A newly identified threat group tracked as UNC6692 has been linked to a cyberattack campaign that abuses workplace communication tools to gain a foothold in enterprise networks without exploiting any software vulnerability. The activity, disclosed on April 22, 2026 by Google Threat Intelligence Group and Mandiant, highlights a shift toward social engineering that trades on user trust in everyday collaboration platforms. Instead of targeting technical flaws, the attackers manipulated employees into interacting with seemingly legitimate messages delivered inside trusted enterprise tools.
The campaign began in late December 2025 with email bombing: targeted users were flooded with a high volume of messages to create confusion and a sense of urgency. While victims tried to cope with the influx, the attackers contacted them through Microsoft Teams, posing as internal IT helpdesk staff offering to help. Teams' external access feature let the attackers message from an outside tenant; they persuaded users to accept the chat request and ignore the warning Teams shows for external senders. Having established credibility, the attackers steered victims into the next phase of the attack under the pretense of fixing the email disruption.
Once trust was established, victims were directed to install what was presented as a local fix for their mailbox problems. The link led to a phishing page hosted on Amazon Web Services S3, styled as a tool named Mailbox Repair and Sync Utility version 2.1.5. The page ran environment checks, required Microsoft Edge, and displayed a fake system health scan. It deliberately rejected the first login attempt so that the victim would retype the password, ensuring the captured credentials were correct before the flow continued. During this staged process, malicious components were silently deployed, including an AutoHotkey binary and scripts that installed SNOWBELT, a Chromium-based browser extension disguised under names such as MS Heartbeat or System Heartbeat. SNOWBELT is part of a broader toolset called SNOW, which also includes SNOWGLAZE for tunneling network traffic and SNOWBASIN for executing commands, capturing screenshots, and extracting sensitive data.
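The practical question for defenders after reading the paragraph above is how to find a SNOWBELT-style extension and a sideloaded or automated browser on their own estate. The script below is an added example, not code from the Google/Mandiant report or from the SNOW toolset: it scores Chromium extension manifests on the reported display names, on how many high-risk permissions they request, on whether they carry the Chrome Web Store update_url that store-installed extensions have, and on an enterprise allowlist, and it checks a browser command line for sideload and automation switches. The manifests, extension IDs, allowlist, command line and the "three or more risky permissions" threshold are all constructed assumptions for illustration.

```python
"""Triage Chromium (Edge/Chrome) extensions and browser launch flags for
SNOWBELT-style indicators.

Added example, not code from the GTIG/Mandiant report. The manifests,
extension IDs, allowlist and command line below are constructed; the
permission-count and update_url heuristics are assumptions, not reported IOCs."""
import json
import re
from dataclasses import dataclass

# Reported SNOWBELT display names were "MS Heartbeat" / "System Heartbeat";
# the regex also tolerates spacing variants (an assumption, not a reported IOC).
SUSPICIOUS_NAME = re.compile(r"(?:ms|system)[\s_-]*heartbeat", re.IGNORECASE)

# Permissions that let an extension read every page, intercept requests,
# drive tabs or talk to a native host. Three or more together is unusual.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "proxy", "debugger",
    "scripting", "cookies", "tabs", "nativeMessaging",
}

# Extensions installed from the Chrome Web Store carry this update_url;
# an unpacked or sideloaded extension usually has none.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Launch switches that sideload extensions or enable browser automation.
AUTOMATION_FLAGS = (
    "--load-extension=", "--disable-extensions-except=",
    "--remote-debugging-port=", "--headless",
)


@dataclass
class Finding:
    ext_id: str
    name: str
    reasons: list

    @property
    def suspicious(self) -> bool:
        # A name match alone is enough; otherwise require two independent signals.
        return any(r.startswith("name") for r in self.reasons) or len(self.reasons) >= 2


def triage_extension(ext_id: str, manifest: dict, allowlist: set) -> Finding:
    """Score one extension from its manifest.json and the enterprise allowlist."""
    reasons = []
    name = manifest.get("name", "")
    if SUSPICIOUS_NAME.search(name):
        reasons.append(f"name matches reported SNOWBELT naming: {name!r}")
    # MV2 puts host patterns in "permissions", MV3 in "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if len(risky) >= 3:
        reasons.append("broad permissions: " + ", ".join(risky))
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        reasons.append("no Web Store update_url (sideloaded or unpacked)")
    if ext_id not in allowlist:
        reasons.append("not on the enterprise allowlist")
    return Finding(ext_id, name, reasons)


def automation_flags(cmdline: str) -> list:
    """Return the sideload/automation switches present in a browser command line."""
    return [flag for flag in AUTOMATION_FLAGS if flag in cmdline]


# Constructed sample data: placeholder extension IDs, not real ones.
SAMPLE_MANIFESTS = {
    "placeholder-ext-id-0001": json.loads("""{
        "manifest_version": 3, "name": "MS Heartbeat", "version": "1.0",
        "permissions": ["tabs", "webRequest", "cookies", "scripting"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"}}"""),
    "placeholder-ext-id-0002": json.loads("""{
        "manifest_version": 3, "name": "Corporate SSO Helper", "version": "4.2",
        "permissions": ["storage"],
        "update_url": "https://clients2.google.com/service/update2/crx"}"""),
}
ALLOWLIST = {"placeholder-ext-id-0002"}
SAMPLE_CMDLINE = (
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
    r'--load-extension="C:\Users\jdoe\AppData\Local\Temp\heartbeat" '
    r'--remote-debugging-port=9222'
)


def run_triage(manifests=SAMPLE_MANIFESTS, allowlist=ALLOWLIST) -> dict:
    return {eid: triage_extension(eid, m, allowlist) for eid, m in manifests.items()}


if __name__ == "__main__":
    for eid, finding in run_triage().items():
        print(f"{eid} {finding.name!r}: {'SUSPICIOUS' if finding.suspicious else 'ok'}")
        for reason in finding.reasons:
            print("   -", reason)
    print("browser launch flags:", automation_flags(SAMPLE_CMDLINE))
```

On a real fleet the manifests would come from each profile's Extensions directory (for example under %LOCALAPPDATA%\Microsoft\Edge\User Data) and the command lines from EDR or Sysmon process-creation telemetry; the allowlist should be the set of extension IDs your browser management policy force-installs or permits, so that anything outside it is reviewed rather than trusted.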
Following initial compromise, the attackers expanded their access by scanning for commonly used network ports and using administrative tools to move laterally between systems. Through SNOWGLAZE tunnels they executed remote commands, identified privileged accounts, and reached a backup server over Remote Desktop Protocol (RDP). On that system they dumped LSASS memory to extract credential material and then used pass-the-hash to authenticate to domain controllers without needing plaintext passwords. They also used FTK Imager, a forensic disk-imaging tool, to copy locked system files including NTDS.dit (the Active Directory database) and registry hives; the SYSTEM hive holds the boot key needed to decrypt the password hashes stored in NTDS.dit. The files were exfiltrated through cloud-based services such as LimeWire. Endpoint detection telemetry showed the attackers taking screenshots to confirm that their operations had succeeded.
A key aspect of this campaign is the use of legitimate cloud platforms such as AWS and Heroku to host payloads, run command-and-control, and stage stolen data. Because that traffic is encrypted and goes to reputable cloud domains, it blends with normal outbound communications, and controls that depend on domain reputation or IP blocking are far less effective. The researchers advise organizations to monitor browser extensions, unusual outbound cloud traffic, and automated browser activity, and to restrict or closely manage external access in collaboration tools such as Microsoft Teams. The campaign shows how attackers can reach deep into a network through carefully orchestrated social engineering, relying on user interaction rather than on technical weaknesses.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.