Threat group deploys Snow malware via Microsoft Teams, says Mandiant

A threat group tracked as UNC6692 is using social engineering to deploy a new malware suite named Snow, according to Google's Mandiant researchers. The suite includes a browser extension, a tunneler, and a backdoor, and is designed to steal sensitive data after deep network compromise through credential theft and domain takeover.

The attacker begins with email bombing to create a sense of urgency, then contacts targets via Microsoft Teams while posing as IT helpdesk agents. The victim is prompted to click a link to install a "patch" that would supposedly block the email spam. Instead, the victim receives a dropper that executes AutoHotkey scripts, which load SnowBelt, a malicious Chrome extension. SnowBelt runs in a headless Microsoft Edge instance so the victim notices nothing, while scheduled tasks and a startup folder shortcut are created for persistence.

The extension serves as a persistence and relay mechanism for commands sent to a Python-based backdoor named SnowBasin. Commands are delivered through a WebSocket tunnel. SnowBasin runs a local HTTP server and executes attacker-supplied CMD or PowerShell commands, relaying results back through the same pipeline. The malware supports remote shell access, data exfiltration, file download, screenshot capture, and basic file management.

Post-compromise, the attackers performed internal reconnaissance, scanning for SMB and RDP services, then moved laterally. They dumped LSASS memory to extract credentials and used pass-the-hash techniques to reach domain controllers. In the final stage, they deployed FTK Imager to extract the Active Directory database and registry hives, exfiltrating the files via LimeWire.
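The headless-Edge, AutoHotkey and scheduled-task behaviour described above is what a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from Mandiant's report or from the Snow malware: it runs three simple rules over constructed, Sysmon-style process events. The exact command lines SnowBelt uses are not given in the report; the assumption that a side-loaded headless extension is launched with Chromium's `--headless` plus `--load-extension=` or `--disable-extensions-except=` flags is the author's, as are all paths and file names in the sample events.

```python
# Constructed process-creation events (not real telemetry), shaped like
# Sysmon Event ID 1 fields: image path, command line and parent image.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'msedge.exe --headless=new --load-extension="C:\Users\u\AppData\Local\upd\ext" about:blank',
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Users\u\AppData\Local\Temp\AutoHotkey64.exe",
     "cmdline": r"AutoHotkey64.exe C:\Users\u\AppData\Local\Temp\patch.ahk",
     "parent": r"C:\Users\u\Downloads\spam_patch.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn EdgeUpdate /tr "msedge.exe --headless --load-extension=C:\Users\u\AppData\Local\upd\ext" /sc onlogon',
     "parent": r"C:\Users\u\AppData\Local\Temp\AutoHotkey64.exe"},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r"msedge.exe https://intranet.example",
     "parent": r"C:\Windows\explorer.exe"},
]


def _headless_with_extension(cmdline):
    """True when a Chromium command line runs headless AND side-loads an extension.
    Flag order is not assumed; this combination is the hypothetical SnowBelt launch pattern."""
    c = cmdline.lower()
    return "--headless" in c and ("--load-extension=" in c or "--disable-extensions-except=" in c)


def classify(event):
    """Return the names of the rules an event matches; an empty list means no finding."""
    hits = []
    image = event["image"].lower().rsplit("\\", 1)[-1]  # file name only
    cmd = event["cmdline"]
    # Rule 1: Edge running headless with a side-loaded extension (SnowBelt execution).
    if image == "msedge.exe" and _headless_with_extension(cmd):
        hits.append("headless_edge_sideloaded_extension")
    # Rule 2: the AutoHotkey interpreter executing an .ahk script (dropper stage).
    if image.startswith("autohotkey") and ".ahk" in cmd.lower():
        hits.append("autohotkey_script_execution")
    # Rule 3: a scheduled task being created whose action is headless Edge (persistence).
    if image == "schtasks.exe" and "/create" in cmd.lower() and _headless_with_extension(cmd):
        hits.append("schtask_persistence_headless_edge")
    return hits


def scan(events):
    """Map the index of every matching event to its rule hits; benign events are omitted."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

A startup-folder shortcut, the report's other persistence mechanism, is a file-creation event rather than a process event and would need a separate rule on writes to the per-user Startup directory.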
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from BleepingComputer and reviewed by the T&B editorial agent team.