Hackers Abuse Microsoft Teams to Deploy Snow Malware and Steal Domain Credentials

UNC6692 deploys Snow malware after remote access scams

Threat group UNC6692 is using social engineering attacks through Microsoft Teams to deploy a custom malware suite called Snow, with the goal of stealing sensitive data after deep network compromise.

According to Mandiant, owned by Google, the campaign starts with email bombing. Attackers flood the victim’s inbox, then contact the target through Microsoft Teams while pretending to be IT helpdesk staff.

The goal is to convince victims that they need support. From there, attackers trick them into granting remote access through tools such as Quick Assist.

This abuse of Microsoft Teams is not new. Microsoft was previously warned that Teams has been used in similar threat campaigns, but the company is now working on new anti-phishing tools expected to roll out to Teams in June 2026.

How the Snow Malware Attack Works

Once attackers gain the victim’s trust, they send a fake “anti-spam patch” link. The victim clicks it and installs a dropper that runs AutoHotkey scripts.

Those scripts deploy SnowBelt, a malicious Chrome extension that is loaded into a headless (windowless) instance of Microsoft Edge, so it runs with nothing visible to the user; Edge is Chromium-based and accepts the same extension format. The malware also establishes persistence through scheduled tasks and shortcuts in the Startup folder.

The Snow malware suite includes several components. SnowBelt handles persistence and relays commands, while SnowGlaze wraps command-and-control traffic in a WebSocket tunnel to disguise it and provides SOCKS proxy routing, giving the attackers a path into the victim's internal network.

SnowBasin works as a Python-based backdoor. It executes CMD and PowerShell commands through a local HTTP server.

UNC6692 Targets Credentials and Domain Controllers

After infection, UNC6692 performs internal reconnaissance by scanning for SMB and RDP services. The attackers then move laterally across the network and harvest credentials by dumping the memory of LSASS, the Windows process that holds cached logon secrets.

The group also uses pass-the-hash techniques to access more systems and eventually targets domain controllers.

In the final stage, attackers use FTK Imager, a forensic disk-imaging tool, to extract the Active Directory database. They also steal the SYSTEM, SAM, and SECURITY registry hives.

The stolen data gives attackers broad credential access across the domain. Data is then exfiltrated using LimeWire.
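The following is an added example, not code from the article or from Mandiant's report, that turns the infection chain and the credential-theft stage described in the two sections above into concrete detection logic. It runs a handful of defender-side rules over constructed, Sysmon-style process events (the field names Image, CommandLine, TargetImage, GrantedAccess and TargetFilename follow Sysmon's naming) and flags the AutoHotkey dropper, headless Edge side-loading an extension, scheduled-task and Startup-folder persistence, LSASS memory access, registry-hive export and FTK Imager running on a host. The specific command-line switches, file names and paths used here are assumptions made for the example, not indicators taken from the report; the real IoCs and YARA rules are in Mandiant's publication.

```python
"""Defender-side detection sketch for the Snow intrusion chain (added example;
not from the article or Mandiant).  Switches, file names and paths are assumed."""
import ntpath
import re

STARTUP_DIR = "\\start menu\\programs\\startup\\"       # matched against lower-cased paths
HIVE_RE = re.compile(r"hklm\\(sam|system|security)\b")  # the three hives named in the article
PROCESS_VM_READ = 0x0010                                # access right needed to read LSASS memory

# Rough mapping of each rule to the attack stage it evidences.
STAGE = {
    "autohotkey_from_user_path": "execution",
    "headless_edge_sideloaded_extension": "execution",
    "schtasks_create": "persistence",
    "startup_folder_shortcut": "persistence",
    "lsass_memory_read": "credential access",
    "registry_hive_export": "credential access",
    "ftk_imager_on_host": "credential access",
}


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return ntpath.basename(image.replace("/", "\\")).lower()


def classify_event(ev: dict) -> list:
    """Return the names of every rule one Sysmon-style event matches."""
    hits = []
    eid = ev.get("EventID")
    image = _base(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()

    if eid == 1:  # process creation
        # Dropper: AutoHotkey interpreter started from a user-writable location.
        if image.startswith("autohotkey") and ("\\users\\" in cmd or "\\temp\\" in cmd):
            hits.append("autohotkey_from_user_path")
        # SnowBelt: headless Edge told to load an unpacked extension.  --headless and
        # --load-extension are real Chromium switches; their use by Snow is an assumption.
        if image == "msedge.exe" and "--headless" in cmd and "--load-extension" in cmd:
            hits.append("headless_edge_sideloaded_extension")
        # Persistence: scheduled task created from the command line.
        if image == "schtasks.exe" and "/create" in cmd:
            hits.append("schtasks_create")
        # Hive theft: `reg save` of SAM/SYSTEM/SECURITY (one way to copy the hives;
        # the article does not say which tool UNC6692 used for this step).
        if image == "reg.exe" and " save " in cmd and HIVE_RE.search(cmd):
            hits.append("registry_hive_export")
        # AD database theft: forensic imaging tool running on a server (file name assumed).
        if image in ("ftk imager.exe", "ftkimager.exe"):
            hits.append("ftk_imager_on_host")
    elif eid == 10:  # process access
        target = _base(ev.get("TargetImage", ""))
        try:
            granted = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            granted = 0
        if target == "lsass.exe" and granted & PROCESS_VM_READ:
            hits.append("lsass_memory_read")
    elif eid == 11:  # file creation
        path = ev.get("TargetFilename", "").lower()
        if STARTUP_DIR in path and path.endswith(".lnk"):
            hits.append("startup_folder_shortcut")
    return hits


def scan(events: list) -> dict:
    """Map each triggered rule to the indices of the events that triggered it."""
    findings = {}
    for i, ev in enumerate(events):
        for rule in classify_event(ev):
            findings.setdefault(rule, []).append(i)
    return findings


def stages_seen(findings: dict) -> list:
    """Sorted list of attack stages for which at least one rule fired."""
    return sorted({STAGE[rule] for rule in findings})


# Constructed sample telemetry for this example (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe" patch.ahk'},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'msedge.exe --headless --load-extension="C:\Users\alice\AppData\Roaming\belt"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn Updater /tr "C:\Users\alice\AppData\Roaming\run.lnk" /sc onlogon'},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Roaming\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save hklm\sam C:\Users\Public\sam.hiv"},
    {"EventID": 1, "Image": r"C:\Tools\FTK Imager.exe", "CommandLine": r'"C:\Tools\FTK Imager.exe"'},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for rule, idx in found.items():
        print(f"{rule:36s} events {idx}")
    print("stages:", stages_seen(found))
```

Each rule on its own is noisy on a real estate (administrators create scheduled tasks, security products touch LSASS), which is why `stages_seen` is the useful output: one host showing execution, persistence and credential-access signals in a short window matches the chain the article describes far better than any single hit.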

Snow Malware Can Steal Data and Control Systems

The Snow malware suite supports remote shell access, file download and management, screenshot capture, data exfiltration, and self-termination on command.

Mandiant’s report also includes Indicators of Compromise and YARA rules to help detect the Snow malware suite.

In other cybersecurity news, CISA has ordered an emergency patch for the BlueHammer zero-day exploit.

Via BleepingComputer
