Snow
Snow is a custom malware suite associated with the threat actor UNC6692. It is deployed through a social-engineering intrusion chain that combines email bombing with Microsoft Teams helpdesk impersonation to pressure victims into opening a phishing link presented as a spam fix or security patch. The delivered toolset includes SnowBelt, a malicious browser extension used for persistence and command relay; SnowGlaze, a tunneler that establishes WebSocket communications and supports SOCKS proxying; and SnowBasin, a Python-based backdoor that runs a local HTTP server and supports remote shell access, execution of CMD and PowerShell commands, file download and management, screenshot capture, data exfiltration, and self-termination. Reported persistence mechanisms include scheduled tasks and a startup-folder shortcut, and SnowBelt was observed running in a headless Microsoft Edge instance to reduce its visibility to the user.

After initial compromise, UNC6692 was observed conducting internal reconnaissance, scanning for SMB and RDP services, dumping LSASS for credential theft, using pass-the-hash for lateral movement, and ultimately reaching domain controllers. In the final stage of observed intrusions, the actor used FTK Imager to collect the Active Directory database along with the SYSTEM, SAM, and SECURITY registry hives, then exfiltrated the stolen data using LimeWire. The objective described in the reporting is theft of sensitive data following deep network compromise and domain takeover.

Separately, "Snow" is also the name of an ITG23-related crypter referenced by IBM X-Force in campaigns involving Hive0118/TA577; no further technical detail is provided for that crypter.
Groups observed using it
1 distinct threat actor attributed by public researchers.
A threat group tracked as UNC6692 uses social engineering to deploy a new, custom malware suite named “Snow,” which includes a browser extension, a tunneler, and a backdoor.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Custom malware suite used after social-engineering-based initial access to steal sensitive data following deep network compromise. It includes SnowBelt for persistence and command relay, SnowGlaze for WebSocket tunneling and SOCKS proxying, and SnowBasin, a Python-based backdoor that provides remote shell access, command execution, data exfiltration, file download, screenshot capture, and file management.
SNOW is used after initial phishing-based access to enable lateral movement and data exfiltration within the victim network.
Crypter used in campaigns associated with ITG23-related activity to protect/obfuscate delivered malware payloads.