"This serves two functions: it reinforces the user's belief that the system is legitimate and performs real-time validation, and it ensures that the attacker captures the password twice, significantly reducing the risk of a typo in the stolen data," the Google Threat Intelligence Group (GTIG) wrote.
How the attack begins: Teams, email spam and a fake helpdesk
GTIG says the campaign began in late December 2025 with a "large email campaign" that flooded targeted organisations with message volume. The overload was followed by direct contact inside Microsoft Teams: an individual posing as helpdesk personnel reached out to offer assistance with the supposed spam problem. The purported fix was a link to a "local patch" and a landing page pretending to be a "Mailbox Repair Utility" with a visible "Health Check" button.
The credential trap and staged download
When the victim clicked the Health Check, GTIG reports, the page prompted authentication using the user's email and password and then sent those credentials and associated metadata to an attacker-controlled Amazon S3 bucket. The credential-harvest script employed the quoted "double-entry" trick to reject the first and second password attempts as incorrect — deliberately capturing the password twice. While the user watched a fake mailbox integrity check, files simultaneously downloaded to the machine. "By the time the user receives a 'Configuration completed successfully' message, the attacker has secured the credentials and potentially established a persistent foothold on the endpoint using these staged files," the Googlers wrote.
Snow: a modular malware ecosystem
GTIG attributes the campaign to a group it tracks as UNC6692 and describes a custom malware suite nicknamed Snow that unfolds in stages. The initial staged download contains an AutoHotKey binary and script that runs reconnaissance and installs a malicious Chromium browser extension called SnowBelt (delivered only via social engineering, not the Chrome Web Store).
Snow is described as having three primary components.

SnowBelt, a JavaScript backdoor delivered as a Chromium extension, provides the initial foothold and persistence through the browser's extension registration system, often hiding under names such as "MS Heartbeat" or "System Heartbeat."

SnowGlaze is a Python-based tunneler that runs on Windows and Linux and establishes an authenticated WebSocket tunnel between the victim's internal network and the attackers' command-and-control infrastructure (GTIG cites examples such as a Heroku subdomain). SnowGlaze wraps data in JSON and Base64 and sends it over WebSockets to blend with legitimate encrypted web traffic.

SnowBasin is a Python bindshell that runs as a local HTTP server, typically listening on port 8000, providing interactive command execution, screenshot capture, and data staging for exfiltration. As GTIG put it, "This component is where active reconnaissance and mission completion occur."
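Because SnowBelt reaches the browser by social engineering rather than the Chrome Web Store, the extension inventory in a Chromium profile is one place a defender can look for it. The following Python is an added illustration, not code from GTIG's report or from this article: it audits the extension entries of a Chromium Preferences file and flags anything marked as not from the Web Store, loaded unpacked, or named like the aliases GTIG lists. The Preferences sample is constructed. The field names `from_webstore`, `location` and `manifest.name` are those Chromium writes under `extensions.settings` in the profile's Preferences / Secure Preferences file, and the `location` codes are taken from Chromium's Manifest::Location enum as I know it; verify both against the browser build you are investigating.

```python
import json
import re

# Chromium Manifest::Location values (extensions/common/manifest.h). Assumption:
# these codes are stable across the builds you audit; check before relying on them.
LOCATION_UNPACKED = 4           # "Load unpacked" / --load-extension
LOCATION_COMPONENT = 5          # built into the browser, never from a store
LOCATION_EXTERNAL_COMPONENT = 10
BUILTIN_LOCATIONS = {LOCATION_COMPONENT, LOCATION_EXTERNAL_COMPONENT}

# Aliases GTIG reports for SnowBelt ("MS Heartbeat", "System Heartbeat").
SUSPICIOUS_NAME_PATTERNS = [re.compile(r"\bheartbeat\b", re.I)]


def audit_extensions(prefs_json: str) -> list[dict]:
    """Return one finding per extension that is off-store, unpacked, or suspiciously named.

    Built-in component extensions are skipped: they are legitimately not from the
    Web Store and would otherwise drown the real findings in noise.
    """
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        location = entry.get("location")
        if location in BUILTIN_LOCATIONS:
            continue
        name = entry.get("manifest", {}).get("name", "<unnamed>")
        reasons = []
        # from_webstore is an explicit bool in real profiles; an absent key is
        # treated as unknown rather than as a finding.
        if entry.get("from_webstore") is False:
            reasons.append("not installed from Chrome Web Store")
        if location == LOCATION_UNPACKED:
            reasons.append("loaded unpacked (sideloaded)")
        if any(p.search(name) for p in SUSPICIOUS_NAME_PATTERNS):
            reasons.append("name matches a reported SnowBelt alias")
        if reasons:
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


# Constructed sample: one store-installed extension, one component extension,
# and one sideloaded extension using an alias from the GTIG write-up. The
# extension ids are placeholders, not real ids.
SAMPLE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True, "location": 1,
                "manifest": {"name": "Example Ad Blocker", "version": "1.2.3"},
            },
            "cccccccccccccccccccccccccccccccc": {
                "from_webstore": False, "location": LOCATION_COMPONENT,
                "manifest": {"name": "Example Built-in Component", "version": "1.0"},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False, "location": LOCATION_UNPACKED,
                "manifest": {"name": "MS Heartbeat", "version": "1.0"},
            },
        }
    }
})


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFS):
        print(f"{finding['id']}  {finding['name']!r}: " + "; ".join(finding["reasons"]))
```

On a live host, read the profile's Preferences file (and Secure Preferences on Windows, where Chromium stores the extension settings) and pass its contents to `audit_extensions`; an enterprise policy that pins the allowed extension list makes any finding here actionable rather than merely interesting.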
How active control and exfiltration work
GTIG outlines how the pieces work together: attacker commands (for example, whoami or net user) travel through the SnowGlaze tunnel, are intercepted by the SnowBelt extension in the browser, then proxied to the SnowBasin local server by HTTP POST requests. SnowBasin executes the commands and relays results back the same way, enabling interactive access and data staging for exfiltration. The group also uses a ZIP archive in the staged files that contains a portable Python executable and libraries, supporting the Python-based components.
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: GTIG's analysis highlights a multi-stage chain that leverages legitimate collaboration tools (Microsoft Teams) and browser extension persistence. Defenders will want to instrument detection around unusual extension installations, WebSocket tunnels to atypical subdomains, and outbound traffic patterns that wrap payloads in JSON/Base64.
- Affected enterprises and procurement leaders: the campaign used attacker-controlled cloud services (Amazon S3 for harvested credentials, Heroku subdomains for C2) and social-engineering delivery rather than public extension stores. Procurement and vendor-risk processes should account for abuse of third-party cloud infrastructure and the possibility of off-store extension deployment.
- End users and helpdesk staff: the social-engineering vector hinges on convincing, timely outreach inside an enterprise collaboration tool. The double-entry password trick and a plausible-looking utility page kept victims engaged long enough for downloads to complete; users should treat unsolicited helpdesk messages that request local installs or direct authentication with particular suspicion.
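The detection guidance above points at a concrete traffic property: SnowGlaze wraps its messages in JSON and then Base64 before sending them over a WebSocket to infrastructure the organisation has no business talking to. The Python below is an added example, not code from GTIG or from this article, showing that heuristic run over a handful of constructed WebSocket text frames: a frame is flagged when its destination is outside an approved list of WebSocket hosts and its payload decodes, strictly, as Base64 containing a JSON object. The hostnames, the approved list and every payload are constructed for the example; in a real deployment the frames would come from a TLS-inspecting proxy or endpoint telemetry.

```python
import base64
import binascii
import json
from dataclasses import dataclass


@dataclass
class WsFrame:
    """One WebSocket text frame as an inspecting proxy would record it."""
    host: str      # destination host of the WebSocket connection
    payload: str   # frame text


def decode_base64_json(payload: str):
    """Return the JSON object hidden in a Base64-wrapped payload, or None.

    validate=True rejects anything with characters outside the Base64 alphabet,
    so plain JSON ("{...}") and ordinary chat text fall out here rather than
    producing garbage that happens to parse.
    """
    try:
        raw = base64.b64decode(payload, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def flag_suspect_tunnels(frames, approved_ws_hosts):
    """Flag frames to non-approved hosts whose payload is Base64-wrapped JSON.

    Returns the destination host and the decoded message's keys (not its values)
    so an analyst can triage without the finding itself carrying stolen data.
    """
    findings = []
    for frame in frames:
        if frame.host in approved_ws_hosts:
            continue
        decoded = decode_base64_json(frame.payload)
        if decoded is not None:
            findings.append({"host": frame.host, "keys": sorted(decoded.keys())})
    return findings


# Constructed sample. GTIG cites a Heroku subdomain as C2; the hosts here are
# placeholders and the "command" payload mirrors the whoami example in the report.
APPROVED_WS_HOSTS = {"chat.example-corp.internal", "notify.example-corp.internal"}

SAMPLE_FRAMES = [
    # Legitimate internal chat traffic on an approved host: ignored outright.
    WsFrame("chat.example-corp.internal", "hello from the support channel"),
    # Base64, but the content is not JSON ("Hello"): not flagged.
    WsFrame("cdn-updates.example.net", "SGVsbG8="),
    # Plain JSON with no Base64 wrapping: not flagged by this heuristic.
    WsFrame("api.example.org", '{"event": "ping"}'),
    # Base64-wrapped JSON object to an unapproved host: flagged.
    WsFrame(
        "constructed-tunnel.example-paas.net",
        base64.b64encode(json.dumps({"cmd": "whoami", "seq": 1}).encode()).decode(),
    ),
]


if __name__ == "__main__":
    for finding in flag_suspect_tunnels(SAMPLE_FRAMES, APPROVED_WS_HOSTS):
        print(f"suspect tunnel to {finding['host']}: JSON keys {finding['keys']}")
```

The allowlist does the heavy lifting: Base64-wrapped JSON is a common enough pattern in legitimate web applications that the payload check alone would be noisy, but combined with "a WebSocket to a host nobody approved" it narrows quickly to the handful of connections worth a look.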
GTIG also told The Register there is no overlap between UNC6692 and crime groups such as ShinyHunters or Scattered Lapsus$ Hunters despite similar social-engineering tactics; Microsoft had separately warned about criminals abusing Microsoft Teams for helpdesk impersonation. The combined message is concrete: attackers are pairing age-old social engineering with bespoke, modular tooling and cloud-hosted infrastructure to establish persistent access and siphon credentials and data.
The observable facts in GTIG's write-up — the December 2025 mass-mailing, Teams-based impersonation, the double-capture credential script, staged AutoHotKey payloads, and the SnowBelt/SnowGlaze/SnowBasin chain — show a campaign designed to move from plausible helpdesk contact to long-term control inside a network. Whether detection and defensive controls will keep pace with this blend of human deception and modular malware remains the immediate operational question.