Particle.news

Google Details UNC6692’s Teams Impersonation Campaign Using ‘Snow’ Malware

The analysis says the group hid tools on trusted cloud services, making the scheme hard to detect.

Overview

  • Google’s Mandiant team disclosed Monday that UNC6692 ran a late‑December 2025 operation that flooded inboxes and then posed as IT on Microsoft Teams to steer workers to a fake “Mailbox Repair” page.
  • The phishing site captured passwords and then pulled down an AutoHotkey program that installed a malicious Chromium extension called Snowbelt to keep access and relay attacker commands.
  • GTIG says the Snow ecosystem linked that browser foothold to the network using Snowglaze, a Python tunneler that set up authenticated WebSocket and SOCKS connections, and Snowbasin, a backdoor that ran commands, took screenshots, and staged files.
  • Once inside, the intruders dumped passwords from a backup server’s memory, used Pass‑the‑Hash to reach domain controllers, imaged the Active Directory database and registry hives with FTK Imager, and exfiltrated the data via LimeWire.
  • Researchers warn that the attackers hosted components on reputable cloud services such as an AWS S3 bucket, and advise defenders to correlate browser, endpoint, and cloud logs to spot similar activity; the report makes no public attribution to a state actor.
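The cross-source correlation the researchers recommend, as an added illustration that is not part of the report or of this article: each stage of the chain above (phishing page visit, AutoHotkey launched by a browser, sideloaded extension, WebSocket/SOCKS tunnel to a cloud host, reads of the AD database) becomes a predicate over normalised log events, and a host is flagged only when several stages co-occur within a time window. The log lines, hostnames, URL and bucket name are constructed placeholders.

```python
import json

# Constructed sample telemetry (not from the Mandiant report): browser, endpoint and
# cloud events normalised to one JSON object per line. Hosts, URL, bucket and paths
# are placeholders; forward slashes avoid JSON escaping in the Windows path.
SAMPLE_LOGS = """\
{"ts": 100, "host": "ws-17", "src": "browser",  "event": "nav", "url": "https://mailbox-repair.example.invalid/"}
{"ts": 160, "host": "ws-17", "src": "endpoint", "event": "process", "image": "AutoHotkey.exe", "parent": "chrome.exe"}
{"ts": 200, "host": "ws-17", "src": "browser",  "event": "extension_install", "method": "sideload"}
{"ts": 260, "host": "ws-17", "src": "endpoint", "event": "net", "image": "python.exe", "proto": "websocket", "dst": "placeholder-bucket.s3.amazonaws.com"}
{"ts": 900, "host": "bk-01", "src": "endpoint", "event": "file_read", "image": "FTK Imager.exe", "path": "C:/Windows/NTDS/ntds.dit"}
{"ts": 950, "host": "ws-22", "src": "endpoint", "event": "process", "image": "AutoHotkey.exe", "parent": "explorer.exe"}
"""

# One predicate per stage of the chain described above, evaluated on a single event.
STAGES = {
    "phish_page": lambda e: e["event"] == "nav" and "mailbox-repair" in e.get("url", ""),
    "ahk_from_browser": lambda e: e["event"] == "process"
        and e.get("image", "").lower() == "autohotkey.exe"
        and e.get("parent", "").lower() in ("chrome.exe", "msedge.exe"),
    "sideloaded_ext": lambda e: e["event"] == "extension_install" and e.get("method") == "sideload",
    "tunnel_to_cloud": lambda e: e["event"] == "net"
        and e.get("proto") in ("websocket", "socks")
        and e.get("dst", "").endswith(".amazonaws.com"),
    "ad_db_imaging": lambda e: e["event"] == "file_read"
        and e.get("path", "").lower().endswith("ntds.dit"),
}

def correlate(log_text, window=3600):
    """Return {host: [stage, ...]} for stages seen on that host within `window` seconds
    of the host's first matching event; hosts with no matching stage are omitted."""
    by_host = {}
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            for name, match in STAGES.items():
                if match(e):
                    by_host.setdefault(e["host"], []).append((e["ts"], name))
    result = {}
    for host, hits in by_host.items():
        hits.sort()
        first_ts = hits[0][0]
        stages = [name for ts, name in hits if ts - first_ts <= window]
        result[host] = sorted(set(stages), key=stages.index)  # dedupe, keep order seen
    return result

def alerts(log_text, min_stages=3):
    """Hosts on which at least `min_stages` distinct stages co-occur. A lone AutoHotkey
    launch from Explorer is noise; several stages on one host is the pattern to triage."""
    return {h: s for h, s in correlate(log_text).items() if len(s) >= min_stages}
```

A real deployment would feed the same predicates from a SIEM query instead of a string, and would add the backup-server and domain-controller stages (credential dump, Pass-the-Hash logons) as further keys in STAGES.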