The report, authored by Mandiant, details a sophisticated multistage intrusion campaign by the threat group UNC6692. The campaign relied heavily on social engineering, including impersonation of IT helpdesk employees, combined with a complex custom malware suite for network penetration. The initial access vector was a phishing email campaign that created a sense of urgency and led victims to download malware via a link presented as a Microsoft Teams chat invitation.
The malware consists of three components: SNOWBELT, a browser extension; SNOWGLAZE, a Python tunneler; and SNOWBASIN, a Python backdoor. Together they enabled the actors to maintain persistence, exfiltrate credentials, and escalate privileges within the network. The analysis underlines the ongoing evolution of such attacks, showing how social engineering is blended with the abuse of legitimate cloud services to evade detection, and emphasizes the need for heightened cybersecurity measures.