Mallory
Malware | Ransomware | Used by 1 actor

SNOWBASIN

SNOWBASIN is a Python-based remote access backdoor/bindshell in the SNOW malware ecosystem used by threat cluster UNC6692. It operates as a persistent local HTTP server, typically listening on port 8000, with some reporting also noting ports 8001 or 8002. SNOWBASIN provides interactive control of infected systems and supports remote command execution via cmd.exe or powershell.exe, screenshot capture, file upload and download, data staging for exfiltration, and self-termination.

In the observed intrusion chain, UNC6692 used Microsoft Teams helpdesk impersonation and email bombing to socially engineer victims into installing a fake mailbox repair utility, which deployed SNOWBELT, a malicious Chromium extension, along with AutoHotkey scripts and a portable Python environment. SNOWBELT relayed operator commands to SNOWBASIN, while SNOWGLAZE, a Python-based tunneler, created authenticated WebSocket tunnels between victim networks and attacker infrastructure.

Reported command flow: commands were sent through the SNOWGLAZE tunnel, intercepted by SNOWBELT, proxied to SNOWBASIN over HTTP POST, executed locally, and returned through the same chain. SNOWBASIN was used to enable deeper network access, reconnaissance, and post-compromise operations in enterprise environments.
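As an added hunting example (not code from this page, from the vendor reports it summarizes, or from the UNC6692 toolset), the following Python turns the behaviour described above into scored checks over endpoint telemetry: a Python interpreter accepting loopback connections on tcp/8000-8002, that interpreter spawning cmd.exe or powershell.exe, and a Chromium browser (where SNOWBELT would run) sitting on the other end of the same loopback connection. The event schema and field names, the browser image list, the trusted-path prefixes and every sample event are constructed for this example; map the fields onto your own EDR or Sysmon export before running it on real data.

```python
"""Hunt for SNOWBASIN-style local HTTP bindshells in process and network telemetry.

Constructed example. Event schema (assumption, not a vendor format):
  {"type": "net",  "pid", "image", "initiated", "laddr", "lport", "raddr", "rport"}
  {"type": "proc", "pid", "parent_pid", "parent_image", "image", "cmdline"}
"""
from collections import defaultdict

WATCHED_PORTS = {8000, 8001, 8002}          # listening ports reported for SNOWBASIN
SHELLS = {"cmd.exe", "powershell.exe"}      # interpreters SNOWBASIN is reported to execute through
PY_IMAGES = {"python.exe", "pythonw.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}   # assumption: Chromium builds an extension could load in
LOOPBACK = {"127.0.0.1", "::1"}
TRUSTED_PY_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")  # assumption: system-wide installs


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def collect_signals(events):
    """Walk the events once. Returns per-pid tags, per-pid interpreter image paths,
    the (server_port, client_port) tuples seen from the Python listener side and
    the same tuples seen from the browser side, so the two can be matched exactly."""
    tags = defaultdict(lambda: defaultdict(list))
    images = {}
    server_side = defaultdict(set)
    browser_side = set()
    for e in events:
        if e["type"] == "net":
            img = basename(e["image"])
            if (not e["initiated"] and img in PY_IMAGES
                    and e["laddr"] in LOOPBACK and e["lport"] in WATCHED_PORTS):
                images[e["pid"]] = e["image"]
                tags[e["pid"]]["listen"].append(f"{img} accepted loopback tcp/{e['lport']}")
                server_side[e["pid"]].add((e["lport"], e["rport"]))
            elif (e["initiated"] and img in BROWSERS
                    and e["raddr"] in LOOPBACK and e["rport"] in WATCHED_PORTS):
                tags[e["pid"]]["browser_relay"].append(f"{img} connected to loopback tcp/{e['rport']}")
                browser_side.add((e["rport"], e["lport"]))
        elif e["type"] == "proc":
            if basename(e["parent_image"]) in PY_IMAGES and basename(e["image"]) in SHELLS:
                images[e["parent_pid"]] = e["parent_image"]
                tags[e["parent_pid"]]["shell"].append(
                    f"python spawned {basename(e['image'])}: {e['cmdline']}")
    return tags, images, server_side, browser_side


def triage(events):
    """Score every flagged pid and return [(pid, severity, reasons)], worst first.
    A dev server on 8000 or a build script calling powershell.exe alone stays low/medium;
    a listener that is also the shell's parent and has a browser as its peer goes high."""
    tags, images, server_side, browser_side = collect_signals(events)
    results = []
    for pid, t in tags.items():
        reasons = [r for rs in t.values() for r in rs]
        score = 0
        if "listen" in t:
            score += 1
        if "shell" in t:
            score += 2
        if "listen" in t and "shell" in t:
            score += 1      # bindshell pattern: the listener is the shell's parent
        if server_side[pid] & browser_side:
            score += 2      # a browser is the peer of this exact loopback connection
            reasons.append("browser is the peer of the loopback connection (extension relay)")
        if pid in images and not images[pid].lower().startswith(TRUSTED_PY_PREFIXES):
            score += 1      # portable interpreter dropped outside the usual install roots
            reasons.append(f"interpreter runs from a non-standard path: {images[pid]}")
        severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
        results.append((pid, severity, reasons))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(results, key=lambda r: (order[r[1]], r[0]))


SAMPLE_EVENTS = [  # constructed telemetry, not real captures
    {"type": "net", "pid": 4312, "initiated": False,
     "image": r"C:\Users\alice\AppData\Local\MailboxRepair\python\python.exe",
     "laddr": "127.0.0.1", "lport": 8000, "raddr": "127.0.0.1", "rport": 51522},
    {"type": "net", "pid": 2208, "initiated": True,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "laddr": "127.0.0.1", "lport": 51522, "raddr": "127.0.0.1", "rport": 8000},
    {"type": "proc", "pid": 5004, "parent_pid": 4312,
     "parent_image": r"C:\Users\alice\AppData\Local\MailboxRepair\python\python.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "proc", "pid": 9101, "parent_pid": 9100,   # benign-looking build step
     "parent_image": r"C:\Program Files\Python312\python.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File build.ps1"},
    {"type": "net", "pid": 7777, "initiated": False,    # benign dev server on 8000
     "image": r"C:\Program Files\Python312\python.exe",
     "laddr": "127.0.0.1", "lport": 8000, "raddr": "127.0.0.1", "rport": 60002},
]

if __name__ == "__main__":
    for pid, severity, reasons in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {severity}")
        for reason in reasons:
            print("   -", reason)
```

The port list is a starting point, not a signature: the description notes 8000 as typical with 8001/8002 also reported, so the strongest signal is the combination (Python listener, shell child, browser peer on the same connection) rather than any one port. Matching the browser to the listener by the full (server port, client port) pair is what keeps a developer's local web server on 8000 from being scored as the relay.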


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

UNC6692

Finally, SnowBasin is a Python bindshell providing interactive control over the infected system. It serves as a persistent backdoor, operating as a local HTTP server and typically listening on port 8000, allowing remote command execution, screenshot capture, and data staging for exfiltration.

Source: The Register, Security section (theregister.com)
MITRE ATT&CK

Techniques & procedures

22 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583.006 Web Services (evidence: 1)

...its systematic abuse of legitimate cloud services for every stage of the attack: payload delivery, credential exfiltration, C2 infrastructure, and data staging, all of which relied on trusted platforms like AWS S3 and Heroku.

Initial Access

5 techniques
T1133 External Remote Services (evidence: 1)

The hacker sends a link to a fake “Mailbox Repair” utility or asks the victim to open remote access tools like Quick Assist. Either way, they install the SNOW malware suite.

T1189 Drive-by Compromise (evidence: 1)

Once it's clicked, it leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket.

T1566 Phishing (evidence: 5)

Step 2 — The helper arrives on Teams. Right away, an external Microsoft Teams account named “IT Helpdesk” messages the victim. The hacker offers to fix the email issue immediately.

T1566.002 Spearphishing Link (evidence: 1)

The fake helpdesk worker prompts the user to click a link that supposedly installs a local patch that prevents email spamming. This directs victims to a landing page masquerading as a 'Mailbox Repair Utility'...

T1566.003 Spearphishing via Service (evidence: 2)

Step 2 — The helper arrives on Teams. Right away, an external Microsoft Teams account named “IT Helpdesk” messages the victim. The hacker offers to fix the email issue immediately.

Execution

6 techniques
T1059 Command and Scripting Interpreter (evidence: 3)

The first stage downloads an AutoHotKey binary and an AutoHotkey script, which immediately starts performing reconnaissance... SnowGlaze is a Python-based tunneler... Finally, SnowBasin is a Python bindshell...

T1059.001 PowerShell (evidence: 2)

SNOWBASIN... enable[s] remote command execution via "cmd.exe" or "powershell.exe"

T1059.003 Windows Command Shell (evidence: 2)

SNOWBASIN... enable[s] remote command execution via "cmd.exe" or "powershell.exe"

T1059.006 Python (evidence: 1)

...a ZIP archive containing a portable Python executable and required libraries. SnowGlaze is a Python-based tunneler... Finally, SnowBasin is a Python bindshell...

T1204 User Execution (evidence: 1)

...to trick victims into installing a fake fix for email issues. The attack delivered AutoHotKey-based loaders...

T1204.002 Malicious File (evidence: 1)

Once it's clicked, it leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket.

Persistence

1 technique
T1133 External Remote Services (evidence: 1)

The hacker sends a link to a fake “Mailbox Repair” utility or asks the victim to open remote access tools like Quick Assist. Either way, they install the SNOW malware suite.

Credential Access

1 technique
T1555 Credentials from Password Stores (evidence: 1)

SNOWBELT is a malicious Chromium browser extension that acts as a backdoor, harvesting saved credentials and session cookies.

Discovery

2 techniques
T1033 System Owner/User Discovery (evidence: 1)

Attacker commands (such as whoami or net user) are sent through the SnowGlaze tunnel...

T1046 Network Service Discovery (evidence: 2)

...allowing deeper network access and reconnaissance.

Lateral Movement

1 technique
T1021 Remote Services (evidence: 1)

It serves as a persistent backdoor, operating as a local HTTP server and typically listening on port 8000, allowing remote command execution, screenshot capture, and data staging for exfiltration.

Collection

2 techniques
T1074 Data Staged (evidence: 1)

...allowing remote command execution, screenshot capture, and data staging for exfiltration.

T1113 Screen Capture (evidence: 4)

It serves as a persistent backdoor... allowing remote command execution, screenshot capture, and data staging for exfiltration.

Command and Control

3 techniques
T1095 Non-Application Layer Protocol (evidence: 1)

Finally, SnowBasin is a Python bindshell providing interactive control over the infected system.

Note on this mapping: the description above has SNOWBELT handing commands to SNOWBASIN over HTTP POST, which is an application-layer protocol, so T1071.001 (Web Protocols) describes the reported transport more precisely than T1095, which covers protocols below the application layer.

T1105 Ingress Tool Transfer (evidence: 3)

Once installed, the extension can download additional components, including malware tools dubbed SnowGlaze and SnowBasin, along with AutoHotkey scripts and a portable Python environment used to run further malicious code.

T1219 Remote Access Tools (evidence: 2)

SNOWBASIN is a remote access backdoor.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

...credentials and metadata are sent to an attacker-controlled Amazon S3 bucket... SnowBasin is a Python bindshell... allowing... data staging for exfiltration.

INDICATORS OF COMPROMISE

IOCs tracked for this family

6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory; they are withheld on this public page.

Hashes
6 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
hash.sha256 | (withheld on public page) | 2 months ago
hash.sha256 | (withheld on public page) | 2 months ago
hash.sha256 | (withheld on public page) | 2 months ago
hash.sha256 | (withheld on public page) | 2 months ago
hash.sha256 | (withheld on public page) | 2 months ago
hash.sha256 | (withheld on public page) | 2 months ago