The Snow Flurries Campaign: UNC6692’s Social Engineering and Custom Malware Suite
The Google Threat Intelligence Group (GTIG) recently uncovered a multi-stage intrusion campaign, dubbed Snow Flurries, orchestrated by the newly tracked threat group UNC6692. This operation stands out for its sophistication, combining persistent social engineering, a custom modular malware suite, and a remarkable ability to pivot within victim environments to achieve deep network penetration.
In late December 2025, UNC6692 launched a large email campaign designed to overwhelm targets and create a sense of urgency. This was followed by a phishing message via Microsoft Teams, where attackers impersonated IT helpdesk personnel, offering assistance with the email volume. This social engineering tactic, exploiting users’ inherent trust in enterprise software providers, is a core pillar of UNC6692’s strategy.
Why This Threat Is Critical
The Snow Flurries campaign is a prime example of how modern attackers blend social engineering with technical evasion to gain a foothold in corporate environments. The reliance on legitimate cloud services for payload delivery, data exfiltration, and Command and Control (C2) infrastructure is a critical element of this strategy. By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic.
The infection chain begins with contact via Microsoft Teams, where the victim is prompted to click a link to install a “local patch” that supposedly stops the email spam. This link downloads a renamed AutoHotkey binary and an AutoHotkey script from an attacker-controlled AWS S3 bucket. Running the script then executes initial reconnaissance commands and installs SNOWBELT, a malicious Chromium browser extension.
SNOWBELT’s persistence is established through shortcuts in the Windows Startup folder and scheduled tasks that ensure its continuous execution. This extension is the gateway to the SNOW malware ecosystem, which includes SNOWGLAZE (a Python tunneler) and SNOWBASIN (a Python bindshell), forming a coordinated pipeline that facilitates the attacker’s journey from initial browser-based access to the organization’s internal network. For robust defence against such threats, cybersecurity services are indispensable.
The Profound Impact on Organizations
After gaining initial access, UNC6692 employs Python scripts to scan the local network, establishing PsExec and RDP sessions through the SNOWGLAZE tunnel to enumerate local administrator accounts and move laterally to backup servers. Privilege escalation is achieved by dumping the memory of the LSASS (Local Security Authority Subsystem Service) process with Windows Task Manager, which yields the credentials of privileged users.
Armed with elevated users’ password hashes, UNC6692 uses the pass-the-hash technique to move laterally to the network’s domain controllers. Once authenticated, the attackers download tools such as FTK Imager to extract critical files, namely the Active Directory database (NTDS.dit) and the Security Account Manager (SAM), SYSTEM, and SECURITY registry hives, and exfiltrate them from the network. Each of these steps maps to techniques catalogued in the MITRE ATT&CK framework, which illustrates the breadth of tactics employed.
This “living off the cloud” strategy allows attackers to blend malicious operations into a high volume of encrypted, reputably sourced traffic, making detection based on domain reputation or IP blocking increasingly ineffective. Defenders must now look beyond process monitoring to gain clear visibility into browser activity and unauthorized cloud traffic.
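As an added illustration (example code written for this article, not tooling from the GTIG report or from mfmd.pt), the following Python block turns the stages described above into a handful of defender-side rules and runs them over constructed Sysmon-style events: a renamed AutoHotkey binary whose PE original name disagrees with its on-disk name, a Chromium browser launched with an unpacked extension, a shortcut written into the Startup folder, Task Manager opening a handle to LSASS, and a process outside an allow-list reaching S3. The event field names follow Sysmon's schema; the AutoHotkey original-name watchlist, the browser list, the S3 allow-list and the sample events are assumptions constructed for the example, and treating `--load-extension` (a real Chromium switch) as suspicious is this example's policy rather than something the report states.

```python
"""Defender-side rules for the Snow Flurries stages, run over constructed Sysmon-style events.
Added example, not code from the GTIG report or from mfmd.pt. Field names follow Sysmon's
schema; every watch-list, allow-list and sample event here is an assumption for the example.
"""
from collections import Counter

# Assumed: names AutoHotkey builds embed in their PE version resource; Sysmon reports
# this as OriginalFileName, which survives renaming the file on disk.
AUTOHOTKEY_ORIGINAL_NAMES = {"autohotkey.exe", "autohotkeyu64.exe", "autohotkey64.exe"}
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Assumed allow-list of processes expected to reach S3 in this environment.
S3_ALLOWED_PROCESSES = {"aws.exe", "backupagent.exe"}
STARTUP_FOLDER = "\\start menu\\programs\\startup\\"


def base(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_renamed_autohotkey(ev):
    """Process start (EventID 1) whose PE name says AutoHotkey but whose file name does not."""
    orig = ev.get("OriginalFileName", "").lower()
    if ev.get("EventID") == 1 and orig in AUTOHOTKEY_ORIGINAL_NAMES and base(ev.get("Image", "")) != orig:
        return "renamed-autohotkey"
    return None


def rule_unpacked_extension(ev):
    """Chromium browser started with an unpacked extension. --load-extension is a real
    Chromium switch; flagging it is this example's policy, not a claim from the report."""
    cmd = ev.get("CommandLine", "").lower()
    if ev.get("EventID") == 1 and base(ev.get("Image", "")) in CHROMIUM_BROWSERS and "--load-extension" in cmd:
        return "browser-unpacked-extension"
    return None


def rule_startup_shortcut(ev):
    """Shortcut written into a Startup folder (Sysmon FileCreate, EventID 11)."""
    target = ev.get("TargetFilename", "").lower()
    if ev.get("EventID") == 11 and STARTUP_FOLDER in target and target.endswith(".lnk"):
        return "startup-folder-shortcut"
    return None


def rule_taskmgr_lsass(ev):
    """Task Manager opening a handle to LSASS (Sysmon ProcessAccess, EventID 10)."""
    if (ev.get("EventID") == 10 and base(ev.get("TargetImage", "")) == "lsass.exe"
            and base(ev.get("SourceImage", "")) == "taskmgr.exe"):
        return "lsass-access-taskmgr"
    return None


def rule_unexpected_s3(ev):
    """Outbound connection (EventID 3) to S3 from a process outside the allow-list."""
    host = ev.get("DestinationHostname", "").lower()
    if ev.get("EventID") == 3 and host.endswith(".amazonaws.com") and base(ev.get("Image", "")) not in S3_ALLOWED_PROCESSES:
        return "unexpected-s3-egress"
    return None


RULES = [rule_renamed_autohotkey, rule_unpacked_extension, rule_startup_shortcut,
         rule_taskmgr_lsass, rule_unexpected_s3]


def detect(events):
    """Return (rule name, process name) for every event that trips a rule."""
    hits = []
    for ev in events:
        proc = base(ev.get("Image") or ev.get("SourceImage", ""))
        hits.extend((tag, proc) for tag in (rule(ev) for rule in RULES) if tag)
    return hits


def stage_counts(events):
    """Number of events per rule; the whole chain showing up together is the real signal."""
    return Counter(tag for tag, _ in detect(events))


# Constructed sample events: five stage indicators plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\ana\\Downloads\\patch.exe",
     "OriginalFileName": "AutoHotkey.exe", "CommandLine": "patch.exe fix.ahk"},
    {"EventID": 1, "Image": "C:\\Program Files\\AutoHotkey\\AutoHotkey.exe",  # benign
     "OriginalFileName": "AutoHotkey.exe", "CommandLine": "AutoHotkey.exe macros.ahk"},
    {"EventID": 1, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "OriginalFileName": "chrome.exe", "CommandLine": "chrome.exe --load-extension=C:\\Users\\ana\\ext"},
    {"EventID": 11, "Image": "C:\\Users\\ana\\Downloads\\patch.exe",
     "TargetFilename": "C:\\Users\\ana\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"EventID": 3, "Image": "C:\\Users\\ana\\AppData\\Local\\python\\python.exe",
     "DestinationHostname": "example-bucket.s3.amazonaws.com"},
    {"EventID": 3, "Image": "C:\\Program Files\\Backup\\backupagent.exe",  # benign
     "DestinationHostname": "example-bucket.s3.amazonaws.com"},
]

if __name__ == "__main__":
    for tag, proc in detect(SAMPLE_EVENTS):
        print(f"{tag:30} {proc}")
```

Run the file directly to print one line per hit. The point of the last rule is the one the paragraph above makes: the S3 hostname is reputable, so only the identity of the process making the connection separates the backup agent from a stray Python interpreter, which is why the allow-list has to be tuned per environment rather than derived from domain reputation.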
The mfmd.pt Solution: Strengthening Your Digital Defense
The complexity of the Snow Flurries campaign underscores the urgent need for a proactive and multi-faceted approach to cybersecurity. At mfmd.pt, we understand that protection against advanced threats like UNC6692 requires more than point solutions; it demands an integrated strategy encompassing technology, processes, and people.
Our experts in digital marketing consultancy and cybersecurity are poised to help your business fortify its defences. We offer:
- Vulnerability Assessments and Penetration Testing: We identify weaknesses before attackers do.
- Cybersecurity Awareness Training: We empower your employees to recognise and resist social engineering attacks.
- Implementation of Threat Detection and Response Solutions (EDR/XDR): Continuous monitoring for early detection and rapid response.
- Cloud Security Strategies: We protect your assets in cloud environments, ensuring compliance and resilience.
Do not wait for your organization to become the next victim of a sophisticated campaign. Protecting your data and digital infrastructure is an essential investment for your business continuity and success. Contact us today to discuss how we can safeguard your company against the latest cyber threats.
To request our services and strengthen your cybersecurity, contact us via E-mail: [email protected] or WhatsApp: +351 969 238 492.