{
	"id": "e9e47cea-a4af-4524-9540-ad11451c88c7",
	"created_at": "2026-05-01T03:10:40.549794Z",
	"updated_at": "2026-05-01T03:10:50.933835Z",
	"deleted_at": null,
	"sha1_hash": "2aa556c2d121882837f2c0e1285fd78d8ee171a0",
	"title": "How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 630359,
	"plain_text": "How UNC6692 Employed Social Engineering to Deploy a Custom\r\nMalware Suite\r\nBy Mandiant\r\nPublished: 2026-04-23 · Archived: 2026-05-01 02:03:35 UTC\r\nWritten by: JP Glab, Tufail Ahmed, Josh Kelley, Muhammad Umair\r\nIntroduction \r\nGoogle Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group,\r\nUNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the\r\nvictim’s environment to achieve deep network penetration. \r\nAs with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees,\r\nconvincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization. The\r\nUNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom\r\nmalware, and a malicious browser extension, playing on the victim’s inherent trust in several different enterprise software\r\nproviders. \r\nThreat Details\r\nIn late December 2025, UNC6692 conducted a large email campaign designed to overwhelm the target with messages,\r\ncreating a sense of urgency and distraction. Following this, the attacker sent a phishing message via Microsoft Teams,\r\nposing as helpdesk personnel offering assistance with the email volume.\r\nInfection Chain\r\nThe victim was contacted through Microsoft Teams and was prompted to click a link to install a local patch that prevents\r\nemail spamming. 
Once clicked, the user’s browser opened an HTML page and ultimately downloaded a renamed\r\nAutoHotKey binary and an AutoHotkey script, sharing the same name, from a threat actor-controlled AWS S3 bucket.\r\n\"url\": \"https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=\u003credacted\u003e.com\",\r\n\"description\": \"Microsoft Spam Filter Updates | Install the local patch to protect your account from email spamming\",\r\nFigure 1: Snippet from MS Teams logs\r\nIf the AutoHotkey binary is named the same as a script file in its current directory, AutoHotkey will automatically run the\r\nscript with no additional command line arguments. Evidence of AutoHotKey execution was recorded immediately following\r\nthe downloads, resulting in initial reconnaissance commands and the installation of SNOWBELT, a malicious Chromium\r\nbrowser extension (not distributed through the Chrome Web Store). Mandiant was unable to recover the initial AutoHotKey\r\nscript.\r\nThe persistence of SNOWBELT was established in multiple ways. First, a shortcut to an AutoHotKey script was added to\r\nthe Windows Startup folder, which verified SNOWBELT was running and that a Scheduled Task was present.\r\nif !CheckHeadlessEdge(){\r\n try{\r\n taskService:=ComObject(\"Schedule.Service\")\r\n taskService.Connect()\r\n rootFolder:=taskService.GetFolder(\"\\\")\r\n if FindAndRunTask(rootFolder){\r\n Sleep 10000\r\n if CheckHeadlessEdge(){\r\n ExitApp\r\n }\r\n }\r\n }\r\n Run 'cmd /c start \"\" \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --user-data-dir=\"%LOCALAPPDATA%\\Mic\r\n}\r\nExitApp\r\nFigure 2: Snippet from AutoHotKey script to verify SNOWBELT was running and to start it if not\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware/\r\nPage 1 of 16\r\nSecond, two additional scheduled tasks were installed. 
One task starts a windowless Microsoft Edge process that loads the\r\nSNOWBELT extension; the other identifies and terminates Microsoft Edge processes that do not have\r\nCoreUIComponents.dll loaded.\r\n\u003cExec\u003e\r\n \u003cCommand\u003e\r\n \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"\r\n \u003c/Command\u003e\r\n \u003cArguments\u003e\r\n --user-data-dir=\"C:\\Users\\\u003credacted\u003e\\AppData\\Local\\Microsoft\\Edge\\System Data\"\r\n --no-first-run\r\n --load-extension=\"C:\\Users\\\u003credacted\u003e\\AppData\\Local\\Microsoft\\Edge\\Extension Data\\SysEvents\"\r\n --headless=new --disable-sync\r\n \u003c/Arguments\u003e\r\n\u003c/Exec\u003e\r\nFigure 3: Snippet from the scheduled task that starts windowless Microsoft Edge with the SNOWBELT extension loaded\r\nMicrosoft Edge processes without CoreUIComponents.dll are typically headless. The threat actor uses this command to\r\nessentially “clean up” headless Edge processes that execute their malware.\r\n\u003cExec\u003e\r\n \u003cCommand\u003ecmd\u003c/Command\u003e\r\n \u003cArguments\u003e\r\n /c \"for /f \"tokens=2\" %p in ('tasklist /M SHELL32.dll ^| findstr \"msedge.exe\"') do @(tasklist /M CoreUIComponents.dll\r\n \u003c/Arguments\u003e\r\n\u003c/Exec\u003e\r\nFigure 4: Snippet from the scheduled task to check for CoreUIComponents.dll\r\nUsing the SNOWBELT extension, UNC6692 downloaded additional files including SNOWGLAZE, SNOWBASIN,\r\nAutoHotkey scripts, and a ZIP archive containing a portable Python executable and required libraries.\r\nInternal Recon and Lateral Movement\r\nAfter gaining initial access, process execution telemetry recorded UNC6692 using a Python script to scan the local network\r\nfor ports 135, 445, and 3389. Following internal port scanning, the threat actor established a Sysinternals PsExec session to\r\nthe victim's system via the SNOWGLAZE tunnel and executed commands to enumerate local administrator accounts. 
Using\r\nthe local administrator account, the threat actor initiated an RDP session via the SNOWGLAZE tunnel from the victim\r\nsystem to a backup server. Though not directly observed, the threat actor may have acquired the local administrator account's\r\ncredentials via multiple attack paths, such as authenticated Server Message Block (SMB) share enumeration.\r\nEscalate Privileges\r\nAfter gaining access to the backup server, the threat actor utilized the local administrator account to extract the system's\r\nLSASS process memory with Windows Task Manager. The Microsoft Windows Local Security Authority Subsystem Service\r\n(LSASS) process, lsass.exe, enforces security policy and contains usernames, passwords and hashes for accounts that have\r\naccessed the system. After extracting the process memory, UNC6692 exfiltrated it via LimeWire. With the process memory\r\nout of the victim environment, UNC6692 is able to use offensive security tools to extract the credentials while not having to\r\nworry about being detected.\r\nComplete Mission\r\nNow armed with the password hashes of elevated users, UNC6692 used Pass-The-Hash to move laterally to the network's\r\ndomain controllers. Pass-The-Hash is a common technique used by threat actors where the NTLM hash is passed to another\r\nsystem, instead of providing the account password, allowing for authentication via NTLM. Once authenticated to the\r\nDomain Controller, the threat actor opened Microsoft Edge and downloaded a ZIP archive containing FTK Imager to the\r\nDomain Administrator’s \\Downloads folder. The threat actor executed FTK Imager and mounted the local storage drive.\r\nSubsequently, FTK Imager wrote the Active Directory database file (NTDS.dit), Security Account Manager (SAM),\r\nSYSTEM, and SECURITY registry hives to the \\Downloads folder. 
The extracted files were then exfiltrated from the\r\nnetwork via LimeWire. Finally, EDR telemetry logged the threat actor performing screen captures on the Domain\r\nControllers, specifically targeting in-focus instances of Microsoft Edge and FTK Imager.\r\nFigure 5: UNC6692 attack lifecycle\r\nThe SNOW Ecosystem\r\nPhishing Landing Page\r\nThe original phishing link (https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=\u003credacted\u003e.com)\r\ndelivered via Microsoft Teams directs the victim to a landing page masquerading as a \"Mailbox\r\nRepair Utility.\" This interface is designed to elicit user engagement through various on-screen buttons.\r\nFigure 6: The landing page masquerading as an official \"Mailbox Repair and Sync Utility v2.1.5.\"\r\nPhase 1: Environment Enforcement and Anti-Analysis\r\nThe attacker used a gatekeeper script designed to ensure the payload is delivered only to intended targets while evading\r\nautomated security sandboxes. Upon loading, the landing page executes an init() function that inspects the URL for a\r\nmandatory ?email= parameter. If this parameter is absent, the page immediately redirects to about:blank.\r\nThe script also checks the victim’s browser. If the user is not using Microsoft Edge, the page displays a persistent overlay\r\nwarning. This forces the user to click an \"Open in Edge\" button, which triggers the microsoft-edge: URI scheme. 
This\r\nensures the victim is moved from potentially secure mobile or third-party browser environments into a specific workspace\r\nwhere the attacker’s exploits are most effective.\r\nPhase 2: Credential Harvesting via Social Engineering\r\nOnce the environment is established, the page presents a professional-looking \"Configuration Management Panel\"\r\nmasquerading as an official \"Mailbox Repair and Sync Utility.\" The primary hook is a \"Health Check\" button that, when\r\nclicked, triggers an \"Authentication Required\" modal.\r\nThe harvesting script, handleAuthFormSubmit, employs a \"double-entry\" psychological trick. It is programmed to reject the\r\nfirst and second password attempts as incorrect. This serves two functions: it reinforces the user’s belief that the system is\r\nlegitimate and performs real-time validation, and it ensures that the attacker captures the password twice, significantly\r\nreducing the risk of a typo in the stolen data. A screenshot of the authentication prompt is shown in Figure 7; the supplied email\r\naddress is entered by default.\r\nFigure 7: The credential harvesting prompt triggered by the \"Health Check\" button\r\nPhase 3: Data Exfiltration and Distraction Sequences\r\nUpon successful submission, the script executes an asynchronous PUT request using AWS URLs. The validated credentials\r\nand metadata are uploaded directly to an attacker-controlled Amazon S3 bucket (e.g., service-page-18968-2419-outlook.s3.us-west-2.amazonaws.com),\r\nwhich has since been taken down. These buckets serve as the command and\r\ncontrol (C2) infrastructure and represent critical indicators of compromise (IOCs).\r\nTo mask this background activity and prevent user suspicion, the script initiates a startProgressBar function. 
This displays a\r\nscripted distraction sequence featuring fake technical tasks such as \"Parsing configuration data\" and \"Checking mailbox\r\nintegrity.\" This manipulation keeps the victim engaged until the data transfer is complete.\r\nFigure 8: A scripted distraction sequence used to mask the background exfiltration of stolen data\r\nPhase 4: Malware Staging and Endpoint Foothold\r\nThe final stage involves the delivery of secondary malicious payloads referenced within the CONFIG object of the script.\r\nWhile the progress bar runs, the site is prepared to deliver the files listed in Table 1.\r\nButton Clicked | File Downloaded | Type / Risk\r\nProfile 1.3 | Protected.ahk | AutoHotKey Script: Not found during the investigation, but suspected to install SNOWBELT.\r\nProfile B5 | profileB5.txt | Likely a configuration file for the malware.\r\nComponent Verification | RegSrvc.exe | AutoHotKey Executable: Masquerading as a \"Registration Service.\"\r\nHealth Check | N/A | Prompts the user to input email credentials. Exfiltrates the credentials to an Amazon S3 bucket.\r\nTable 1: Buttons on the landing page\r\nBy the time the user receives a \"Configuration completed successfully\" message, the attacker has secured the credentials and\r\npotentially established a persistent foothold on the endpoint using these staged files.\r\nThe SNOW malware ecosystem, attributed to the threat cluster UNC6692, operates as a modular ecosystem comprising\r\nthree primary components: SNOWBELT, SNOWGLAZE, and SNOWBASIN. 
Rather than functioning as isolated tools,\r\nthese components form a coordinated pipeline that facilitates an attacker's journey from initial browser-based access to the\r\ninternal network of the organization.\r\nFigure 9: The SNOW ecosystem\r\n1. SNOWBELT (Browser Extension)\r\nSNOWBELT serves as the initial foothold and the primary \"eyes\" of the operation. It is a JavaScript-based backdoor\r\ndelivered as a Chromium browser extension, often masquerading under names like \"MS Heartbeat\" or \"System Heartbeat\".\r\nRather than being available through the Chrome Web Store, the extension is deployed through social engineering tactics.\r\nRole: It is designed to intercept commands and send them to SNOWBASIN for execution. It maintains persistence\r\nvia the browser's extension registration system and uses Service Worker Alarms and Keep-Alive Tab Injection (via\r\nhelper.html) to ensure it remains active whenever the browser is running.\r\nFunctionality: By relaying commands from the threat actor to SNOWBASIN, SNOWBELT provides authenticated\r\naccess to the environment. This allows the attacker to move laterally and escalate privileges without the need for\r\nconstant re-authentication.\r\n2. SNOWGLAZE (Python Tunneler)\r\nOnce a foothold is established, SNOWGLAZE is deployed to manage the logistics of external communication.\r\nSNOWGLAZE is a Python-based tunneler that can operate in both Windows and Linux environments.\r\nRole: Its primary function is to create a secure, authenticated WebSocket tunnel between the victim's internal\r\nnetwork and the attacker's command-and-control (C2) infrastructure, such as a Heroku subdomain. 
It facilitates\r\nSOCKS proxy operations, allowing arbitrary TCP traffic to be routed through the infected host.\r\nFunctionality: SNOWGLAZE masks malicious traffic by wrapping data in JSON objects and Base64 encoding it for\r\ntransfer via WebSockets. This makes the activity appear as standard encrypted web traffic. When attackers wish to\r\ninteract with backdoors like SNOWBASIN or exfiltrate staged data, traffic is routed through this established tunnel.\r\n3. SNOWBASIN (Python Bindshell)\r\nWhile SNOWBELT monitors the user and SNOWGLAZE bridges the network gap, SNOWBASIN provides the functional\r\ninteractive control over the infected system.\r\nRole: It acts as a persistent backdoor that operates as a local HTTP server (typically listening on port 8000). It\r\nenables remote command execution via cmd.exe or powershell.exe, screenshot capture, and data staging for\r\nexfiltration.\r\nFunctionality: This component is where active reconnaissance and mission completion occur. Attacker commands\r\n(such as whoami or net user) are sent through the SNOWGLAZE tunnel, intercepted by the SNOWBELT extension,\r\nand then proxied to the SNOWBASIN local server via HTTP POST requests. SNOWBASIN executes these\r\ncommands and relays the results back through the same pipeline to the attacker.\r\nMalware Analysis\r\nSNOWBELT\r\nSNOWBELT is a JavaScript-based backdoor implemented as a Chromium browser extension. Its lifecycle begins with the\r\nexecution of the background.js Service Worker upon installation, which leverages the browser's extension registration\r\nsystem for persistence. To ensure continuous operation while the browser is active, the malware utilizes Service Worker\r\nAlarms (agent-heartbeat) and Keep-Alive Tab Injection (helper.html).\r\nUpon initialization, the malware generates a unique identity using the prefix fp-sw- followed by a UUID. It then employs a\r\ntime-based DGA to calculate C2 URLs. 
Using a hard-coded seed value\r\n(691f7258f212fa8908a8bf06bcf9e027d2177276e13e10ff56bd434ff3755cc4), it generates a registry URL for an S3 bucket\r\nwithin 30-minute time slots. These URLs follow a specific structural pattern:\r\nhttps://[a-f0-9]{24}-[0-9]{6,7}-[0-9]{1}.s3.us-east-2.amazonaws[.]com\r\nThe manifest retrieved from this registry is decrypted via AES-GCM using a key derived from SHA256(SEED + \"|\" +\r\ntimeslot).\r\nFor low-latency C2, SNOWBELT registers with the browser's Push Notification service. This is achieved using a hard-coded\r\nVAPID Public Key:\r\nBJkWCT45mL0uvV3AssRaq9Gn7iE2N7Lx38ZmWDFCjwhz0zv0QSVhKuZBLTTgAijB12cgzMzqyiJZr5tokRzSJu0\r\nThis setup provides an asynchronous channel that allows attackers to \"wake up\" the Service Worker immediately via\r\nauthenticated Push messages, bypassing standard polling. Additionally, the malware supports real-time interaction through a\r\npersistent REGISTRY_WEBSOCKET_URL connection.\r\nSNOWBELT functions in coordination with SNOWBASIN, a backdoor acting as a local web server (typically on port\r\n8000). It relays decrypted C2 commands—such as command, buffer, flush, and commit—to SNOWBASIN via HTTP POST\r\nrequests, effectively proxying shell commands to the host system.\r\nThe malware also includes mechanisms to bypass the browser sandbox:\r\n1. Native Host Bridge (open_native_messaging): Uses chrome.runtime.connectNative to establish I/O pipes with\r\nlocal applications for issuing privileged commands.\r\n2. Protocol Handler Abuse (open_uri): Employs dream.html and dream.js to trigger custom URI schemes in new tabs,\r\ntargeting vulnerabilities in third-party desktop applications.\r\nExfiltration is managed by the sendJsonDataToS3 function, which encrypts data with AES-GCM (Key: SHA256(SEED +\r\n\"|ping|\" + bucket + \"|\" + objectKey)) before uploading to S3. 
The backdoor's command set is summarized in Table 2.\r\nCommand | Type | Description\r\ncommand | Relayed | Decrypts and POSTs command text to SNOWBASIN; exfiltrates response to C2.\r\nbuffer | Relayed | Forwards file path payloads to local buffer endpoint.\r\nflush | Relayed | Triggers a data flush on the local server.\r\ncommit | Relayed | Sends URL and path data for local processing.\r\nstop_server | Relayed | Shutdown signal for the local SNOWBASIN instance.\r\nscreenshot | Relayed | Requests a screen capture from the host.\r\npayload | Internal | Downloads files using chrome.downloads; supports URLs and base64 blobs.\r\nopen_native_messaging | Internal | Direct connection to native host apps via Chrome APIs.\r\nopen_uri | Internal | Triggers external protocol handlers via helper pages.\r\ndelete_cache | Internal | Removes downloaded files from the system.\r\nwebsocket_control | Internal | Controls the state of WebSocket connectivity.\r\nping | Internal | Provides heartbeats and status updates to the C2.\r\nTable 2: SNOWBELT commands\r\nFinally, SNOWBELT implements a feedback loop by monitoring chrome.downloads.onChanged. If a download is blocked\r\n(e.g., FILE_VIRUS_INFECTED), the malware reports the error back to the S3-based C2.\r\nSNOWBASIN\r\nSNOWBASIN is a Python-based backdoor that operates as a local HTTP server on ports 8000, 8001, or 8002. Its core\r\ncapabilities include command execution, screenshot capture, and data exfiltration. The malware also enables operators to\r\nmanage files by downloading or deleting them, and it provides the capability to terminate active connections. SNOWBELT\r\nrelays commands to this malware by sending HTTP requests to localhost:8000.\r\nIt turns the victim's computer into a command-and-control (C2) node that can be controlled via HTTP requests. 
It is\r\ndesigned to run on Windows (evidenced by os.chdir('C:\\\\') and cmd.exe calls) and allows a remote actor to execute\r\ncommands, steal files, and take screenshots.\r\nEndpoint | Function | Description\r\n/stream | Remote Shell | Receives a command and executes it via cmd.exe or powershell.exe. It returns the STDOUT/STDERR results to the attacker.\r\n/buffer | File Exfiltration | If a file path is provided, it reads the file, encodes it in Base64, and sends it back. If a folder is provided, it returns a full directory listing.\r\n/flush | File Deletion | Relayed. Signals http://localhost[:]8000/flush to flush buffered data.\r\n/commit | File Ingress | Downloads a file from a provided URL and saves it to a specific path on the local disk. It bypasses SSL certificate verification (CERT_NONE).\r\n/capture | Take Screenshots | Uses the mss and PIL libraries to take a screenshot of all monitors and send the image back as a Base64 string.\r\n/gc | Self-Termination | Shuts down the server instance, effectively \"killing\" the backdoor's connection.\r\nTable 3: SNOWBASIN endpoints\r\nSNOWGLAZE\r\nThe network tunneler SNOWGLAZE, developed in Python, facilitates the routing of arbitrary TCP traffic through a\r\ncompromised system by establishing a WebSocket connection to a static C2 host using hard-coded credentials.\r\nThe script is designed for cross-platform execution on both Windows and Linux, utilizing environment-specific behaviors\r\nfor each. In Windows environments, it runs as a foreground process manageable via standard keyboard interrupts (Ctrl-C).\r\nConversely, on Linux, it operates as a background daemon and includes specific logic to handle SIGINT and SIGTERM\r\nsignals for orderly shutdowns.\r\nTo establish communication, the malware targets the C2 server at wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws,\r\nmasquerading its traffic with a Microsoft Edge User-Agent string. 
If the initial\r\nconnection fails, the script employs an incremental backoff strategy, starting at 5 seconds and increasing by 5-second\r\nintervals up to a 300-second maximum. Upon a successful WebSocket handshake, it transmits the following auth payload:\r\n{\r\n \"type\": \"auth\",\r\n \"login\": \"\u003credacted\u003e\",\r\n \"password\": \"\u003credacted\u003e\",\r\n \"uuid\": \"\u003credacted\u003e\"\r\n}\r\nFollowing authentication, the script sends a \"register\" type message with no payload, followed by an \"agent_info\" JSON\r\nrecord. Although the \"info\" field within this record is intended to carry the public IP address, it remains unpopulated due to\r\nimproper implementation in the script.\r\nOnce fully connected, the malware listens for JSON-formatted commands. The supported \"type\" values include:\r\nping: Prompts the script to return a \"type\": \"pong\" JSON object.\r\nagent_public_ip: Intended to report the host's public IP via an agent_info structure; however, the IP field is consistently blank in\r\ncurrent versions.\r\nsocks_connect: Requests a new SOCKS proxy connection using a unique conn_id provided by the operator to track the\r\nsession. The request format is as follows:\r\n{\r\n \"type\": \"socks_connect\",\r\n \"conn_id\": \"\u003cunique_connection_id\u003e\",\r\n \"target_host\": \"example.com\",\r\n \"target_port\": 80\r\n}\r\nExecution triggers an asynchronous worker thread that manages the TCP-to-WebSocket data transfer, utilizing\r\nBase64 encoding and JSON encapsulation with the socks_data type.\r\nsocks_data: Facilitates bidirectional data exchange between the WebSocket and the TCP socket. 
Data is Base64-encoded\r\nwithin the data field of the following structure:\r\n{\r\n \"type\": \"socks_data\",\r\n \"conn_id\": \"\u003cunique_connection_id\u003e\",\r\n \"data\": \"bG9yZW0gaXBzdW0=\"\r\n}\r\nsocks_close: Terminates the specific proxy stream identified by the given conn_id.\r\ndisconnect: Severs all active proxy connections and terminates script execution.\r\nOutlook \u0026 Implications\r\nThe UNC6692 campaign demonstrates how modern attackers blend social engineering and technical evasion to gain a\r\nfoothold in environments. A critical element of this strategy is the systematic abuse of legitimate cloud services for\r\npayload delivery and exfiltration, and for command-and-control (C2) infrastructure. By hosting malicious components on\r\ntrusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of\r\nlegitimate cloud traffic.\r\nThis \"living off the cloud\" strategy allows attackers to blend malicious operations into a high volume of encrypted, reputably\r\nsourced traffic, making detection based on domain reputation or IP blocking increasingly ineffective. Defenders must now\r\nlook beyond process monitoring to gain clear visibility into browser activity and unauthorized cloud traffic. 
As threat actors\r\ncontinue to professionalize these modular, cross-platform methodologies, the ability to correlate disparate events across the\r\nbrowser, local Python environments, and cloud egress points will be critical for early detection.\r\nIndicators of Compromise (IOCs)\r\nTo assist the wider community in hunting and identifying the activity outlined in this blog post, we have included IOCs in a\r\nfree GTI Collection for registered users.\r\nNetwork Indicators\r\nIndicator | Description\r\nservice-page-25144-30466-outlook.s3.us-west-2.amazonaws[.]com | Hosted the phishing site and initial AutoHotKey payloads\r\ncloudfront-021.s3.us-west-2.amazonaws[.]com | SNOWBELT C2\r\nwss://sad4w7h913-b4a57f9c36eb.herokuapp[.]com/ws | Hard-coded WebSocket Secure URL within SNOWGLAZE\r\nservice-page-11369-28315-outlook[.]s3[.]us-west-2[.]amazonaws[.]com | Domain for URL used to upload a text file\r\nFile Indicators\r\nFile Name | Description | SHA-256 Hash\r\nC:\\ProgramData\\log | SNOWGLAZE | 2fa987b9ed6ec6d09c7451abd994249dfaba1c5a7da1c22b8407c461e\r\nC:\\ProgramData\\log | SNOWBASIN | c8940de8cb917abe158a826a1d08f1083af517351d01642e6c7f324d0\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\Edge\\Extension Data\\SysEvents\\background.js | SNOWBELT service worker | 7f1d71e1e079f3244a69205588d504ed830d4c473747bb1b5c520634c\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\Edge\\Extension Data\\SysEvents\\dream.js | SNOWBELT JS resource | ca390b86793922555c84abc3b34406da2899382c617f9dcf83a74ac09\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\Edge\\Extension Data\\SysEvents\\dream.html | SNOWBELT HTML resource | 6e6dab993f99505646051d2772701e3c4740096ff9be63c92713bcb7f\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\Edge\\Extension Data\\SysEvents\\helper.html | SNOWBELT HTML resource | de200b79ad2bd9db37baeba5e4d183498d450494c71c8929433681e84\r\nYARA Rules\r\nSNOWGLAZE\r\nrule G_Tunneler_SNOWGLAZE_1 {\r\n meta:\r\n author = \"Google Threat Intelligence Group (GTIG)\"\r\n platforms = \"Windows, Linux\"\r\n strings:\r\n $r1 = /\\.connect\\(\\s{0,25}WS_PROXY_URL/\r\n $r2 = /\"data\":\\s{0,1}base64\\.b64encode\\(\\w{1,10}\\)\\.decode\\('ascii'\\)/\r\n $r3 = /\"type\":\\s{0,1}\"socks_data\"/\r\n $r4 = /await\\s{0,1}reader\\.read\\(\\d{2,4}\\)/\r\n $r5 = /\"login\":\\s{0,1}AGENT_LOGIN/\r\n $r6 = /\"password\":\\s{0,1}AGENT_PASSWORD/\r\n $r7 = /\"uuid\":\\s{0,1}AGENT_UUID/\r\n $s1 = \".socks_tcp_to_ws\"\r\n condition:\r\n 5 of ($r*)\r\n and $s1\r\n}\r\nSNOWBELT\r\nrule G_Backdoor_SNOWBELT_1 {\r\n meta:\r\n author = \"Google Threat Intelligence Group (GTIG)\"\r\n platform = \"Windows\"\r\n strings:\r\n $str1 = \".importKey(\\\"raw\\\",keyMaterial,\\\"AES-GCM\\\",!1,[\\\"decrypt\\\"])\"\r\n $str2 = \".importKey(\\\"raw\\\",keyMaterial,\\\"AES-GCM\\\",!1,[\\\"encrypt\\\"])\"\r\n $str3 = \"sendJsonDataToS3\"\r\n $str4 = \"processCommand\"\r\n $str5 = \"\\\"screenshot\\\"===cmdType\"\r\n $str6 = \"\\\"payload\\\"===cmdType\"\r\n $str7 = \"\\\"websocket_control\\\"===cmdType\"\r\n $str8 = \"\\\"open_uri\\\"===cmdType\"\r\n $str9 = \"\\\"delete_cache\\\"===cmdType\"\r\n $str10 = \"\\\"payload_download_complete\\\"\"\r\n $str11 = \".s3.us-east-2.amazonaws.com/\"\r\n condition:\r\n all of them\r\n}\r\nSNOWBASIN\r\nrule G_Backdoor_SNOWBASIN_1 {\r\n meta:\r\n author = \"Google Threat Intelligence Group (GTIG)\"\r\n platform = \"Windows\"\r\n strings:\r\n $path1 = \"self.path == '/probe':\"\r\n $path2 = \"self.path == '/stream':\"\r\n $path3 = \"self.path == '/buffer':\"\r\n $path4 = \"self.path == '/flush':\"\r\n $path5 = \"self.path == '/commit':\"\r\n $path6 = \"self.path == '/capture':\"\r\n $path7 = \"self.path == '/gc':\"\r\n $func1 = \"self.handle_stream(\"\r\n $func2 = \"self.handle_buffer(\"\r\n $func3 = \"self.handle_flush(\"\r\n $func4 = \"self.handle_commit(\"\r\n $s1 = \"self.wfile.write(info_msg\"\r\n $s2 = \"selected_port), WebServerHandler) as httpd:\"\r\n $s3 = \"ThreadedTCPServer(socketserver.ThreadingMixIn\"\r\n $s4 = \"httpd.serve_forever()\"\r\n condition:\r\n filesize\u003c1MB and (\r\n (all of ($s*) and 6 of ($path*, $func*)) or\r\n (8 of ($path*, $func*)) or\r\n 10 of them\r\n )\r\n}\r\nMITRE ATT\u0026CK\r\nTactic | Techniques\r\nInitial Access\r\n  T1566.002: Spearphishing Link\r\nExecution\r\n  T1053: Scheduled Task/Job\r\n  T1053.005: Scheduled Task\r\n  T1059: Command and Scripting Interpreter\r\n  T1059.001: PowerShell\r\n  T1059.003: Windows Command Shell\r\n  T1059.006: Python\r\n  T1059.007: JavaScript\r\n  T1059.010: AutoHotKey \u0026 AutoIT\r\n  T1204.001: Malicious Link\r\n  T1204.002: Malicious File\r\n  T1559: Inter-Process Communication\r\n  T1569.002: Service Execution\r\nPersistence\r\n  T1176.001: Browser Extensions\r\n  T1543: Create or Modify System Process\r\n  T1543.003: Windows Service\r\n  T1547.001: Registry Run Keys / Startup Folder\r\n  T1547.009: Shortcut Modification\r\nPrivilege Escalation\r\n  T1068: Exploitation for Privilege Escalation\r\nDefense Evasion\r\n  T1027: Obfuscated Files or Information\r\n  T1027.010: Command Obfuscation\r\n  T1027.015: Compression\r\n  T1036.005: Match Legitimate Resource Name or Location\r\n  T1055: Process Injection\r\n  T1070.004: File Deletion\r\n  T1112: Modify Registry\r\n  T1134: Access Token Manipulation\r\n  T1134.001: Token Impersonation/Theft\r\n  T1140: Deobfuscate/Decode Files or Information\r\n  T1202: Indirect Command Execution\r\n  T1562.001: Disable or Modify Tools\r\n  T1564.001: Hidden Files and Directories\r\n  T1622: Debugger Evasion\r\nCredential Access\r\n  T1003.001: LSASS Memory\r\n  T1003.002: Security Account Manager\r\n  T1003.003: NTDS\r\n  T1110.001: Password Guessing\r\n  T1110.003: Password Spraying\r\n  T1552.001: Credentials In Files\r\nDiscovery\r\n  T1007: System Service Discovery\r\n  T1012: Query Registry\r\n  T1016: System Network Configuration Discovery\r\n  T1018: Remote System Discovery\r\n  T1033: System Owner/User Discovery\r\n  T1046: Network Service Discovery\r\n  T1057: Process Discovery\r\n  T1082: System Information Discovery\r\n  T1083: File and Directory Discovery\r\n  T1087.001: Local Account\r\n  T1518: Software Discovery\r\nLateral Movement\r\n  T1021.001: Remote Desktop Protocol\r\n  T1021.002: SMB/Windows Admin Shares\r\nCollection\r\n  T1005: Data from Local System\r\n  T1074: Data Staged\r\n  T1113: Screen Capture\r\n  T1560: Archive Collected Data\r\n  T1560.001: Archive via Utility\r\nExfiltration\r\n  T1020: Automated Exfiltration\r\n  T1567: Exfiltration Over Web Service\r\n  T1567.002: Exfiltration to Cloud Storage\r\nCommand and Control\r\n  T1071.001: Web Protocols\r\n  T1090: Proxy\r\n  T1105: Ingress Tool Transfer\r\n  T1572: Protocol Tunneling\r\nImpact\r\n  T1489: Service Stop\r\nResource Development\r\n  T1608.002: Upload Tool\r\n  T1608.005: Link Target\r\nAcknowledgements\r\nThis analysis would not have been possible without the assistance from several individuals within Mandiant Consulting,\r\nGoogle Threat Intelligence Group and FLARE who helped with analysis and reviewing this blog post. We also appreciate\r\nAmazon for their collaboration against this threat.\r\nPosted in Threat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware/"
	],
	"report_names": [
		"unc6692-social-engineering-custom-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1777605040,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2aa556c2d121882837f2c0e1285fd78d8ee171a0.pdf",
		"text": "https://archive.orkl.eu/2aa556c2d121882837f2c0e1285fd78d8ee171a0.txt",
		"img": "https://archive.orkl.eu/2aa556c2d121882837f2c0e1285fd78d8ee171a0.jpg"
	}
}