A group of attackers identified as UNC6692 has launched a campaign of social engineering and deep network exploitation that deserves attention for its combination of psychological deception and custom tooling used to maintain access and extract credentials at scale.
The entry point of these intrusions is not an unknown technical vulnerability but human manipulation: the attackers flood victims with a volume of emails to create a sense of urgency and then contact them via Microsoft Teams posing as technical support, a tactic that eases the installation of malicious software disguised as "patches" or administrative utilities. For a technical analysis and the indicators the researchers have published, it is worth reviewing Mandiant's report on Google's blog: https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware.

The uncovered suite, nicknamed "Snow," combines three main components: a browser extension that acts as a persistent foothold on the infected computer, a WebSocket-based tunnel that hides traffic and works as a SOCKS proxy, and a Python backdoor that exposes a local HTTP server to run remote commands. The initial vector includes a dropper that runs AutoHotkey scripts and launches the browser in headless mode so that the user perceives no visible activity, while classic mechanisms such as scheduled tasks and startup-folder entries ensure persistence.
The post-intrusion procedure follows dangerously effective patterns: internal reconnaissance to locate exposed SMB and RDP services, dumping of LSASS memory to steal credentials, and techniques such as pass-the-hash to move laterally to domain controllers. In the final stages, the attackers managed to extract the Active Directory database and sensitive files from the system, sending them out of the network through non-conventional channels. These steps give the adversary deep control and the ability to take over entire domains, which turns the intrusion into an organization-wide compromise.
The implications are clear: protecting the perimeter is not enough. Initial access gained through social engineering can quickly escalate to loss of control of the corporate directory and mass theft of credentials, compromising the confidentiality and integrity of critical systems. In addition, the use of legitimate or legitimate-looking tools (AutoHotkey, browser extensions, headless browsing) complicates detection by traditional signatures.
Technical and operational measures should be taken simultaneously to mitigate such attacks. At the user and support level: continuously train staff to verify the identity of helpdesk personnel, to distrust links that ask them to install "patches" arriving through unexpected communications, and to avoid granting remote access without prior validation. At the technical level: enforce multifactor authentication on privileged accounts, restrict and audit the use of remote assistance tools, block or control the execution of unapproved scripts and binaries (including AutoHotkey) through application control policies, and segment the network to limit lateral movement.
On the detection side, security teams should pay attention to specific signals: headless browser processes started by unusual users, recurrent creation of scheduled tasks or startup entries that do not match authorized changes, outgoing WebSocket connections to unknown destinations, and any traffic that appears to act as a SOCKS proxy. Correlating these events with memory-dumping attempts or abnormal activity on domain controllers increases the likelihood of identifying an intrusion before mass exfiltration.
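The host-side signals above can be turned into simple correlation rules over process-creation telemetry. The following is an added example, not code from the article or from Mandiant; the event fields, the `svc-ci` allowlist and the sample events are constructed for illustration.

```python
"""Detection rules for headless-browser, AutoHotkey and scheduled-task signals
over process-creation events (added example; sample telemetry is constructed)."""
import re
from dataclasses import dataclass

# Accounts expected to run headless browsers legitimately (assumed allowlist).
HEADLESS_ALLOWLIST = {"svc-ci"}
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")
HEADLESS_RE = re.compile(r"(^|\s)--?headless(=\w+)?(\s|$)", re.IGNORECASE)
SCRIPT_HOSTS = ("autohotkey", "wscript", "cscript", "powershell", "cmd.exe")

@dataclass
class ProcEvent:
    user: str     # account that started the process
    image: str    # executable name of the new process
    parent: str   # executable name of the parent process
    cmdline: str  # full command line

def detect(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        img, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
        if img in BROWSERS and HEADLESS_RE.search(ev.cmdline):
            # Headless browsing outside the allowlisted automation accounts.
            if ev.user not in HEADLESS_ALLOWLIST:
                hits.append(("headless_browser_unusual_user", ev))
            # Headless browser spawned by a script interpreter or shell.
            if any(h in parent for h in SCRIPT_HOSTS):
                hits.append(("headless_browser_from_script_host", ev))
        if img == "schtasks.exe" and "/create" in cmd:
            hits.append(("scheduled_task_created", ev))
        if "autohotkey" in img or cmd.endswith(".ahk"):
            hits.append(("autohotkey_execution", ev))
    return hits

# Constructed sample telemetry: one benign CI run and one suspicious user session.
SAMPLE = [
    ProcEvent("svc-ci", "chrome.exe", "jenkins.exe", "chrome.exe --headless=new --disable-gpu"),
    ProcEvent("jdoe", "AutoHotkey.exe", "explorer.exe", r"AutoHotkey.exe C:\Users\jdoe\patch.ahk"),
    ProcEvent("jdoe", "chrome.exe", "AutoHotkey.exe", "chrome.exe --headless --disable-gpu"),
    ProcEvent("jdoe", "schtasks.exe", "cmd.exe", r"schtasks /Create /SC ONLOGON /TN Updater /TR C:\Users\jdoe\up.exe"),
    ProcEvent("jdoe", "explorer.exe", "userinit.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE):
        print(f"{rule}: user={ev.user} parent={ev.parent} cmd={ev.cmdline}")
```

In production the same rules would run over EDR or Sysmon event ID 1 data and feed a correlation search that joins them with LSASS access and domain-controller authentication anomalies.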

If an intrusion is confirmed, the response should include isolation of the affected host, preservation of evidence (memory capture and disk imaging), analysis of the registry hives and of the compromised Active Directory database, and forced rotation of privileged credentials. Depending on the scope, remediation may require rebuilding domain controllers and implementing a recovery plan that includes revoking exposed certificates and credentials and coordinating with detection and response providers; consulting the IoCs and YARA rules published in technical reports will help accelerate cleanup.
For teams that wish to deepen their characterization of the tactics and techniques used by adversaries such as UNC6692, the MITRE ATT&CK matrix remains a useful reference for mapping detections and controls: https://attack.mitre.org/. Complementing this reference with the practical recommendations and IoCs published by researchers maximizes the capacity to respond and to close the exploited vectors.
In short, the Snow campaign is a reminder that the combination of social engineering, custom tools and abuse of legitimate channels can turn a small human error into a corporate disaster. Effective defence requires ongoing training, strict technical controls on execution and access, network segmentation and well-tested response procedures to prevent a false "patch" from becoming the attacker's master key.