TL;DR
A threat actor tracked as UNC6692 is deploying a new custom malware suite called 'Snow' via social engineering attacks on Microsoft Teams, compromising organizations with a browser extension, tunneler, and backdoor. This matters because it represents a shift toward multi-component malware delivered through trusted collaboration platforms, bypassing traditional email-based security defenses.
What Happened
On April 25, 2026, cybersecurity researchers revealed that a threat group known as UNC6692 has been leveraging Microsoft Teams to socially engineer victims into downloading and executing a new, custom malware suite dubbed 'Snow'. The attack chain begins with a convincing Teams message that tricks the target into installing a malicious payload, which then deploys three distinct components: a browser extension for data theft, a tunneler for persistent network access, and a backdoor for remote control.
Key Facts
- The threat actor is tracked as UNC6692, a group that specifically targets organizations using Microsoft Teams as their primary collaboration tool.
- The 'Snow' malware suite consists of three components: a browser extension, a tunneler, and a backdoor, each with distinct operational capabilities.
- The browser extension is designed to exfiltrate credentials, session cookies, and other sensitive data from compromised browsers.
- The tunneler component establishes a covert network channel to the attacker's command-and-control infrastructure, enabling lateral movement.
- The backdoor provides persistent remote access to the compromised system, allowing attackers to execute commands and deploy additional payloads.
- The initial infection vector relies on social engineering via Microsoft Teams chat messages, often impersonating IT support or trusted colleagues.
- BleepingComputer broke the story on April 25, 2026, citing research from cybersecurity firms tracking UNC6692's activities.
Breaking It Down
The Snow malware suite represents a significant evolution in threat actor tooling, moving beyond single-purpose malware toward a modular, integrated attack platform. By combining a browser extension, tunneler, and backdoor into a single deployment, UNC6692 has created a toolset that can simultaneously steal credentials, maintain persistent access, and enable lateral movement across a compromised network. This modular approach mirrors the tactics of advanced persistent threat (APT) groups but is now being deployed by a group that appears to have more opportunistic targeting.
The browser extension component is particularly concerning because it operates at the user's privilege level, making it difficult for traditional endpoint detection and response (EDR) systems to flag without behavioral analysis.
Unlike traditional malware that drops a single executable, the Snow browser extension lives within the browser's process space, where it can intercept all web traffic, including encrypted HTTPS sessions. This means that even organizations with robust network monitoring may miss the exfiltration of credentials and session tokens because the data appears to be normal browser traffic. The extension can also maintain persistence across browser updates and even survive a full system reboot if the browser is configured to restore sessions.
The use of Microsoft Teams as the delivery mechanism is a calculated move by UNC6692. Teams has become the central hub for internal communications in thousands of organizations, and employees are conditioned to trust messages from colleagues and IT support. By crafting convincing social engineering lures—often claiming a "security update" or "system maintenance" is required—the attackers bypass the skepticism that might greet an email from an unknown sender. This trust-by-default dynamic is a vulnerability that UNC6692 exploits with precision.
What Comes Next
The disclosure of the Snow malware suite will likely trigger a wave of defensive responses from both Microsoft and third-party security vendors. Organizations that rely heavily on Microsoft Teams should expect urgent guidance and potential configuration changes.
- Microsoft is expected to release a security advisory within the next 48–72 hours, likely recommending that organizations restrict Teams external access and implement application control policies to block unauthorized executable downloads.
- Antivirus and EDR vendors will push signature updates for the Snow malware components by April 28–30, 2026, but the custom nature of the malware means polymorphic variants may evade detection.
- CISA (Cybersecurity and Infrastructure Security Agency) may issue an emergency directive for federal agencies to audit Teams usage and review any recent suspicious chat messages involving file transfers or executable downloads.
- Security researchers will likely uncover additional Snow variants or related tools within 2–4 weeks, as UNC6692 may have deployed the malware across multiple sectors before this disclosure.
The Bigger Picture
This attack highlights two converging trends: Collaboration Platform Abuse and Modular Malware Ecosystems. As organizations have shifted to platforms like Microsoft Teams, Slack, and Zoom for daily operations, threat actors have followed. The Snow malware suite is the latest example of attackers weaponizing the very tools that employees rely on for productivity, turning trusted communication channels into infection vectors.
The modular nature of Snow also reflects a broader industry shift toward multi-stage attack chains that separate initial access from payload delivery. By using a browser extension for data theft, a tunneler for network access, and a backdoor for command execution, UNC6692 has created a toolkit that can be customized for different targets. This loose coupling means that even if one component is detected and removed, the others may remain operational, allowing the attacker to keep a foothold and redeploy the lost component.
Key Takeaways
- [Snow Malware Suite]: A new, custom malware suite comprising a browser extension, tunneler, and backdoor, deployed by UNC6692 via Microsoft Teams social engineering.
- [Microsoft Teams Vector]: The attack exploits trust in internal collaboration tools, bypassing traditional email security controls through convincing chat messages.
- [Modular Design]: The three-component architecture allows for persistent access and data theft even if one element is detected and removed.
- [Immediate Defensive Actions]: Organizations should restrict Teams external access, block executable downloads, and audit recent suspicious chat messages before signature updates arrive.
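The first of the defensive actions above, restricting Teams external access, can be applied with the MicrosoftTeams PowerShell module. This is an added example, not code from the article or from any vendor advisory; it assumes Teams administrator rights, that the module is installed, and that the federation-configuration parameter names shown (AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound) are available in the tenant, so check Get-Help Set-CsTenantFederationConfiguration before running it.

```powershell
# Added example (not from the article): tighten Microsoft Teams external access
# with the MicrosoftTeams module. Assumes Teams admin rights and that the parameter
# names below exist in this tenant; verify with Get-Help before use.
Connect-MicrosoftTeams

# 1. Capture the current (typically permissive) state for audit and rollback.
$before = Get-CsTenantFederationConfiguration
$before |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound |
    Format-List
$before | Export-Clixml -Path ".\teams-federation-before.xml"

# 2. Corrected state: no personal (consumer) Teams accounts, no unsolicited inbound
#    chats from consumer accounts, and cross-tenant federation switched off entirely.
#    A tenant that genuinely needs federation should keep AllowFederatedUsers on and
#    maintain an explicit allowed-domain list instead of blanket trust.
Set-CsTenantFederationConfiguration `
    -AllowPublicUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowFederatedUsers $false

# 3. Re-read the configuration and flag any setting that is still permissive.
$after = Get-CsTenantFederationConfiguration
$stillOpen = @('AllowFederatedUsers', 'AllowPublicUsers', 'AllowTeamsConsumer', 'AllowTeamsConsumerInbound') |
    Where-Object { $after.$_ -eq $true }
if ($stillOpen) {
    Write-Warning ("External access still enabled via: " + ($stillOpen -join ', '))
} else {
    Write-Output "Teams external access is now restricted; unsolicited external chats are blocked."
}
```

Pair this with an application-control policy that blocks unsigned executables downloaded through the Teams client, since the federation change only removes the external chat path the lure arrives through.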