According to Google Threat Intelligence Group (GTIG), a recently discovered threat actor tracked as UNC6692 bombarded victims with emails and impersonated IT support to convince them to run malicious code, with activity observed in December 2025. The campaign delivered the Snow malware family (Snowbelt, Snowglaze and Snowbasin) through a browser-based chain that began when victims clicked a phishing link and were taken to a fake mailbox repair page, where a fake authentication prompt harvested their credentials.
A background script then downloaded AutoHotKey binaries and scripts, culminating in a Snowbelt-based backdoor delivered as a Chromium extension. That component provided persistence and staged later components, including two scheduled tasks: one to load Snowbelt and one to kill headless Edge processes. Snowglaze established a secure WebSocket (wss) tunnel for command-and-control (C2) communication and proxying, while Snowbasin acted as a persistent local HTTP backdoor capable of command execution, screenshot capture and data harvesting.
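The scheduled-task persistence described above is something defenders can hunt for directly. The following is an added example, not code from GTIG or from the original article: it scans exported Windows Task Scheduler definitions (the XML produced by `schtasks /query /tn "<name>" /xml`) for tasks that launch AutoHotKey or that kill or launch headless Microsoft Edge. The three task definitions embedded in the script are constructed for illustration; their names, paths and arguments are assumptions and are not indicators from the GTIG report.

```python
"""Hunt exported Windows Task Scheduler XML for the two scheduled-task
behaviours described above: a task that launches AutoHotKey (binary or .ahk
script) and a task that kills Microsoft Edge processes. Export real tasks
with `schtasks /query /tn "<name>" /xml` and pass their text to scan_tasks().
The task definitions in SAMPLE_TASKS are constructed for illustration; names,
paths and arguments are assumptions, not indicators from the GTIG report."""
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML export.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Patterns applied to the combined "<Command> <Arguments>" of each <Exec> action.
AHK_RE = re.compile(r"autohotkey[^\s\"]*\.exe|\.ahk\b", re.IGNORECASE)
# taskkill / Stop-Process aimed at msedge. A task cannot single out headless
# instances by image name, so any scheduled Edge-kill is worth a look.
EDGE_KILL_RE = re.compile(r"taskkill[^|&]*msedge|stop-process[^|&]*msedge", re.IGNORECASE)
# Edge launched with --headless from a scheduled task is unusual for a real user.
EDGE_HEADLESS_RE = re.compile(r"msedge(\.exe)?[^|&]*--headless", re.IGNORECASE)


def parse_task(xml_text):
    """Return (task URI, [command lines]) for one exported task definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    cmds = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        cmds.append(f"{cmd} {args}".strip())
    return uri, cmds


def classify(cmdline):
    """Return the list of behaviour tags matched by one command line."""
    tags = []
    if AHK_RE.search(cmdline):
        tags.append("autohotkey-launch")
    if EDGE_KILL_RE.search(cmdline):
        tags.append("edge-kill")
    if EDGE_HEADLESS_RE.search(cmdline):
        tags.append("edge-headless")
    return tags


def scan_tasks(task_xmls):
    """Return one finding dict per <Exec> action that matches any pattern."""
    findings = []
    for xml_text in task_xmls:
        uri, cmds = parse_task(xml_text)
        for cmdline in cmds:
            tags = classify(cmdline)
            if tags:
                findings.append({"task": uri, "command": cmdline, "tags": tags})
    return findings


# Constructed sample exports (declaration omitted; structure matches real exports).
SAMPLE_TASKS = [
    # Benign task: should not be flagged.
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Maintenance\DiskCleanup</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>cleanmgr.exe</Command><Arguments>/autoclean</Arguments></Exec></Actions>
</Task>""",
    # Assumed loader task: AutoHotKey binary running a dropped .ahk script.
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updates\EdgeHelper</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\Libraries\AutoHotkeyU64.exe</Command><Arguments>C:\Users\Public\Libraries\update.ahk</Arguments></Exec></Actions>
</Task>""",
    # Assumed cleanup task: kills Edge processes via cmd.exe.
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updates\EdgeCleanup</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>cmd.exe</Command><Arguments>/c taskkill /F /IM msedge.exe</Arguments></Exec></Actions>
</Task>""",
]

if __name__ == "__main__":
    for f in scan_tasks(SAMPLE_TASKS):
        print(f"{f['task']}: {', '.join(f['tags'])} -> {f['command']}")
```

On a live host, collect every task with `schtasks /query /xml ONE` or walk `C:\Windows\System32\Tasks` and feed each definition to `scan_tasks()`; the AutoHotKey match is the stronger signal, since a scheduled kill of Edge on its own has benign explanations.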
GTIG notes that the campaign blended social engineering with technical evasion, hosting malicious components on trusted cloud platforms so that downloads would pass network filters, and used Snowglaze to enable PsExec-based lateral movement and credential access, including attempts to dump LSASS memory and exfiltrate data.
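The PsExec lateral movement and LSASS dumping attempts noted above leave well-known traces on Windows hosts: a Service Control Manager event 7045 in the System log when PsExec installs its default PSEXESVC service, and a Sysmon event 10 (ProcessAccess) when a process opens lsass.exe with memory-read rights. The following triage script is an added example, not code from GTIG or from the original article; it works over event records constructed inline in a simplified dict form whose field names mirror the Windows and Sysmon fields. The host name, service names, paths and the LSASS allowlist are assumptions for illustration, not indicators from the report.

```python
"""Triage constructed Windows event records for the two behaviours described
above: PsExec service installation (System log event 7045 naming PsExec's
default service, PSEXESVC) and processes opening lsass.exe with memory-read
access (Sysmon event 10). SAMPLE_EVENTS is constructed; values are illustrative
assumptions, not indicators from the GTIG report."""

# PROCESS_VM_READ is the access right needed to read LSASS memory; it is set in
# the GrantedAccess values commonly seen for dumpers (0x1010, 0x1410, 0x1FFFFF).
PROCESS_VM_READ = 0x10

# Assumed allowlist of legitimate LSASS readers (lowercase full paths); tune per environment.
LSASS_ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_psexec_service_install(ev):
    """Event 7045 whose ServiceName or ImagePath references PSEXESVC."""
    if ev.get("channel") != "System" or ev.get("event_id") != 7045:
        return False
    blob = f"{ev.get('ServiceName', '')} {ev.get('ImagePath', '')}".lower()
    return "psexesvc" in blob


def is_suspicious_lsass_access(ev):
    """Sysmon 10: a non-allowlisted process opened lsass.exe with PROCESS_VM_READ."""
    if ev.get("channel") != "Microsoft-Windows-Sysmon/Operational" or ev.get("event_id") != 10:
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)  # Sysmon logs this as a hex string
    if not granted & PROCESS_VM_READ:
        return False
    return ev.get("SourceImage", "").lower() not in LSASS_ALLOWED_SOURCES


def triage(events):
    """Return (rule, host, detail) tuples for every matching record, in input order."""
    findings = []
    for ev in events:
        if is_psexec_service_install(ev):
            findings.append(("psexec-service-install", ev["host"], ev.get("ServiceName")))
        elif is_suspicious_lsass_access(ev):
            findings.append(("lsass-memory-access", ev["host"], ev.get("SourceImage")))
    return findings


# Constructed records; host name, paths and service names are assumptions.
SAMPLE_EVENTS = [
    {"host": "WS02", "channel": "System", "event_id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS02", "channel": "System", "event_id": 7045,
     "ServiceName": "ExampleUpdaterSvc", "ImagePath": r"C:\Program Files\Example\updater.exe"},
    {"host": "WS02", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 10,
     "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"host": "WS02", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 10,
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"host": "WS02", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 10,
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for rule, host, detail in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({detail})")
```

Two caveats for production use: PsExec's `-r` switch lets an operator choose a different service name, so pair the PSEXESVC check with a rule for any 7045 whose ImagePath points into `ADMIN$` or the Windows root; and a `GrantedAccess` check on its own is noisy, so the allowlist and the Sysmon `CallTrace` field are what keep the LSASS rule usable.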