Crime crew impersonates help desk, abuses Microsoft Teams to steal your data
Coming in cold with custom Snow malware
by Jessica Lyons · The Register

A previously unknown threat group using tried-and-tested social engineering tactics - Microsoft Teams chat invitations and helpdesk staff impersonation - is also using custom malware in its data-stealing attacks, according to Google's Threat Intelligence Group.
The threat hunters say they spotted a "large email campaign" in late December 2025. The attack started by spamming target organizations with an overwhelming amount of email traffic. Then someone posing as helpdesk personnel would reach out via Microsoft Teams to offer help with the email volume.
The fake helpdesk worker prompts the user to click a link that supposedly installs a local patch that prevents email spamming. This directs victims to a landing page masquerading as a "Mailbox Repair Utility," complete with a "Health Check" button that, when clicked, prompts users to authenticate with their email address and password, allowing the attackers to nab those credentials.
The credential-harvest script also uses a sneaky "double-entry" psychological trick that auto-rejects the first and second password attempts as incorrect.
"This serves two functions: it reinforces the user's belief that the system is legitimate and performs real-time validation, and it ensures that the attacker captures the password twice, significantly reducing the risk of a typo in the stolen data," according to GTIG.
The phishing page then performs a fake mailbox integrity check, which keeps the victim engaged while credentials and metadata are sent to an attacker-controlled Amazon S3 bucket and staged files continue downloading onto the user's machine.
"By the time the user receives a 'Configuration completed successfully' message, the attacker has secured the credentials and potentially established a persistent foothold on the endpoint using these staged files," the Googlers wrote.
The first stage downloads an AutoHotkey binary and an AutoHotkey script, which immediately starts performing reconnaissance and installs a malicious Chromium browser extension called SnowBelt. (It's not available through the Chrome Web Store - only via social engineering tactics.)
Snow malware
UNC6692 uses the SnowBelt extension to download the rest of its custom "Snow" malware family, along with additional AutoHotkey scripts, and a ZIP archive containing a portable Python executable and the libraries it requires.
The Snow malware, we're told, operates as a modular ecosystem with three primary components: SnowBelt, SnowGlaze, and SnowBasin.
SnowBelt, a JavaScript-based backdoor delivered as a Chromium browser extension, gives the attacker an initial foothold and maintains persistence via the browser's extension registration system. It often hides behind names like "MS Heartbeat" or "System Heartbeat."
SnowGlaze is a Python-based tunneler that runs in both Windows and Linux environments and manages the external communication. It creates an authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) infrastructure, such as a Heroku subdomain.
It also disguises malicious traffic by wrapping data in JSON objects and Base64 encoding it for transfer via WebSockets, which makes it look like legitimate, standard encrypted web traffic.
Finally, SnowBasin is a Python bindshell providing interactive control over the infected system. It serves as a persistent backdoor, operating as a local HTTP server and typically listening on port 8000, allowing remote command execution, screenshot capture, and data staging for exfiltration.
"This component is where active reconnaissance and mission completion occur," the threat hunters noted. "Attacker commands (such as whoami or net user) are sent through the SnowGlaze tunnel, intercepted by the SnowBelt extension, and then proxied to the SnowBasin local server via HTTP POST requests. SnowBasin executes these commands and relays the results back through the same pipeline to the attacker."
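The pipeline described above has two observable seams on the endpoint: a browser process issuing HTTP POST requests to a local listener on port 8000, and a sideloaded extension registered under one of the decoy names GTIG lists. The following triage script is an added example, not code from the article or from GTIG's report; the telemetry records and their field names are constructed here and do not reflect any real EDR schema, and the "no update_url means sideloaded" rule is a heuristic, not a definitive Web Store check.

```python
# Added example: flag the SnowBelt -> SnowBasin hand-off from constructed
# endpoint telemetry. Field names below are assumptions, not a real EDR schema.
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "chromium", "brave.exe"}
DECOY_EXTENSION_NAMES = {"ms heartbeat", "system heartbeat"}  # names from the report
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample records (not captured from a real incident).
NET_EVENTS = [
    {"proc": "chrome.exe", "dst": "127.0.0.1", "port": 8000, "method": "POST", "path": "/"},
    {"proc": "chrome.exe", "dst": "142.250.0.1", "port": 443, "method": "GET", "path": "/"},
    {"proc": "python.exe", "dst": "203.0.113.9", "port": 443, "method": "WS", "path": "/tunnel"},
    {"proc": "msedge.exe", "dst": "127.0.0.1", "port": 8000, "method": "POST", "path": "/exec"},
]
EXTENSIONS = [
    {"host": "ws1", "name": "MS Heartbeat", "update_url": None},
    {"host": "ws1", "name": "uBlock Origin",
     "update_url": "https://clients2.google.com/service/update2/crx"},
]


def flag_local_post(events, port=8000):
    """Return events where a browser process POSTs to a loopback listener on `port`."""
    return [e for e in events
            if e["proc"].lower() in BROWSERS and e["dst"] in LOOPBACK
            and e["port"] == port and e["method"] == "POST"]


def flag_decoy_extensions(extensions):
    """Return extensions using a known decoy name that lack a Web Store update_url
    (heuristic for a sideloaded/unpacked extension)."""
    return [x for x in extensions
            if x["name"].lower() in DECOY_EXTENSION_NAMES and not x.get("update_url")]


def triage(events, extensions):
    """Group findings per process/host so an analyst sees the whole chain at once."""
    findings = defaultdict(list)
    for e in flag_local_post(events):
        findings[e["proc"]].append(f"POST to {e['dst']}:{e['port']}{e['path']}")
    for x in flag_decoy_extensions(extensions):
        findings[x["host"]].append(f"sideloaded extension '{x['name']}'")
    return dict(findings)


if __name__ == "__main__":
    for key, hits in triage(NET_EVENTS, EXTENSIONS).items():
        print(key, "->", "; ".join(hits))
```

A legitimate local development server on port 8000 will also trip the first rule, so in practice the browser-to-loopback POST should be correlated with the extension finding or with the outbound WebSocket from the Python tunneler before escalating.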
These types of interactive social engineering tactics have proven very profitable for cybercrime groups like ShinyHunters and Scattered Lapsus$ Hunters. Google analysts, however, told The Register that there's no overlap between those crews and this new group, which it tracks as UNC6692.
Google's analysis of UNC6692 and its Teams-led social engineering campaign follows a warning from Microsoft about criminals abusing Microsoft Teams communications and impersonating helpdesk personnel to snare users and then remotely control and infect victims' machines.
Despite the similarities, Google's security researchers told us that the two campaigns don't seem to be related.
They are a good reminder, though, of the increasing number of digital scammers using very convincing social engineering tactics alongside legitimate cloud services and tools to gain a foothold in organizations' IT environments. ®