
SNOW
UNC6692's modular malware ecosystem; SNOWBELT browser backdoor, SNOWGLAZE tunneller, SNOWBASIN RCE server.
Last refreshed: 30 April 2026 · Appears in 1 active topic
How do you detect SNOW when its browser-extension component hides inside normal Chrome extension processes?
Timeline for SNOW
Enabled lateral movement, credential harvesting and exfiltration via browser extension and Python tunneler
Cybersecurity: Threats and Defences: UNC6692 runs SNOW through Microsoft TeamsWhat is the SNOW malware and how does it work?
How is SNOW malware different from traditional endpoint malware?
What should I look for to detect SNOW on a compromised system?
Background
SNOW is the modular malware ecosystem deployed by China-nexus threat cluster UNC6692, disclosed by Google's Threat Intelligence Group on 23 April 2026. It comprises three components working in sequence: SNOWBELT is a malicious Chromium browser extension and JavaScript backdoor installed after the victim downloads an AutoHotkey script via a Microsoft Teams IT-support impersonation; SNOWGLAZE is a Python-based tunneller that creates WebSocket connections providing SOCKS proxy capability and data-exfiltration paths; and SNOWBASIN is a Python local HTTP server that enables Remote Code Execution, file operations, and screenshot capture on the compromised host.
SNOW's architecture is specifically designed to evade traditional endpoint detection. SNOWBELT runs inside the browser process, where most endpoint detection and response (EDR) tools have limited visibility into JavaScript execution within browser extensions. SNOWGLAZE routes its traffic through AWS S3 and Heroku endpoints — legitimate cloud services that appear on most corporate allow-lists — replicating the C2-masking technique used by BRICKSTORM, the Go-language hypervisor implant from UNC5221 that achieved 393 days average dwell. After SNOW achieves persistence, lateral movement runs through standard Windows credential-harvesting from LSASS and pass-the-hash to domain controllers.
SNOW targets the same UK law firm and business process outsourcer (BPO) profile that BRICKSTORM sat inside for over a year. The two malware families represent different layers of the same adversary ecosystem: BRICKSTORM sits below the operating system in the hypervisor, invisible to EDR; SNOW operates inside the browser and developer toolchain, visible to EDR but designed to look like legitimate extension and cloud-service traffic. Together they illustrate a multi-vector approach where China-nexus actors maintain persistent access across both the hardware-virtualisation layer and the application layer simultaneously.