www.darkreading.com 4/27/2026, 8:28:22 PM · via preferred

UNC6692 hijacks Microsoft Teams and AWS to deploy Snowbelt malware


A new threat actor, UNC6692, is described as combining social engineering, abuse of legitimate cloud infrastructure and custom malware in a multistage campaign, according to Google Threat Intelligence Group (GTIG) and Mandiant. The campaign reportedly uses Microsoft Teams, AWS S3 buckets and a custom malware suite, including Snowbelt, Snowglaze and related components, to deliver payloads and move laterally.

The attackers allegedly flood inboxes, then contact targets via Teams while posing as help desk personnel, prompting them to click links that install a local patch and drop the Snowbelt extension to facilitate further access.

Once inside, they exploit a local administrator account to initiate RDP sessions to a backup server, extract LSASS memory, and use pass-the-hash techniques to reach the domain controller for data exfiltration. Snowglaze acts as a backdoor and coordinates tools such as Python scripts and a portable Python executable.

The blog post notes that the use of legitimate cloud services for payload delivery and C2 enables attackers to blend with normal traffic and bypass some filters, underscoring the need for visibility across browser, local Python environments, and cloud egress points for early detection. The report was published on 23 April and covered in a Dark Reading article by Alexander Culafi on 27 April 2026.


Article by CyberSIXT
