
UNC6692
China-nexus cluster deploying SNOW malware via Teams IT-support impersonation against law firms.
Last refreshed: 30 April 2026 · Appears in 1 active topic
Is your Microsoft Teams external-contact policy hardened against IT helpdesk impersonation by UNC6692?
Timeline for UNC6692
- Provided the operational backdrop for a CSIS paper published six days after the Axios compromise. Topic: Cybersecurity: Threats and Defences: CSIS calls for operational US-ROK cyber alliance
- Phished an Axios npm maintainer and planted WAVESHAPER.V2 in versions v1.14.1 and v0.30.4. Topic: Cybersecurity: Threats and Defences: UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing. Mentioned in: Three supply-chain hits in thirteen days (Cybersecurity: Threats and Defences)
- Deployed SNOW malware via Microsoft Teams IT-support impersonation against law firms and BPOs. Topic: Cybersecurity: Threats and Defences: UNC6692 runs SNOW through Microsoft Teams

- How does UNC6692 use Microsoft Teams to compromise organisations?
- UNC6692 first floods a target's email inbox to overwhelm them, then contacts the same person via Microsoft Teams posing as internal IT support. The target is persuaded to download an AutoHotkey script that installs the SNOW malware ecosystem, which includes a browser-extension backdoor, a Python tunneller for data exfiltration, and a Remote Code Execution server. Source: Google Threat Intelligence Group / Mandiant
- What is the difference between UNC6692 and the BRICKSTORM cluster?
- BRICKSTORM (attributed to UNC5221) deploys a Go-language backdoor on VMware vCenter and ESXi hypervisors with an average 393-day dwell time. UNC6692 operates at a different layer: it uses Teams social engineering and browser-extension malware to harvest credentials from the application and endpoint layer. Both target UK law firms and BPOs, and both mask C2 through AWS and Heroku. Source: Mandiant M-Trends 2026
- How can law firms defend against UNC6692 Teams impersonation attacks?
- Restrict Microsoft Teams external-contact permissions so that only verified partner organisations can initiate chats. Configure Teams to flag or block message requests from accounts outside your tenant. Train staff to verify IT support requests through a separate authentication channel before downloading any scripts or tools sent via Teams.
- Why does UNC6692 use AWS and Heroku for command and control?
- Routing C2 traffic through AWS S3 and Heroku means network security tools see outbound traffic to well-known cloud services that appear on most allow-lists by default. BRICKSTORM used the same technique to achieve a 393-day average dwell time in corporate networks; UNC6692 applying the same method confirms it is a deliberate and effective tradecraft choice. Source: Google Threat Intelligence Group
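One way to apply the first two defensive measures above (an external-contact allow list, and blocking chat requests from accounts outside the tenant) is through the Teams admin PowerShell module. The script below is an added example, not code from this page or from Google/Mandiant; it assumes the MicrosoftTeams PowerShell module, a Teams administrator account, and two placeholder partner domains (partner-firm.example and outsourcer.example). Cmdlet and parameter names are the module's documented ones.

```powershell
# Added example (not from the page or from Google/Mandiant).
# Goal: replace open Teams federation (any tenant may message your users) with an
# explicit allow list of verified partners, and shut off consumer/unmanaged accounts,
# so an outside "IT helpdesk" cannot start a chat with staff in the first place.
# Placeholder domains: partner-firm.example, outsourcer.example

Connect-MicrosoftTeams

# 1. Capture the current tenant-wide federation settings before changing anything,
#    so the change can be reviewed and rolled back if a legitimate partner is missed.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer,
                        AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains |
    Format-List

# 2. Keep federation on, but only for the named partner tenants. Adding domains to the
#    allow list switches the tenant from "allow all except blocked" to "allow only listed".
$partnerDomains = @("partner-firm.example", "outsourcer.example")   # placeholders
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @{Add = $partnerDomains} `
    -AllowPublicUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 3. Align the global external access policy so personal (consumer) Teams accounts and
#    public cloud users cannot reach staff even if the tenant setting is later reopened.
Set-CsExternalAccessPolicy -Identity Global `
    -EnableFederationAccess $true `
    -EnablePublicCloudAccess $false `
    -EnableTeamsConsumerAccess $false `
    -EnableTeamsConsumerInbound $false

# 4. Verify the outcome: fail loudly if unmanaged accounts can still start inbound chats,
#    and print the resulting allow list for the administrator to confirm.
$after = Get-CsTenantFederationConfiguration
if ($after.AllowTeamsConsumerInbound -or $after.AllowPublicUsers) {
    throw "Inbound chat from consumer/public accounts is still enabled"
}
Write-Host "Federation now limited to:" 
$after.AllowedDomains | Format-List
```

Run this from an administrative workstation, then confirm that a test account in a non-listed tenant can no longer open a chat with a user in your tenant. Because the allow list replaces open federation, every external organisation that legitimately chats with your staff must be added before the change, and the third measure on the page (out-of-band verification of IT support requests) still applies to listed partners and to impersonation from inside the tenant.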
Background
UNC6692 is a China-nexus threat cluster disclosed by Google's Threat Intelligence Group (Mandiant) on 23 April 2026. The cluster runs a sophisticated social-engineering campaign that deploys the modular SNOW malware ecosystem through Microsoft Teams IT-support impersonation, targeting law firms, business process outsourcers (BPOs), and software-as-a-service providers, the same sector profile in which BRICKSTORM/UNC5221 sat undetected for 393 days according to Mandiant's M-Trends 2026 report.
UNC6692's attack flow begins with a large email campaign designed to overwhelm the target's inbox, then shifts to Teams, where attackers impersonate the target organisation's IT helpdesk. Targets are persuaded to download an AutoHotkey script that installs the three SNOW components: SNOWBELT (a malicious Chromium browser extension and JavaScript backdoor), SNOWGLAZE (a Python tunneller that creates WebSocket connections for SOCKS proxy and data exfiltration), and SNOWBASIN (a Python local HTTP server providing Remote Code Execution, file operations, and screenshots). Command-and-control uses AWS S3 and Heroku — the same cloud-service masking technique employed by BRICKSTORM, where legitimate cloud traffic makes malicious C2 indistinguishable from normal enterprise SaaS usage.
UNC6692 represents the evolution of social-engineering TTPs from email phishing to chat-based helpdesk impersonation, exploiting the trust employees extend to internal IT support channels. The Teams vector is particularly effective because most organisations have not applied the same scrutiny to Teams external-contact policies that they apply to email. After initial access, lateral movement uses standard Windows credential harvesting from LSASS followed by pass-the-hash against domain controllers. For UK law firms and BPOs already named as BRICKSTORM targets, UNC6692 extends the adversary surface to credential theft via browser extension alongside the hypervisor-layer persistence Mandiant previously disclosed.