Threat group UNC6692 uses social engineering tactics, including email bombing and Microsoft Teams helpdesk impersonation, to deploy a sophisticated custom malware suite named "Snow." This suite consists of three primary components: SnowBelt, a malicious browser extension; SnowGlaze, a WebSocket-based tunneler; and SnowBasin, a Python-based backdoor designed for command execution and data exfiltration.
Once persistence is established via headless browser instances and startup shortcuts, the attackers perform internal reconnaissance and lateral movement using pass-the-hash techniques. The end goal is deep network compromise and domain takeover, culminating in the exfiltration of Active Directory databases and registry hives using tools like FTK Imager and LimeWire.
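The persistence mechanism described above (a headless browser instance, launched via a startup shortcut, that hosts a malicious extension) leaves a recognisable shape in process-creation telemetry. The following is an added triage example, not code from the original post or from any vendor report on UNC6692: it scores constructed Sysmon-style process events on a few indicators (a browser binary started with the real Chromium `--headless` switch, an unpacked extension side-loaded with `--load-extension`/`--disable-extensions-except`, and a shell or script-host parent consistent with a logon-time shortcut). Which switches the actor actually uses is not stated on the page and is assumed here; the two-indicator threshold is a tuning choice, because headless browsers alone are routine on developer and CI hosts.

```python
import re
from dataclasses import dataclass

# Browser binaries that can run headless and load an unpacked extension from disk.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Real Chromium command-line switches. Their use by this actor is an assumption
# for the example; the page only says "headless browser instances".
HEADLESS_RE = re.compile(r"(?<![\w-])--headless(?:=\w+)?(?![\w-])", re.I)
EXT_RE = re.compile(r"--(?:load-extension|disable-extensions-except)=", re.I)

# Parents that indicate a non-interactive launch (logon shortcut, script, scheduled task).
SHELL_PARENTS = {"explorer.exe"}
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}

ALERT_THRESHOLD = 2  # headless alone is common on dev/CI boxes; require a second indicator


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / EDR equivalent)."""
    image: str         # full path of the new process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(ev: ProcEvent) -> list[str]:
    """Return the indicators matched by this event, or [] if it stays below threshold."""
    reasons: list[str] = []
    if image_name(ev.image) not in BROWSER_IMAGES:
        return reasons
    if HEADLESS_RE.search(ev.cmdline):
        reasons.append("headless browser")
    if EXT_RE.search(ev.cmdline):
        reasons.append("unpacked extension side-loaded")
    parent = image_name(ev.parent_image)
    if parent in SHELL_PARENTS:
        # A headless browser started by the desktop shell is what a Startup-folder
        # shortcut looks like; interactive users do not launch browsers headless.
        reasons.append("launched by shell (consistent with Startup shortcut)")
    elif parent in SCRIPT_HOST_PARENTS:
        reasons.append("script-host parent")
    return reasons if len(reasons) >= ALERT_THRESHOLD else []


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map the index of every flagged event to the indicators it matched."""
    return {i: r for i, ev in enumerate(events) if (r := assess(ev))}


# Constructed sample telemetry (not real data): one benign interactive launch, one
# persistence-shaped launch, one CI-style headless run, one script-host launch.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              '"chrome.exe" --profile-directory=Default',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"chrome.exe" --headless=new --load-extension=C:\Users\alice\AppData\Roaming\upd\ext',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              '"chrome.exe" --headless --disable-gpu --screenshot https://intranet.example/',
              r"C:\Program Files\nodejs\node.exe"),
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              '"msedge.exe" --headless',
              r"C:\Windows\System32\wscript.exe"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx].image} -> {', '.join(reasons)}")
```

In practice the input would be a query over the EDR's process table rather than an in-memory list; the scoring logic is the part worth keeping. Expect the CI-style event to stay silent at the default threshold, and lower it only on hosts where headless browsers have no legitimate use.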