UNC6692 is using Microsoft Teams help desk impersonation to trick employees into granting access and installing malware. Researchers say the campaign deploys SNOW malware components, abuses cloud services and enables credential theft, lateral movement and data exfiltration.

Researchers Track Teams-Based Social Engineering Campaign By UNC6692

The420 Web Desk

A previously undocumented threat activity cluster known as UNC6692 has been observed using Microsoft Teams impersonation to deploy a custom malware suite on compromised systems, relying on social engineering, trusted collaboration tools and legitimate cloud services to gain access, move laterally and exfiltrate data from enterprise networks.

Microsoft Teams Used For Help Desk Impersonation

Google-owned Mandiant said UNC6692 relied heavily on impersonating IT help desk employees, convincing victims to accept Microsoft Teams chat invitations from accounts outside their organisations. The group has been linked to a large email campaign designed to flood a target’s inbox with spam, creating a false sense of urgency before the attackers approach the victim through Teams while posing as IT support.

The tactic resembles a playbook previously embraced by former Black Basta affiliates. Although the group reportedly shut down its ransomware operations early last year, the method has shown no signs of slowing. ReliaQuest said the approach is being used to target executives and senior-level employees for initial access into corporate networks, with possible outcomes including data theft, lateral movement, ransomware deployment and extortion.

ReliaQuest researchers John Dilgen and Alexa Feminella said that from March 1 to April 1, 2026, senior-level employees accounted for 77 per cent of observed incidents, up from 59 per cent in the first two months of 2026. The goal of the interaction is to trick victims into installing legitimate remote monitoring and management tools such as Quick Assist or Supremo Remote Desktop, giving attackers hands-on access that can later be weaponised to deploy additional payloads.


Custom Malware And Cloud Abuse

Mandiant said the UNC6692 attack chain differed in one case by instructing the victim to click a phishing link shared through Teams chat to install a local patch for a purported spam issue. Once clicked, the link led to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket. The phishing page was named “Mailbox Repair and Sync Utility v2.1.5.”

The script was designed to conduct initial reconnaissance and install SNOWBELT, a malicious Chromium-based browser extension, on Microsoft Edge by launching the browser in headless mode with a command line switch. Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley and Muhammad Umair said the attacker used a gatekeeper script to ensure the payload was delivered only to intended targets while evading automated security sandboxes.

The phishing page also served a configuration management panel with a prominent “Health Check” button. When clicked, it prompted users to enter mailbox credentials under the appearance of authentication, but the data was instead harvested and exfiltrated to another Amazon S3 bucket. The broader malware ecosystem included SNOWBELT, SNOWGLAZE and SNOWBASIN, with each component supporting the attackers’ operational goals.

Lateral Movement And Data Exfiltration Risks

SNOWBELT functions as a JavaScript-based backdoor that receives commands and relays them to SNOWBASIN for execution. SNOWGLAZE is a Python-based tunneller that creates a secure, authenticated WebSocket tunnel between the victim’s internal network and the attacker’s command-and-control server. SNOWBASIN operates as a persistent backdoor, enabling remote command execution through cmd.exe or powershell.exe, screenshot capture, file upload and download, and self-termination. It runs as a local HTTP server on ports 8000, 8001 or 8002.

After gaining access, UNC6692 has been observed using a Python script to scan local networks for ports 135, 445 and 3389, establishing PsExec sessions through the SNOWGLAZE tunnelling utility and initiating RDP sessions from victim systems to backup servers. The attackers also used a local administrator account to extract LSASS process memory through Windows Task Manager for privilege escalation, then used pass-the-hash techniques to move laterally to domain controllers.
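The behaviours described above (Edge launched headless to side-load the SNOWBELT extension, Task Manager used to dump LSASS, and a script sweeping internal hosts on 135/445/3389) each leave a recognisable footprint in endpoint telemetry. The following is an added illustration, not code from Mandiant, ReliaQuest or the article: three detection checks run over constructed Sysmon-like events. The event field names, paths and IPs are assumptions, and the `--headless`/`--load-extension` switches are real Chromium switches chosen here because the article does not name the one used.

```python
import ntpath
from collections import defaultdict

SWEEP_PORTS = {135, 445, 3389}   # ports the article says the scanner probed

# Constructed sample telemetry (Sysmon-like shape, not real logs); paths and IPs are made up.
EVENTS = [
    {"type": "process", "pid": 41, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'msedge.exe --headless --load-extension="C:\Users\u\AppData\Local\Temp\ext"'},
    {"type": "process", "pid": 42, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe https://intranet.example"},
    {"type": "file", "pid": 50, "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\lsass.DMP"},
    {"type": "file", "pid": 50, "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\notepad.DMP"},
] + [
    {"type": "network", "pid": 77, "image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "dst": f"10.0.0.{i}", "dport": 445} for i in range(1, 9)
]

def edge_sideload(ev):
    """Edge started headless with a side-loaded extension: the SNOWBELT install step.
    Assumes the switch was --load-extension; the article only says 'a command line switch'."""
    if ev["type"] != "process" or ntpath.basename(ev["image"]).lower() != "msedge.exe":
        return False
    cl = ev["cmdline"].lower()
    return "--headless" in cl and "--load-extension" in cl

def taskmgr_lsass_dump(ev):
    """Task Manager's 'Create dump file' on LSASS writes a file named lsass.DMP."""
    return (ev["type"] == "file"
            and ntpath.basename(ev["image"]).lower() == "taskmgr.exe"
            and ntpath.basename(ev["target"]).lower() == "lsass.dmp")

def port_sweeps(events, threshold=5):
    """One process reaching many distinct hosts on 135/445/3389: internal discovery sweep."""
    seen = defaultdict(set)
    for ev in events:
        if ev["type"] == "network" and ev["dport"] in SWEEP_PORTS:
            seen[(ev["pid"], ntpath.basename(ev["image"]).lower())].add(ev["dst"])
    return [(pid, img, len(hosts)) for (pid, img), hosts in seen.items() if len(hosts) >= threshold]

def detect(events):
    hits = [("edge_sideload", ev["pid"]) for ev in events if edge_sideload(ev)]
    hits += [("lsass_dump", ev["pid"]) for ev in events if taskmgr_lsass_dump(ev)]
    hits += [("port_sweep", pid) for pid, _, _ in port_sweeps(events)]
    return hits

if __name__ == "__main__":
    print(detect(EVENTS))
```

The sweep check deliberately keys on process and destination count rather than command line, since the article's scanner is a plain Python script whose arguments say nothing on their own.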

Mandiant said the campaign showed an evolution in tactics through the combined use of social engineering, custom malware and a malicious browser extension, exploiting victims’ trust in enterprise software providers. Microsoft has also warned that threat actors are using cross-tenant Teams communications to establish control through Quick Assist or other remote support tools, enabling malicious code execution.

Once initial access is obtained, attackers conduct reconnaissance, deploy payloads, establish encrypted outbound connections to command-and-control infrastructure, create fallback access through Level RMM and exfiltrate data using tools such as Rclone. Microsoft said such access pathways could enable credential-backed lateral movement through native administrative protocols such as Windows Remote Management, allowing attackers to pivot toward high-value assets, including domain controllers.
