"In late December 2025, UNC6692 conducted a large email campaign designed to overwhelm the target with messages, creating a sense of urgency and distraction." — Google Threat Intelligence Group (GTIG)
The initial lure: Microsoft Teams and an S3-hosted "Mailbox Repair Utility"
GTIG traced UNC6692’s entry to a social-engineering sequence that began with the late-December 2025 email blast and continued with a targeted Microsoft Teams message from an account posing as helpdesk staff. The Teams message carried a link to an Amazon S3-hosted page (https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=<redacted>.com) that advertised a "Microsoft Spam Filter Updates" local patch and presented a polished "Mailbox Repair and Sync Utility v2.1.5." The landing page enforced environment checks, requiring a ?email= parameter (which also pre-identifies the target) and steering victims out of other browsers into Microsoft Edge via the microsoft-edge: URI scheme, and then walked the victim through a staged "Health Check" workflow that harvested credentials.
Credential harvesting: the double-entry trick and staged exfiltration to S3
The phishing page implemented a deliberate psychological play: the credential modal was programmed to reject the victim’s initial password entries as incorrect, forcing a retype and so capturing the password more than once, a cheap way for the attacker to weed out typos before using the credential. Captured credentials and associated metadata were uploaded directly to attacker-controlled Amazon S3 URLs via asynchronous PUT requests from the victim’s browser. While the buckets GTIG observed have since been taken down, GTIG lists additional malicious S3 hostnames used during the campaign as indicators of compromise.
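As an added illustration (not code from GTIG or from the original page), the following Python scans constructed proxy log lines for the two network behaviours described above: a browser fetching an S3-hosted HTML page whose query string carries an email address, and a browser issuing PUT requests straight to an S3 object URL. The log format, bucket names and object keys are invented for the example; only the hostname shape mirrors the one quoted above.

```python
import re
import shlex
from urllib.parse import parse_qs, urlsplit

# Virtual-hosted-style S3 hostnames: <bucket>.s3.amazonaws.com,
# <bucket>.s3.<region>.amazonaws.com, <bucket>.s3-<region>.amazonaws.com,
# <bucket>.s3.dualstack.<region>.amazonaws.com
S3_HOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com$", re.I
)
# Crude browser fingerprint; SDK/CLI clients (aws-cli, boto) do not send these tokens.
BROWSER_UA_RE = re.compile(r"Mozilla/|Chrome/|Edg/", re.I)


def s3_bucket(host):
    """Return the bucket name if host is an S3 virtual-hosted endpoint, else None."""
    m = S3_HOST_RE.match(host or "")
    return m.group("bucket") if m else None


def classify(method, url, user_agent):
    """Return a list of finding strings for one request (empty when nothing matches)."""
    parts = urlsplit(url)
    bucket = s3_bucket(parts.hostname)
    if not bucket:
        return []
    findings = []
    method = method.upper()
    # Lure page: an HTML object on S3 whose query string names the target mailbox.
    if method == "GET" and parts.path.lower().endswith(".html"):
        emails = [v for v in parse_qs(parts.query).get("email", []) if "@" in v]
        if emails:
            findings.append(f"s3-lure-page bucket={bucket} path={parts.path} email={emails[0]}")
    # Exfil: a browser, not an SDK, writing objects straight into a bucket.
    if method == "PUT" and BROWSER_UA_RE.search(user_agent):
        findings.append(f"browser-put-to-s3 bucket={bucket} key={parts.path}")
    return findings


def scan(log_text):
    """Run classify() over proxy log lines shaped '<ts> <src> <method> <url> "<user-agent>"'."""
    results = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        _ts, _src, method, url, ua = shlex.split(line)
        for finding in classify(method, url, ua):
            results.append((lineno, finding))
    return results


# Constructed sample log (invented bucket names, keys and clients). Line 1 is the lure
# fetch, line 2 the browser-side upload; lines 3 and 4 are benign look-alikes.
SAMPLE_LOG = """\
2025-12-29T10:14:03Z 10.0.0.12 GET https://service-page-00000-00000-outlook.s3.us-west-2.amazonaws.com/update.html?email=jdoe@example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/131.0"
2025-12-29T10:14:41Z 10.0.0.12 PUT https://service-page-00000-00000-outlook.s3.us-west-2.amazonaws.com/c/jdoe.json "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/131.0"
2025-12-29T10:15:02Z 10.0.0.44 GET https://docs.example.com/index.html?email=me@example.com "Mozilla/5.0 Chrome/130.0"
2025-12-29T10:15:30Z 10.0.0.51 PUT https://backup-app-prod.s3.amazonaws.com/uploads/report.pdf "aws-sdk-python/1.34"
"""

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

Direct browser PUTs to S3 are also how legitimate web applications upload through presigned URLs, so in production pair the second rule with an allowlist of the organisation’s own buckets and alert on the combination of both signals from the same client within a short window.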
SNOWBELT: a persistent Chromium extension with cloud-based C2
After the initial interaction, the victim’s browser downloaded a renamed AutoHotkey binary together with an AutoHotkey script of the same base name; because the interpreter automatically runs a script that shares its own filename, launching the binary executed the script, which in turn led to SNOWBELT, a malicious Chromium extension. SNOWBELT is a JavaScript backdoor implemented as an extension service worker (background.js). Chromium terminates idle extension service workers after a short timeout, so SNOWBELT keeps itself resident with periodic Service Worker Alarms and Keep-Alive Tab Injection. It derives its S3-based C2 hostnames from a time-based DGA (seed: 691f7258f212fa8908a8bf06bcf9e027d2177276e13e10ff56bd434ff3755cc4) and registers with the browser Push Notification service using a hard-coded VAPID public key (BJkWCT45mL0uvV3AssRaq9Gn7iE2N7Lx38ZmWDFCjwhz0zv0QSVhKuZBLTTgAijB12cgzMzqyiJZr5tokRzSJu0), so the operator can also reach it through push messages. SNOWBELT relays commands to a local backdoor and uses native-host bridging and protocol-handler abuse to reach outside the browser sandbox.
SNOWGLAZE and SNOWBASIN: tunneling, local bindshells, and modular orchestration
GTIG describes the campaign’s modular "SNOW" ecosystem. SNOWGLAZE is a Python-based tunneler that authenticates to a static WebSocket C2 (wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws), wraps data in JSON and Base64, and facilitates SOCKS proxying so arbitrary TCP traffic can be routed through the infected host. SNOWBASIN is a Python bindshell running as a local HTTP server (typically on port 8000) that executes commands (via cmd.exe or powershell.exe), captures screenshots, stages files, and ingests or exfiltrates data. SNOWBELT provides the "eyes" and proxying, SNOWGLAZE provides the external tunnel, and SNOWBASIN provides interactive control and data staging.
Internal reconnaissance, credential theft, and data exfiltration
Telemetry captured a sequence that ran from port scans of 135, 445, and 3389 to the use of Sysinternals PsExec over the SNOWGLAZE tunnel for lateral movement. An attacker-initiated RDP session to a backup server followed. On the backup server, operators used Task Manager’s built-in "Create dump file" option to dump LSASS process memory, and GTIG reports the resulting dump was exfiltrated via LimeWire for offline credential extraction. With the harvested NTLM hashes, UNC6692 performed pass-the-hash to reach domain controllers, downloaded and executed FTK Imager (a raw-disk imaging tool that can read NTDS.dit and the registry hives even while the operating system holds them locked), and wrote NTDS.dit and the SAM, SYSTEM, and SECURITY hives to the Domain Administrator’s Downloads folder before exfiltrating those files via LimeWire. EDR telemetry also recorded targeted screen captures of Microsoft Edge and FTK Imager windows on the domain controllers.
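The SNOWGLAZE/SNOWBASIN behaviour described two sections up and the lateral-movement chain just described both leave process, file and network events on the endpoint. The Python below, an added example and not GTIG’s detection content, runs a small rule set over constructed Sysmon-style events (process create, network connect, file create) and flags each stage: a Python process tunnelling over TLS to a Heroku hostname, a Python process spawning a shell, PsExec’s service binary appearing, Task Manager writing an LSASS dump, FTK Imager executing, NTDS.dit or registry hives landing in a Downloads folder, and one process touching many hosts on 135/445/3389. The event field names, hostnames, paths and the scan threshold are assumptions for the example; map them to your own telemetry schema.

```python
import ntpath
from collections import defaultdict

PYTHON = {"python.exe", "pythonw.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
HIVES = {"ntds.dit", "sam", "system", "security"}
SCAN_PORTS = {135, 445, 3389}


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def detect(events, scan_threshold=5):
    """Return (rule, host, detail) tuples. Events are dicts with Sysmon-like fields:
    eid 1 = process create, eid 3 = network connect, eid 11 = file create."""
    hits = []
    scan_targets = defaultdict(set)          # (host, image) -> distinct destination IPs
    for e in events:
        eid, host = e["eid"], e["host"]
        if eid == 1:
            image, parent = base(e["image"]), base(e.get("parent_image"))
            # SNOWBASIN-style local bindshell: a Python process is the parent of a shell.
            if parent in PYTHON and image in SHELLS:
                hits.append(("python-spawns-shell", host, e.get("cmdline", "")))
            # PsExec drops and starts its service binary on the remote host.
            if image == "psexesvc.exe":
                hits.append(("psexec-service", host, e["image"]))
            # A forensic imager has no routine business on servers, least of all a DC.
            if image == "ftk imager.exe":
                hits.append(("forensic-imager-exec", host, e["image"]))
        elif eid == 11:
            image, target = base(e["image"]), e["target"]
            tname = base(target)
            # Task Manager's "Create dump file" writes lsass.DMP into the user's temp dir.
            if image == "taskmgr.exe" and tname.startswith("lsass") and tname.endswith(".dmp"):
                hits.append(("lsass-dump-taskmgr", host, target))
            if tname in HIVES and "\\downloads\\" in target.lower():
                hits.append(("hive-staged-in-downloads", host, target))
        elif eid == 3:
            image = base(e["image"])
            # SNOWGLAZE-style tunnel: Python speaking TLS to a Heroku app hostname.
            if (image in PYTHON and e["dest_port"] == 443
                    and e.get("dest_host", "").lower().endswith(".herokuapp.com")):
                hits.append(("python-to-heroku-443", host, e["dest_host"]))
            if e["dest_port"] in SCAN_PORTS:
                scan_targets[(host, image)].add(e["dest_ip"])
    for (host, image), ips in scan_targets.items():
        if len(ips) >= scan_threshold:
            hits.append(("internal-port-scan", host,
                         f"{image} touched {len(ips)} hosts on 135/445/3389"))
    return hits


# Constructed events following the intrusion's sequence (hostnames, paths and IPs invented).
PY = r"C:\Users\jdoe\AppData\Local\Programs\Python\Python311\python.exe"
SAMPLE_EVENTS = [
    {"eid": 3, "host": "WS01", "image": PY, "dest_ip": "54.0.0.1", "dest_port": 443,
     "dest_host": "app-00000000.herokuapp.com"},
    {"eid": 1, "host": "WS01", "image": r"C:\Windows\System32\cmd.exe", "parent_image": PY,
     "cmdline": "cmd.exe /c whoami"},
] + [
    {"eid": 3, "host": "WS01", "image": PY, "dest_ip": f"10.0.1.{n}", "dest_port": 445}
    for n in range(10, 16)
] + [
    {"eid": 1, "host": "BACKUP01", "image": r"C:\Windows\PSEXESVC.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "PSEXESVC.exe"},
    {"eid": 11, "host": "BACKUP01", "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\adm\AppData\Local\Temp\lsass.DMP"},
    {"eid": 1, "host": "DC01", "image": r"C:\Users\Administrator\Downloads\FTK Imager.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": '"FTK Imager.exe"'},
    {"eid": 11, "host": "DC01", "image": r"C:\Users\Administrator\Downloads\FTK Imager.exe",
     "target": r"C:\Users\Administrator\Downloads\ntds.dit"},
    {"eid": 11, "host": "DC01", "image": r"C:\Users\Administrator\Downloads\FTK Imager.exe",
     "target": r"C:\Users\Administrator\Downloads\SYSTEM"},
    # Benign noise that must not fire: an interactive shell and a normal download.
    {"eid": 1, "host": "WS02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    {"eid": 11, "host": "WS02", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\jdoe\Downloads\setup.exe"},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{host:9} {rule:26} {detail}")
```

Each rule is noisy on its own (administrators do run PsExec, and developers do spawn shells from Python); the value comes from correlating them per host and in order, which is why detect() reports the host with every hit.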
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: GTIG emphasizes correlating browser telemetry, local Python processes, scheduled tasks, and cloud egress. Hunt for scheduled tasks that launch headless Edge with --load-extension paths, AutoHotkey binaries and same-named scripts executed from Startup folders, and persistent service-worker-based extensions in Edge extension directories (e.g., Extension Data\SysEvents\background.js).
- Affected enterprises and procurement leaders: the campaign demonstrates "living off the cloud"; the attackers used reputable cloud storage and platform services for payload delivery, C2, and exfiltration. Monitor browser-originated PUT activity to S3 buckets outside your own accounts, block the malicious S3 hostnames listed in GTIG’s indicators, and treat WebSocket connections from non-browser processes to unexpected Heroku subdomains as high risk.
- End users and support staff: UNC6692 relied on Teams-based social engineering and a convincing "Mailbox Repair" UI. Be wary of external Teams invites offering urgent help, of pages that insist on a particular browser, and of prompts that ask for the same password more than once.
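Two of the hunting leads in the first bullet, scheduled tasks that start headless Edge with --load-extension and AutoHotkey interpreter/script pairs in a Startup folder, can be checked mechanically. The Python below is an added example (not GTIG’s or the page’s code): it parses constructed scheduled-task command lines for the Edge flags and looks for <name>.exe/<name>.ahk pairs in a directory, building a throwaway Startup folder with placeholder files to run against. The task names, paths and the --no-first-run flag in the sample are assumptions for the example; the extension path merely reuses the directory name the write-up cites.

```python
import os
import re
import tempfile
from collections import defaultdict

LOAD_EXT_RE = re.compile(r'--load-extension=("[^"]*"|\S+)')
HEADLESS_RE = re.compile(r"--headless(?:=\S+)?(?=\s|$)")


def parse_edge_cmdline(cmd):
    """Pull the persistence-relevant flags out of an msedge.exe command line."""
    m = LOAD_EXT_RE.search(cmd)
    # --load-extension takes a comma-separated list of directories, optionally quoted.
    exts = [p for p in m.group(1).strip('"').split(",") if p] if m else []
    return {"headless": bool(HEADLESS_RE.search(cmd)), "extensions": exts}


def suspicious_edge_tasks(tasks):
    """tasks: dicts with 'name' and 'command' (the task action). Flags any task that
    launches msedge.exe with --load-extension; a headless launch is the stronger signal."""
    out = []
    for t in tasks:
        if "msedge.exe" not in t["command"].lower():
            continue
        info = parse_edge_cmdline(t["command"])
        if info["extensions"]:
            out.append({"task": t["name"], **info})
    return out


def ahk_pairs(folder):
    """Return (exe, ahk) filename pairs sharing a stem. AutoHotkey runs <name>.ahk when
    its interpreter has been renamed to <name>.exe, which is how the loader above worked."""
    by_stem = defaultdict(dict)
    for name in os.listdir(folder):
        stem, ext = os.path.splitext(name)
        if ext.lower() in (".exe", ".ahk"):
            by_stem[stem.lower()][ext.lower()] = name
    return [(d[".exe"], d[".ahk"]) for _stem, d in sorted(by_stem.items())
            if ".exe" in d and ".ahk" in d]


# Constructed task list: one sideloading task and two ordinary ones.
SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\SysEvents",
     "command": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new '
                r'--load-extension="C:\Users\jdoe\AppData\Local\Microsoft\Edge\User Data\Default\Extension Data\SysEvents" --no-first-run'},
    {"name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "command": r"C:\Windows\System32\usoclient.exe StartScan"},
    {"name": r"\EdgeUpdate",
     "command": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
]


def demo():
    """Create a throwaway Startup folder with placeholder files and run both checks."""
    startup = tempfile.mkdtemp(prefix="startup-")
    for name in ("SysEvents.exe", "SysEvents.ahk", "notes.txt"):
        with open(os.path.join(startup, name), "w", encoding="utf-8") as fh:
            fh.write("constructed placeholder\n")
    return {"tasks": suspicious_edge_tasks(SAMPLE_TASKS), "ahk_pairs": ahk_pairs(startup)}


if __name__ == "__main__":
    print(demo())
```

On a live host, feed suspicious_edge_tasks() the action strings from schtasks /query /fo CSV /v (or the Task Scheduler XML) and run ahk_pairs() over both the per-user and the all-users Startup folders; any directory returned by parse_edge_cmdline() is a candidate for the extension triage described earlier.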
GTIG concludes this intrusion illustrates a coordinated blend of social engineering, browser-based persistence, cloud-hosted C2, and modular tooling. Indicators of compromise and YARA signatures are available in GTIG’s shared collection to support detection and response.
https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware/