Microsoft Teams Exploited to Distribute Custom Snow Malware

A threat group tracked as UNC6692 uses social engineering to deploy a new, custom malware suite named 'Snow' which includes a browser extension, a tunneler, and


A sophisticated threat actor group designated UNC6692 has been leveraging Microsoft Teams as a delivery mechanism for a newly discovered malware toolkit called Snow. The campaign demonstrates how legitimate business communication platforms continue to be weaponized by cybercriminals to bypass traditional security defenses.

The Snow malware suite comprises three distinct components designed to establish persistent access and enable unauthorized surveillance. The toolkit includes a browser extension module, a tunneler for creating covert communication channels, and a backdoor component that grants attackers deep system access. This multi-layered approach allows threat actors to maintain long-term presence on compromised networks while evading detection.

UNC6692 employs social engineering tactics to trick users into executing the malware payload. By disguising malicious code as legitimate business communications within Microsoft Teams, the threat group exploits user trust in familiar workplace applications. This method proves particularly effective in enterprise environments where Teams usage is ubiquitous and security awareness around the platform may be lower than for email channels.

The browser extension component of Snow presents significant privacy and security risks, potentially enabling credential theft, session hijacking, and monitoring of sensitive business communications. The tunneler allows attackers to route traffic through compromised systems, effectively hiding their command and control infrastructure. The backdoor component completes the attack chain, providing remote code execution capabilities for deploying additional payloads or conducting lateral movement across networks.

The discovery underscores a broader trend of threat actors pivoting toward communication platforms as attack vectors. As organizations continue to adopt collaborative tools, the attack surface expands proportionally. Security teams are advised to implement robust email and application filtering policies, enforce multi-factor authentication, conduct regular security awareness training, and monitor Teams for suspicious activity patterns. Organizations should also review and restrict browser extension policies to prevent unauthorized installations.
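One way to put the browser-extension restriction recommended above into practice, as an added example that is not part of the article or of any vendor guidance it cites: a PowerShell script for Windows endpoints that applies the documented Chrome and Edge `ExtensionInstallBlocklist` / `ExtensionInstallAllowlist` policies under `HKLM`, denying every extension except an explicit allowlist. The registry paths are the browsers' published policy locations; the extension ID in `$ApprovedExtensionIds` is a placeholder, and the list itself is an assumption to be replaced with the IDs an organization has actually approved.

```powershell
# Added example (not from the article): enforce a browser-extension allowlist
# for Chrome and Edge through their ExtensionInstallBlocklist /
# ExtensionInstallAllowlist policies. Run from an elevated PowerShell session.
# The extension ID below is a PLACEHOLDER; replace it with the 32-character
# IDs of the extensions your organization has approved.

$ApprovedExtensionIds = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'   # PLACEHOLDER: approved extension ID
)

# Documented machine-wide policy roots for each browser.
$PolicyRoots = @{
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
}

function Set-ExtensionListPolicy {
    param(
        [Parameter(Mandatory)] [string]   $Root,
        [Parameter(Mandatory)] [string]   $ListName,
        [Parameter(Mandatory)] [string[]] $Entries
    )
    $path = Join-Path $Root $ListName
    # Recreate the list key so stale entries from a previous run do not linger.
    if (Test-Path $path) { Remove-Item -Path $path -Recurse -Force }
    New-Item -Path $path -Force | Out-Null
    # Both browsers read list policies as REG_SZ values named "1", "2", ...
    $i = 1
    foreach ($entry in $Entries) {
        New-ItemProperty -Path $path -Name "$i" -Value $entry -PropertyType String -Force | Out-Null
        $i++
    }
}

function Get-ExtensionListPolicy {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $ListName
    )
    $path = Join-Path $Root $ListName
    if (-not (Test-Path $path)) { return @() }
    $item = Get-ItemProperty -Path $path
    # Return the list values in numeric order, skipping PowerShell's PS* metadata properties.
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

foreach ($browser in $PolicyRoots.Keys) {
    $root = $PolicyRoots[$browser]
    # "*" in the blocklist denies every extension that is not explicitly allowlisted.
    Set-ExtensionListPolicy -Root $root -ListName 'ExtensionInstallBlocklist' -Entries @('*')
    Set-ExtensionListPolicy -Root $root -ListName 'ExtensionInstallAllowlist' -Entries $ApprovedExtensionIds

    # Read the policy back so the operator can confirm what was written.
    $block = (Get-ExtensionListPolicy -Root $root -ListName 'ExtensionInstallBlocklist') -join ', '
    $allow = (Get-ExtensionListPolicy -Root $root -ListName 'ExtensionInstallAllowlist') -join ', '
    Write-Host "[$browser] blocklist: $block"
    Write-Host "[$browser] allowlist: $allow"
}
```

The browsers pick the policy up on their next launch, and `chrome://policy` or `edge://policy` shows the effective values; in a domain, the same two lists are normally set through Group Policy with the vendors' ADMX templates rather than written to the registry directly, but the resulting keys are the ones this script writes.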

This campaign highlights the ongoing cat-and-mouse game between defenders and attackers, with threats continuously adapting to organizational defenses and shifting to less-monitored communication channels.

Editorial note: This article represents original analysis and commentary by the TechDailyPulse editorial team.