Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite

    Date: 04/24/2026

    Severity: High

    Summary

    UNC6692 conducted a multi-stage intrusion campaign built on persistent social engineering: the actor impersonated IT helpdesk staff over Microsoft Teams to persuade victims to install a fake fix for email issues. The "fix" delivered AutoHotkey-based loaders that executed follow-on scripts and deployed a malicious browser extension (SNOWBELT) for persistence and command and control. SNOWBELT in turn enabled the download of additional tools such as SNOWGLAZE and SNOWBASIN, giving the actor deeper network access and reconnaissance capability. The campaign combines social engineering, abuse of a trusted collaboration platform, and custom modular malware to achieve stealthy and sustained compromise.

    Indicators of Compromise (IOC) List

    Domains/URLs

    service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com

    cloudfront-021.s3.us-west-2.amazonaws.com

    wss://sad4w7h913-b4a57f9c36eb.herokuapp.com/ws

    service-page-11369-28315-outlook.s3.us-west-2.amazonaws.com

    Hash

    2fa987b9ed6ec6d09c7451abd994249dfaba1c5a7da1c22b8407c461e62f7e49

    c8940de8cb917abe158a826a1d08f1083af517351d01642e6c7f324d0bba1eb8

    7f1d71e1e079f3244a69205588d504ed830d4c473747bb1b5c520634cc5a2477

    ca390b86793922555c84abc3b34406da2899382c617f9dcf83a74ac09dd18190

    6e6dab993f99505646051d2772701e3c4740096ff9be63c92713bcb7fcddf9f7

    de200b79ad2bd9db37baeba5e4d183498d450494c71c8929433681e848c3807f

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "service-page-11369-28315-outlook.s3.us-west-2.amazonaws.com"
    or url like "service-page-11369-28315-outlook.s3.us-west-2.amazonaws.com"
    or siteurl like "service-page-11369-28315-outlook.s3.us-west-2.amazonaws.com"
    or domainname like "cloudfront-021.s3.us-west-2.amazonaws.com"
    or url like "cloudfront-021.s3.us-west-2.amazonaws.com"
    or siteurl like "cloudfront-021.s3.us-west-2.amazonaws.com"
    or domainname like "service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com"
    or url like "service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com"
    or siteurl like "service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com"
    or domainname like "sad4w7h913-b4a57f9c36eb.herokuapp.com"
    or siteurl like "wss://sad4w7h913-b4a57f9c36eb.herokuapp.com/ws"
    or url like "wss://sad4w7h913-b4a57f9c36eb.herokuapp.com/ws"

    Detection Query 2:

    sha256hash IN (
    "c8940de8cb917abe158a826a1d08f1083af517351d01642e6c7f324d0bba1eb8",
    "2fa987b9ed6ec6d09c7451abd994249dfaba1c5a7da1c22b8407c461e62f7e49",
    "7f1d71e1e079f3244a69205588d504ed830d4c473747bb1b5c520634cc5a2477",
    "ca390b86793922555c84abc3b34406da2899382c617f9dcf83a74ac09dd18190",
    "6e6dab993f99505646051d2772701e3c4740096ff9be63c92713bcb7fcddf9f7",
    "de200b79ad2bd9db37baeba5e4d183498d450494c71c8929433681e848c3807f"
    )
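To show how the two detection queries above behave on telemetry, here is an added Python example (not Gurucul's or the advisory's code) that normalises each URL or domain field to its host before matching, so the wss:// endpoint is caught whether a field holds the full URL or only the hostname. The event dicts, the use of the query field names (domainname, url, siteurl, sha256hash) as keys, and the benign outlook.office.com event are constructed assumptions; the indicators are the advisory's own.

```python
from urllib.parse import urlsplit

# Hosts from the advisory's IOC list. The wss:// endpoint is reduced to its host so a
# domainname field, which never carries a scheme or path, can still match it.
IOC_HOSTS = {
    "service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com",
    "cloudfront-021.s3.us-west-2.amazonaws.com",
    "sad4w7h913-b4a57f9c36eb.herokuapp.com",
    "service-page-11369-28315-outlook.s3.us-west-2.amazonaws.com",
}
IOC_SHA256 = {
    "2fa987b9ed6ec6d09c7451abd994249dfaba1c5a7da1c22b8407c461e62f7e49",
    "c8940de8cb917abe158a826a1d08f1083af517351d01642e6c7f324d0bba1eb8",
    "7f1d71e1e079f3244a69205588d504ed830d4c473747bb1b5c520634cc5a2477",
    "ca390b86793922555c84abc3b34406da2899382c617f9dcf83a74ac09dd18190",
    "6e6dab993f99505646051d2772701e3c4740096ff9be63c92713bcb7fcddf9f7",
    "de200b79ad2bd9db37baeba5e4d183498d450494c71c8929433681e848c3807f",
}

def host_of(value):
    """Hostname of a URL or bare domain, lower-cased; None when there is none."""
    if "://" not in value:  # bare domain: prefix '//' so urlsplit treats it as netloc
        value = "//" + value
    return (urlsplit(value).hostname or "").lower() or None

def match_ioc(event):
    """Return (field, indicator) pairs for every advisory IOC this event touches."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        host = host_of(event.get(field, ""))
        if host in IOC_HOSTS:
            hits.append((field, host))
    digest = event.get("sha256hash", "").lower()  # hashes may be logged upper-case
    if digest in IOC_SHA256:
        hits.append(("sha256hash", digest))
    return hits

# Constructed sample events (not real telemetry), keyed by the field names the queries use.
SAMPLE_EVENTS = [
    {"url": "https://service-page-11369-28315-outlook.s3.us-west-2.amazonaws.com/fix.html"},
    {"domainname": "sad4w7h913-b4a57f9c36eb.herokuapp.com",
     "url": "wss://sad4w7h913-b4a57f9c36eb.herokuapp.com/ws"},
    {"domainname": "outlook.office.com", "url": "https://outlook.office.com/mail/"},
    {"sha256hash": "2FA987B9ED6EC6D09C7451ABD994249DFABA1C5A7DA1C22B8407C461E62F7E49"},
]

def scan(events):
    """Index of every event that hits at least one IOC, paired with its hits."""
    return [(i, match_ioc(e)) for i, e in enumerate(events) if match_ioc(e)]
```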

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware/


    Tags

    Malware, Threat Actor, Social Engineering, Microsoft, Stealer
