Xiandai · Cybersecurity · Apr 27, 2026 · Updated 08:36 AM UTC

Cybercrime group uses Microsoft Teams and custom Snow malware to steal credentials

Threat group UNC6692 impersonates helpdesk staff on Microsoft Teams to deploy the Snow malware ecosystem, according to Google's Threat Intelligence Group.

Ryan Torres


A cybercrime group identified as UNC6692 is using Microsoft Teams and custom 'Snow' malware to infiltrate organizations and steal sensitive data, according to a report from Google's Threat Intelligence Group (GTIG).

Google researchers first identified the group after spotting a large email campaign in late December 2025. The attackers begin by flooding target organizations with overwhelming email traffic to create a sense of urgency.

Following the spam flood, the attackers contact employees via Microsoft Teams while posing as helpdesk personnel. They offer to resolve the email volume problem and trick users into clicking links to a fake 'Mailbox Repair Utility.'

According to The Register, the phishing page employs a 'double-entry' psychological trick. The script automatically rejects the first and second password attempts as incorrect to manipulate the victim into believing the system is legitimate.

'This serves two functions: it reinforces the user's belief that the system is legitimate and performs real-time validation, and it ensures that the attacker captures the password twice, significantly reducing the risk of a typo in the stolen data,' GTIG reported.

While the user waits for a fake integrity check, the site sends credentials and metadata to an attacker-controlled Amazon S3 bucket. The attack then stages files on the user's machine to establish a persistent foothold.

The Snow malware ecosystem

The initial infection stage downloads an AutoHotkey script that installs a malicious Chromium extension called SnowBelt. The extension is not available through any official store and relies on social engineering for distribution.

SnowBelt acts as a JavaScript-based backdoor, often using deceptive names such as 'MS Heartbeat' or 'System Heartbeat' to avoid detection. This extension serves as a gateway for the rest of the 'Snow' malware family, including SnowGlaze and SnowBaserm.
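The two traits the article gives for SnowBelt, a sideloaded extension that never came from the Chrome Web Store and a deceptive 'MS Heartbeat' / 'System Heartbeat' name, are both visible in an extension's manifest. The following triage script is an added example written for this page, not GTIG's tooling or anything from the report; it scores manifests on those traits plus backdoor-grade permissions. The manifests are constructed inline (the extension IDs are placeholders) so it runs offline; in practice they would be read from a Chromium profile's Extensions directory.

```python
"""Triage of installed Chromium extensions for sideloaded backdoors.

Added example, not code from the article or from GTIG. Assumes the
manifest.json of each installed extension has already been collected;
the samples below are constructed so the script runs offline.
"""
import re

# Extensions installed from the Chrome Web Store carry this update_url.
# A manifest without it was sideloaded or loaded unpacked, which is how
# the article says SnowBelt reaches victims.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Deceptive names the article reports for SnowBelt.
SUSPICIOUS_NAME_RE = re.compile(r"\b(ms|system)\s*heartbeat\b", re.IGNORECASE)

# Permissions that let an extension intercept traffic, steal cookies or
# inject code, i.e. behave as a browser-resident backdoor.
RISKY_PERMISSIONS = {"webRequest", "cookies", "tabs", "scripting",
                     "nativeMessaging", "debugger"}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def triage_manifest(ext_id: str, manifest: dict) -> dict:
    """Score one manifest; each matched trait adds one point and a reason."""
    reasons = []
    name = manifest.get("name", "")
    if manifest.get("update_url") != WEB_STORE_UPDATE_URL:
        reasons.append("not installed from the Chrome Web Store (no store update_url)")
    if SUSPICIOUS_NAME_RE.search(name):
        reasons.append(f"name {name!r} matches a reported SnowBelt alias")
    perms = manifest.get("permissions", [])
    risky = sorted(set(perms) & RISKY_PERMISSIONS)
    if risky:
        reasons.append("risky permissions: " + ", ".join(risky))
    # MV3 lists hosts under host_permissions; MV2 mixes them into permissions.
    hosts = manifest.get("host_permissions", []) + [
        p for p in perms if "://" in p or p == "<all_urls>"]
    if any(h in ALL_SITES for h in hosts):
        reasons.append("access to every site")
    background = manifest.get("background", {})
    if background.get("service_worker") or background.get("scripts"):
        reasons.append("persistent background script")
    return {"id": ext_id, "name": name, "score": len(reasons), "reasons": reasons}


def triage_all(manifests: dict, threshold: int = 3) -> list:
    """Return findings at or above the threshold, highest score first."""
    findings = [triage_manifest(i, m) for i, m in manifests.items()]
    return sorted((f for f in findings if f["score"] >= threshold),
                  key=lambda f: -f["score"])


# Constructed sample manifests; IDs are placeholders, not real extension IDs.
SAMPLE_MANIFESTS = {
    # Ordinary store-installed extension.
    "ext-sample-001": {
        "name": "Tab Saver",
        "manifest_version": 3,
        "update_url": WEB_STORE_UPDATE_URL,
        "permissions": ["storage", "tabs"],
    },
    # Sideloaded extension with a SnowBelt-style name and backdoor-grade access.
    "ext-sample-002": {
        "name": "System Heartbeat",
        "manifest_version": 3,
        "permissions": ["webRequest", "cookies", "tabs", "scripting", "storage"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"},
    },
    # Unpacked developer build: sideloaded, but otherwise unremarkable.
    "ext-sample-003": {
        "name": "Internal Dashboard Helper",
        "manifest_version": 3,
        "permissions": ["storage"],
    },
}

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_MANIFESTS):
        print(finding["id"], finding["name"], finding["score"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The threshold keeps a lone unpacked developer extension (one point) out of the findings while an extension that is sideloaded, uses a reported alias, holds interception permissions, reaches every site and runs a persistent background script scores five. Name matching is the weakest signal, since an operator can rename the extension at will; the permission and origin checks are what to keep when the alias list goes stale.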

SnowGlaze is a Python-based tunneler capable of running on both Windows and Linux environments. It manages communication with the attackers' command-and-control infrastructure, frequently using Heroku subdomains.

To evade detection, the malware wraps its command-and-control traffic in JSON objects and Base64-encodes the payloads, so the transfers resemble ordinary, encrypted web traffic.
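JSON with Base64-encoded fields going to a Heroku subdomain is exactly the pattern described for SnowGlaze, and it is cheap to surface from proxy logs: unwrap the JSON, decode the fields that look like Base64, and show what is inside. The detector below is an added example written for this page, not GTIG's or the article's code. It runs over constructed proxy records (one dict per request with host, method, content type and body; that record layout is an assumption about the log format) rather than a live capture, and the hosts and payloads are made up.

```python
"""Surface JSON-wrapped, Base64-encoded C2 traffic bound for Heroku subdomains.

Added example, not code from the article or from GTIG. Record fields
(host, method, content_type, body) are an assumed proxy log format; the
sample records are constructed so the script runs offline.
"""
import base64
import binascii
import json
import math
import re

# Heroku's hosted-app apex; the article says SnowGlaze's C2 uses its subdomains.
HEROKU_HOST_RE = re.compile(r"(^|\.)herokuapp\.com$", re.IGNORECASE)
# Standard or URL-safe Base64 alphabet, at least 16 characters.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8 suggest compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_b64decode(s: str):
    """Decode standard or URL-safe Base64, tolerating stripped padding."""
    padded = s + "=" * (-len(s) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        pass
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None


def _walk_strings(obj, path=""):
    """Yield (json_path, value) for every string in a parsed JSON tree."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk_strings(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk_strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def analyze_record(rec: dict):
    """Return a finding for one proxy record, or None if nothing stands out."""
    if not HEROKU_HOST_RE.search(rec.get("host", "")):
        return None
    if "json" not in rec.get("content_type", "").lower():
        return None
    try:
        doc = json.loads(rec.get("body", ""))
    except ValueError:
        return None
    blobs = []
    for path, s in _walk_strings(doc):
        if not B64_RE.match(s):
            continue
        raw = try_b64decode(s)
        if raw is None:
            continue
        try:
            preview = raw.decode("utf-8")
            kind = "json" if preview.lstrip().startswith(("{", "[")) else "text"
        except UnicodeDecodeError:
            preview, kind = raw[:16].hex(), "binary"
        blobs.append({"path": path, "kind": kind,
                      "entropy": round(shannon_entropy(raw), 2),
                      "preview": preview[:60]})
    if not blobs:
        return None
    return {"host": rec["host"], "method": rec.get("method"), "blobs": blobs}


def scan(records):
    """Findings for every record that carries decodable Base64 inside JSON."""
    return [f for f in map(analyze_record, records) if f]


# Constructed sample records; hosts and payloads are made up for this example.
_INNER = json.dumps({"type": "beacon", "host": "WIN-SAMPLE-01"}).encode()
SAMPLE_RECORDS = [
    {"host": "api.example.com", "method": "POST", "content_type": "application/json",
     "body": json.dumps({"q": "weather tomorrow"})},
    {"host": "status-sample.herokuapp.com", "method": "GET",
     "content_type": "application/json", "body": json.dumps({"status": "ok"})},
    {"host": "tunnel-sample-12345.herokuapp.com", "method": "POST",
     "content_type": "application/json",
     "body": json.dumps({"id": "7c2b", "data": base64.b64encode(_INNER).decode()})},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding["host"], finding["method"])
        for blob in finding["blobs"]:
            print(f"  {blob['path']}: {blob['kind']} entropy={blob['entropy']} {blob['preview']!r}")
```

Only the third record is reported: the plain API call is not on a Heroku host, and the status poll carries no Base64-looking field. Long hex session identifiers also match the Base64 alphabet and will decode to binary, so treat a finding as a triage lead rather than a verdict: the decoded kind and entropy (readable JSON versus high-entropy bytes) and the volume and regularity of requests to the same subdomain are what separate a tunnel from a legitimate app that happens to be hosted on Heroku.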
