordinary users addresses the actual delivery path. Scheduled‑task creation cannot be reserved to administrators without breaking normal software, but auditing it (Security event 4698) and alerting on tasks created by non‑privileged accounts limits SNOW’s ability to persist unnoticed. Finally, routing Teams traffic through a proxy that logs all outbound HTTPS to Microsoft Teams domains lets security teams identify and isolate compromised hosts quickly.

Source: The Hacker News
