A recently discovered threat actor has been observed bombarding victims with emails and impersonating IT support to convince them to execute malicious code, Google Threat Intelligence Group (GTIG) reports.
In December 2025, the threat actor, tracked as UNC6692, was seen overwhelming the target with email messages and then contacting the victim via Microsoft Teams, posing as an IT helpdesk employee.
Pretending to provide assistance with the large volume of incoming emails, the attackers tricked the victim into clicking on a URL leading to a phishing page offering a fake mailbox repair utility.
The page checked for an email parameter in the link, checked that the victim’s browser was Microsoft Edge, and presented a panel posing as the repair utility.
When the user clicked a ‘health check’ button on the page, they were shown a fake authentication box meant to harvest and validate the victim’s credentials. A fake progress bar was also displayed to avoid suspicion.
In the background, a script on the page downloaded an AutoHotKey binary and an AutoHotKey script to the system. Upon execution, the payloads infected the system with a JavaScript-based backdoor dubbed Snowbelt, which was deployed as a Chromium browser extension.
To establish persistence for the extension, the code added a shortcut to an AutoHotKey script to the Windows startup and created two scheduled tasks to open a windowless Edge process and load Snowbelt, and to kill headless Edge processes.
Next, the attackers used the malicious extension to download additional payloads, including AutoHotkey scripts, a ZIP archive, the Snowglaze tunnel, and the Snowbasin malware, from an attacker-controlled AWS S3 bucket.
Reconnaissance, lateral movement, and credential harvesting
UNC6692 used Snowglaze to establish a Sysinternals PsExec session to the system and enumerate administrator accounts. Using one of these accounts, it then initiated a Remote Desktop Protocol (RDP) session to a backup server, via the Snowglaze tunnel.
“Though not directly observed, the threat actor may have acquired the local administrator accounts credentials via multiple attack paths such as authenticated Server Message Block (SMB) share enumeration,” GTIG notes.
The threat actor then dumped the LSASS process memory from the backup server and exfiltrated it via LimeWire to extract usernames, passwords, and user account hashes from it.
Next, UNC6692 used Pass-The-Hash to access the network’s domain controller, downloaded FTK Imager to it, used the tool to mount the local storage drive and write the Active Directory database file, Security Account Manager (SAM), System, and Security registry hives to the Downloads folder, and used LimeWire to exfiltrate the data.
The Snow malware
The three main components of the modular ‘Snow’ malware framework used in the attack, Snowbelt, Snowglaze, and Snowbasin, “form a coordinated pipeline that facilitates an attacker’s journey from initial browser-based access to the internal network of the organization,” GTIG says.
Snowbelt intercepts commands and delivers them to Snowbasin for execution, and provides authenticated access to the environment, enabling lateral movement and privilege escalation.
A Python-based tunneler, Snowglaze creates a secure, authenticated WebSocket tunnel to the attackers’ command-and-control (C&C) server, facilitates SOCKS proxy operations, and hides malicious traffic.
Snowbasin is a persistent backdoor functioning as a local HTTP server that supports command execution, screenshot capture, and data harvesting.
“The UNC6692 campaign demonstrates how modern attackers blend social engineering and technical evasion to gain a foothold into environments. […] By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic,” GTIG notes.
Related: Pre-Stuxnet Sabotage Malware ‘Fast16’ Linked to US-Iran Cyber Tensions
Related: New Wiper Malware Targeted Venezuelan Energy Sector Prior to US Intervention
Related: Google Warns of New Campaign Targeting BPOs to Steal Corporate Data
Related: Google: Half of 2025’s 90 Exploited Zero-Days Aimed at Enterprises
