228/69 Monday, April 27, 2026

Researchers from Mandiant have identified a campaign by the threat group UNC6692 that uses social engineering to compromise organizations. The attack begins with email bombing, flooding the victim's inbox to overwhelm them and create urgency. Attackers then impersonate IT helpdesk staff and contact targets via Microsoft Teams, convincing them to install what is presented as a patch for blocking the spam emails but is in fact malware.
The malware toolkit, dubbed “Snow,” consists of multiple coordinated components:
- SnowBelt: a browser extension designed for persistence on the infected system
- SnowGlaze: establishes a WebSocket tunnel between the victim’s machine and the command-and-control (C2) server, supporting SOCKS proxy to relay TCP traffic
- SnowBasin: a Python-based backdoor capable of executing commands via CMD or PowerShell, exfiltrating data, capturing screenshots, and managing files remotely
Once inside the network, attackers conduct internal reconnaissance, scanning SMB and RDP services to move laterally. They then perform LSASS memory dumping to steal credentials and use pass-the-hash techniques to access critical systems such as Domain Controllers. In the final stage, attackers use tools like FTK Imager to extract Active Directory databases and sensitive registry files (SYSTEM, SAM, SECURITY), before exfiltrating the data via tools such as LimeWire for further exploitation or domain-wide compromise.
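The two stages of this chain that leave the clearest telemetry are the opening email bomb and the later credential theft (LSASS access and reads of the AD database and registry hives). The following script is an added illustration, not code from Mandiant or from the report: it runs two simple detectors over constructed log lines. All field names, the allowlists, the thresholds, and the host and process names are assumptions made for this toy, not any product's schema or a published rule.

```python
import json
from collections import defaultdict, deque

# Constructed inbound-mail telemetry: one recipient receives 80 messages in
# under seven minutes (email bombing), another receives routine mail.
MAIL_EVENTS = [
    json.dumps({"ts": 1000 + i * 5, "rcpt": "alice@example.test", "subject": f"Welcome #{i}"})
    for i in range(80)
] + [
    json.dumps({"ts": 1000 + i * 300, "rcpt": "bob@example.test", "subject": "Weekly report"})
    for i in range(5)
]

# Constructed endpoint telemetry modelled on Sysmon-style process-access and
# file-read events. Host and process names are illustrative only.
ENDPOINT_EVENTS = [
    json.dumps({"ts": 2000, "host": "WS01", "type": "process_access", "source": "MsMpEng.exe", "target": "lsass.exe"}),
    json.dumps({"ts": 2001, "host": "WS01", "type": "process_access", "source": "python.exe", "target": "lsass.exe"}),
    json.dumps({"ts": 2002, "host": "DC01", "type": "file_read", "source": "FTK Imager.exe", "path": "C:\\Windows\\NTDS\\ntds.dit"}),
    json.dumps({"ts": 2003, "host": "DC01", "type": "file_read", "source": "FTK Imager.exe", "path": "C:\\Windows\\System32\\config\\SAM"}),
    json.dumps({"ts": 2004, "host": "DC01", "type": "file_read", "source": "FTK Imager.exe", "path": "\\\\.\\PhysicalDrive0"}),
    json.dumps({"ts": 2005, "host": "DC01", "type": "file_read", "source": "lsass.exe", "path": "C:\\Windows\\System32\\config\\SYSTEM"}),
    json.dumps({"ts": 2006, "host": "WS01", "type": "file_read", "source": "notepad.exe", "path": "C:\\Users\\alice\\notes.txt"}),
]

# Assumed allowlists: processes that legitimately open LSASS or the hives.
# A real deployment tunes these per environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe", "svchost.exe"}
HIVE_ALLOWLIST = {"lsass.exe", "system"}
SENSITIVE_FILES = {"ntds.dit", "sam", "system", "security"}
RAW_DEVICE_PREFIX = "\\\\.\\"  # handles to \\.\PhysicalDriveN or \\.\C: bypass file ACLs


def detect_email_bomb(lines, threshold=50, window_s=600):
    """Sliding-window count of inbound mail per recipient.

    Returns {recipient: peak_count} for recipients whose count inside any
    window_s-second window exceeded threshold.
    """
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["ts"])
    windows = defaultdict(deque)
    peaks = {}
    for ev in events:
        q = windows[ev["rcpt"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_s:  # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            peaks[ev["rcpt"]] = max(peaks.get(ev["rcpt"], 0), len(q))
    return peaks


def detect_credential_theft(lines):
    """Flag LSASS handle access from non-allowlisted processes and reads of
    ntds.dit, the SAM/SYSTEM/SECURITY hives, or raw disk devices.

    Returns a list of (host, alert_type, source_process) tuples.
    """
    alerts = []
    for line in lines:
        ev = json.loads(line)
        src = ev["source"].lower()
        if ev["type"] == "process_access":
            if ev["target"].lower() == "lsass.exe" and src not in LSASS_ALLOWLIST:
                alerts.append((ev["host"], "lsass_access", src))
        elif ev["type"] == "file_read" and src not in HIVE_ALLOWLIST:
            path = ev["path"].lower()
            name = path.rsplit("\\", 1)[-1]
            in_secret_dir = "\\ntds\\" in path or "\\system32\\config\\" in path
            if path.startswith(RAW_DEVICE_PREFIX) or (name in SENSITIVE_FILES and in_secret_dir):
                alerts.append((ev["host"], "ad_secrets_read", src))
    return alerts


if __name__ == "__main__":
    for rcpt, peak in detect_email_bomb(MAIL_EVENTS).items():
        print(f"email bomb suspected: {rcpt} received {peak} messages in a 10-minute window")
    for host, kind, src in detect_credential_theft(ENDPOINT_EVENTS):
        print(f"{host}: {kind} by {src}")
```

The raw-device check matters because a disk imager reads the volume beneath the filesystem, so a rule that only watches the hive file paths would miss it; the hive allowlist exists because LSASS and the kernel legitimately hold those files open on every domain controller.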
