SNOW
Tags: Technology · CN


UNC6692's modular malware ecosystem: SNOWBELT browser backdoor, SNOWGLAZE tunneller, SNOWBASIN RCE server.

Last refreshed: 30 April 2026

Key Question

How do you detect SNOW when its browser-extension component hides inside normal Chrome extension processes?

Timeline for SNOW

#2 · 23 Apr

Enabled lateral movement, credential harvesting and exfiltration via browser extension and Python tunneller

Topic: Cybersecurity: Threats and Defences: UNC6692 runs SNOW through Microsoft Teams
Common Questions
What is the SNOW malware and how does it work?
SNOW is a three-component malware ecosystem used by the China-nexus group UNC6692. SNOWBELT is a malicious Chromium browser extension installed after a Microsoft Teams social-engineering lure; SNOWGLAZE is a Python tunneller that routes traffic through AWS and Heroku; SNOWBASIN is a Python local server that gives the operator remote code execution on the victim host. (Source: Google Threat Intelligence Group)
How is SNOW malware different from traditional endpoint malware?
SNOW's browser-extension component (SNOWBELT) runs inside the browser process, where EDR tools have limited visibility into the JavaScript that extensions execute. Its C2 traffic is relayed through AWS and Heroku, so it blends in with ordinary SaaS usage instead of standing out as a new executable or an unfamiliar destination. Together these choices make SNOW harder to catch with standard endpoint and network controls than executable-based malware. (Source: Mandiant)
What should I look for to detect SNOW on a compromised system?
Look for unexpected Chromium browser extensions that appeared around or after suspicious Teams conversations. Monitor for Python processes opening WebSocket or other outbound connections to AWS S3 or Heroku endpoints that no known application accounts for. Check for AutoHotkey script execution that preceded the extension's installation; the sequence AutoHotkey run, new extension, Python relay traffic on a single host is the pattern worth correlating. (Source: Google Threat Intelligence Group)
What sectors does UNC6692's SNOW malware target?
Mandiant's disclosure describes UNC6692 deploying SNOW against law firms, business process outsourcers (BPOs) and SaaS providers. That is the same sector profile in which BRICKSTORM, from the China-nexus UNC5221 cluster, was found, which suggests deliberate overlap in China-linked targeting of professional-services firms. (Source: Mandiant)

Background

SNOW is the modular malware ecosystem deployed by the China-nexus threat cluster UNC6692 and disclosed by Google's Threat Intelligence Group on 23 April 2026. It comprises three components that work in sequence. SNOWBELT is a malicious Chromium browser extension and JavaScript backdoor; it is installed after the victim, lured by an IT-support impersonator on Microsoft Teams, downloads and runs an AutoHotkey script. SNOWGLAZE is a Python-based tunneller that opens WebSocket connections to provide SOCKS proxy capability and data-exfiltration paths. SNOWBASIN is a Python local HTTP server that gives the operator remote code execution, file operations and screenshot capture on the compromised host.

SNOW's architecture is designed to evade traditional endpoint detection. SNOWBELT runs inside the browser process, where most endpoint detection and response (EDR) tools have limited visibility into JavaScript executing within browser extensions. SNOWGLAZE routes its traffic through AWS S3 and Heroku endpoints, legitimate cloud services that appear on most corporate allow-lists, replicating the C2-masking technique used by BRICKSTORM, the Go-language hypervisor implant from UNC5221 that achieved an average dwell time of 393 days. Once SNOW has persistence, lateral movement proceeds through standard Windows tradecraft: credential harvesting from LSASS and pass-the-hash against domain controllers.
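The detection hints in Common Questions and the evasion design described above reduce to one host-level correlation: an AutoHotkey run, then a browser extension that did not arrive through the Web Store, then a Python process talking to AWS or Heroku. The script below is an added example written for this page, not tooling from GTIG or Mandiant. It assumes process-create, extension-install and network-connect records have already been normalised into simple dicts with Sysmon-style field names; the host names, extension IDs, destinations and the "webstore" versus "unpacked" install-source field are all constructed, and the time windows and the two-indicator threshold are tuning assumptions, not values from the disclosure.

```python
"""Correlate SNOW-style host activity: AutoHotkey run -> sideloaded extension
-> python.exe relay traffic to AWS/Heroku. Added example for this page, not
GTIG/Mandiant code. Every record below is constructed sample telemetry."""
from datetime import datetime, timedelta
from ntpath import basename  # records carry Windows paths

# Relay infrastructure the page attributes to SNOWGLAZE. Suffix matching is an
# assumed, coarse heuristic: plenty of benign software uses these clouds, so a
# match only counts when the other indicators line up on the same host.
RELAY_SUFFIXES = (".amazonaws.com", ".herokuapp.com")
AHK_BEFORE = timedelta(hours=2)     # assumed window: AutoHotkey before the install
TUNNEL_AFTER = timedelta(hours=24)  # assumed window: relay traffic after the install
MIN_INDICATORS = 2                  # assumed threshold for raising an alert

# Constructed sample events (assumed schema: Sysmon-like process/netconn records
# plus an "extension" record derived from the browser's Preferences file).
EVENTS = [
    {"ts": "2026-04-20T09:01:10", "host": "WS-LAW-042", "type": "process",
     "image": r"C:\Users\jdoe\Downloads\AutoHotkey.exe",
     "cmdline": "AutoHotkey.exe teams-support-fix.ahk"},
    {"ts": "2026-04-20T09:02:40", "host": "WS-LAW-042", "type": "extension",
     "ext_id": "aaaabbbbccccddddeeeeffffgggghhhh", "name": "Helpdesk Connector",
     "source": "unpacked"},
    {"ts": "2026-04-20T09:05:05", "host": "WS-LAW-042", "type": "netconn",
     "image": r"C:\Users\jdoe\AppData\Local\Programs\Python\python.exe",
     "dest": "files-1234.s3.amazonaws.com", "port": 443},
    {"ts": "2026-04-20T09:05:30", "host": "WS-LAW-042", "type": "netconn",
     "image": r"C:\Users\jdoe\AppData\Local\Programs\Python\python.exe",
     "dest": "quiet-river-5678.herokuapp.com", "port": 443},
    # Benign noise: a Web Store extension and a developer's python hitting PyPI ...
    {"ts": "2026-04-20T10:00:00", "host": "WS-DEV-007", "type": "extension",
     "ext_id": "ppppoooonnnnmmmmllllkkkkjjjjiiii", "name": "Corp SSO Helper",
     "source": "webstore"},
    {"ts": "2026-04-20T10:01:00", "host": "WS-DEV-007", "type": "netconn",
     "image": r"C:\Python312\python.exe", "dest": "pypi.org", "port": 443},
    # ... and an unpacked extension on a dev box with nothing else around it.
    {"ts": "2026-04-20T11:00:00", "host": "WS-DEV-007", "type": "extension",
     "ext_id": "qqqqrrrrssssttttuuuuvvvvwwwwxxxx", "name": "My Test Ext",
     "source": "unpacked"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_autohotkey(ev):
    """Process-create record whose image is an AutoHotkey interpreter."""
    return ev["type"] == "process" and basename(ev["image"]).lower().startswith("autohotkey")


def is_python_relay_conn(ev):
    """python*.exe connecting to an AWS or Heroku hostname."""
    if ev["type"] != "netconn":
        return False
    exe = basename(ev["image"]).lower()
    return exe.startswith("python") and ev["dest"].lower().endswith(RELAY_SUFFIXES)


def correlate(events):
    """Return one alert per extension install with >= MIN_INDICATORS SNOW-like signals."""
    evs = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for inst in (e for e in evs if e["type"] == "extension"):
        t0 = parse_ts(inst["ts"])
        on_host = [e for e in evs if e["host"] == inst["host"]]
        indicators = []
        if inst["source"] != "webstore":
            indicators.append("extension not installed from the Chrome Web Store")
        if any(is_autohotkey(e) and t0 - AHK_BEFORE <= parse_ts(e["ts"]) <= t0
               for e in on_host):
            indicators.append("AutoHotkey executed shortly before the install")
        relay = sorted({e["dest"] for e in on_host
                        if is_python_relay_conn(e)
                        and t0 <= parse_ts(e["ts"]) <= t0 + TUNNEL_AFTER})
        if relay:
            indicators.append("python.exe reached relay hosts after the install: "
                              + ", ".join(relay))
        if len(indicators) >= MIN_INDICATORS:
            alerts.append({"host": inst["host"], "ext_id": inst["ext_id"],
                           "name": inst["name"], "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"[ALERT] {a['host']} extension {a['ext_id']} ({a['name']})")
        for i in a["indicators"]:
            print("   -", i)
```

Run as-is it raises exactly one alert, for WS-LAW-042, carrying all three indicators; the developer workstation's Web Store extension scores zero and its lone unpacked test extension scores one, below the threshold. The point of the threshold is the one the page makes: each signal on its own (a sideloaded extension, a Python process reaching AWS) is routine in a corporate estate, and it is the ordering on one host that separates SNOW from noise.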

SNOW targets the same UK law firm and business process outsourcer (BPO) profile that BRICKSTORM sat inside for over a year. The two malware families represent different layers of the same adversary ecosystem: BRICKSTORM sits below the operating system in the hypervisor, invisible to EDR; SNOW operates inside the browser and developer toolchain, visible to EDR but designed to look like legitimate extension and cloud-service traffic. Together they illustrate a multi-vector approach where China-nexus actors maintain persistent access across both the hardware-virtualisation layer and the application layer simultaneously.

Source Material