thehackernews.com 4/23/2026, 6:31:55 PM

UNC6692 Leverages Teams Impersonation to Deploy Custom Malware

Threat Actor: UNC6692

UNC6692 has been observed using social engineering via Microsoft Teams to deploy a custom malware suite on compromised hosts, with attackers impersonating IT helpdesk staff to lure victims into accepting a Teams chat invitation. According to Mandiant, the group's phishing chain begins with a spam-heavy inbox flood, followed by a Teams-based impersonation in which the attacker offers assistance with the spam problem.

The threat actor’s delivery chain uses a phishing page named “Mailbox Repair and Sync Utility v2.1.5,” which leads to the download of an AutoHotkey script from a threat actor‑controlled AWS S3 bucket and installs SNOWBELT, a modular backdoor that in turn drops SNOWGLAZE, SNOWBASIN, and other payloads, including a ZIP containing a portable Python executable and libraries.

The attackers aim to trick victims into installing legitimate remote‑monitoring tools such as Quick Assist or Supremo Remote Desktop to enable hands‑on access and data exfiltration, with further post‑exploitation actions including lateral movement and credential harvesting. ReliaQuest researchers John Dilgen and Alexa Feminella noted that from March 1 to April 1, 2026, 77% of observed incidents targeted senior‑level employees, up from 59% in the first two months of 2026, illustrating a focus on elite targets.

The report also highlights that this combination of inbox bombardment and Microsoft Teams impersonation mirrors tactics used by former Black Basta affiliates, illustrating evolving abuse of trusted channels for initial access and persistence.

Article by CyberSIXT
