
🎯Basically, a new hacker group pretends to be IT helpdesk staff to trick people into installing malware.
What Happened
A previously undocumented threat activity cluster known as UNC6692 has emerged, utilizing social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. This group has been observed impersonating IT helpdesk employees to convince victims to accept chat invitations from external accounts.
How It Works
The attack begins with a large email campaign designed to overwhelm targets' inboxes with spam, creating a sense of urgency. Following this, UNC6692 contacts victims through Microsoft Teams, posing as IT support to assist with the email issue. This tactic mirrors strategies used by former affiliates of the Black Basta group, which has since ceased its ransomware operations.
The attackers instruct victims to click a phishing link in the Teams chat, which downloads an AutoHotkey script from a threat-actor-controlled AWS S3 bucket. This script performs reconnaissance and installs SNOWBELT, a malicious Chromium-based browser extension, in the victim's Edge browser.
Who's Being Targeted
From March 1 to April 1, 2026, 77% of observed incidents targeted senior-level employees, an increase from 59% in the previous months. This highlights the group's focus on high-value targets within organizations, aiming for data theft, lateral movement, and potential ransomware deployment.
Signs of Infection
Victims may notice unusual Teams messages from supposed IT personnel, requests to install software for email issues, or unexpected browser behavior after clicking links. The malicious browser extension can facilitate further exploitation and data exfiltration.
How to Protect Yourself
Organizations should implement strict verification processes for helpdesk interactions, especially through collaboration tools like Microsoft Teams. Additionally, they should:
Detection
1. Enforce help desk verification workflows to confirm identities.
2. Tighten external Teams controls to limit interactions with unknown accounts.
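The attack chain in "How It Works" and the detection controls above map onto a simple ordered correlation: an inbox flood, then a chat from a tenant-external Teams account, then an AutoHotkey launch fetching a script from S3, then an unexpected Edge extension install. The rule below is an added example, not code from the original write-up; the event schema, field names, timestamps and the two-hour window are assumptions, and all events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # assumed: all stages must fall within this span
STAGES = ["email_bomb", "external_teams_chat", "ahk_from_s3", "edge_extension"]

def classify(ev):
    """Map one constructed event to a stage of the described chain, or None."""
    kind, d = ev["kind"], ev["detail"]
    if kind == "mail_burst" and d.get("count", 0) >= 100:      # inbox flooded with spam
        return "email_bomb"
    if kind == "teams_chat" and d.get("sender_external"):       # chat from outside the tenant
        return "external_teams_chat"
    if (kind == "process" and "autohotkey" in d.get("image", "").lower()
            and "s3.amazonaws.com" in d.get("cmdline", "").lower()):  # AHK script from S3
        return "ahk_from_s3"
    if kind == "edge_extension_install":                        # new Chromium extension on Edge
        return "edge_extension"
    return None

def correlate(events, window=WINDOW):
    """Return {user: [stages]} for users whose events hit at least the first
    three stages, in order, with every stage inside `window` of the first."""
    matched = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None:
            continue
        seq = matched.setdefault(ev["user"], [])
        if seq and ev["ts"] - seq[0][1] > window:
            seq.clear()                                  # stale partial match: start over
        if len(seq) < len(STAGES) and stage == STAGES[len(seq)]:
            seq.append((stage, ev["ts"]))
    return {u: [s for s, _ in seq] for u, seq in matched.items() if len(seq) >= 3}

# Constructed sample telemetry (hypothetical users, paths and bucket name).
T = datetime(2026, 3, 10, 9, 0)
EVENTS = [
    {"ts": T, "user": "alice", "kind": "mail_burst", "detail": {"count": 450}},
    {"ts": T + timedelta(minutes=20), "user": "alice", "kind": "teams_chat",
     "detail": {"sender_external": True, "display_name": "IT Helpdesk"}},
    {"ts": T + timedelta(minutes=35), "user": "alice", "kind": "process",
     "detail": {"image": "C:\\Temp\\AutoHotkey.exe",
                "cmdline": "AutoHotkey.exe https://example-bucket.s3.amazonaws.com/x.ahk"}},
    {"ts": T + timedelta(minutes=40), "user": "alice", "kind": "edge_extension_install",
     "detail": {"name": "placeholder-extension"}},
    # bob: spam burst followed by a genuine internal helpdesk chat, nothing else
    {"ts": T, "user": "bob", "kind": "mail_burst", "detail": {"count": 300}},
    {"ts": T + timedelta(minutes=15), "user": "bob", "kind": "teams_chat",
     "detail": {"sender_external": False, "display_name": "IT Helpdesk"}},
]

if __name__ == "__main__":
    print(correlate(EVENTS))  # flags alice with all four stages; bob is not flagged
```

Requiring the first three stages in order keeps a spam burst plus a legitimate internal helpdesk chat from firing on its own, which is where a verified-helpdesk workflow and tighter external Teams access cut the chain before the script ever runs.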
Removal
Conclusion
The UNC6692 campaign demonstrates an evolution in tactics, emphasizing social engineering and custom malware. By exploiting trust in enterprise software and utilizing legitimate cloud services for payload delivery, attackers can bypass traditional security measures. Organizations must remain vigilant and adapt their defenses to counter these sophisticated threats.
🔒 Pro insight: The UNC6692 campaign illustrates a sophisticated blend of social engineering and malware deployment, necessitating enhanced defenses against such tactics.