SNOWBELT

its systematic abuse of legitimate cloud services for every stage of the attack payload delivery, credential exfiltration, C2 infrastructure, and data staging, all of which relied on trusted platforms like AWS S3 and Heroku.

SnowBelt functions as a backdoor that allows attackers to maintain access to corporate accounts and move through internal systems without repeated authentication.

The hacker sends a link to a fake “Mailbox Repair” utility or asks the victim to open remote access tools like Quick Assist. Either way, they install the SNOW malware suite.

Once it's clicked, it leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket.

Step 2 — The helper arrives on Teams Right away, an external Microsoft Teams account named “IT Helpdesk” messages the victim. The hacker offers to fix the email issue immediately.

The fake helpdesk worker prompts the user to click a link that supposedly installs a local patch that prevents email spamming. This directs victims to a landing page masquerading as a 'Mailbox Repair Utility'...

Step 2 — The helper arrives on Teams Right away, an external Microsoft Teams account named “IT Helpdesk” messages the victim. The hacker offers to fix the email issue immediately.

SNOWBELT maintained persistence through a Windows Startup folder shortcut, two scheduled tasks, and a headless Microsoft Edge process silently loading the extension.

The extension executes on a headless Microsoft Edge instance, so the victim doesn’t notice anything, while scheduled tasks and a startup folder shortcut are also created for persistence.

The first stage downloads an AutoHotKey binary and an AutoHotkey script, which immediately starts performing reconnaissance... SnowGlaze is a Python-based tunneler... Finally, SnowBasin is a Python bindshell...

...to trick victims into installing a fake fix for email issues. The attack delivered AutoHotKey-based loaders...

Once it's clicked, it leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket.

SNOWBELT maintained persistence through a Windows Startup folder shortcut, two scheduled tasks, and a headless Microsoft Edge process silently loading the extension.

The extension executes on a headless Microsoft Edge instance, so the victim doesn’t notice anything, while scheduled tasks and a startup folder shortcut are also created for persistence.

SnowBelt functions as a backdoor that allows attackers to maintain access to corporate accounts and move through internal systems without repeated authentication.

The hacker sends a link to a fake “Mailbox Repair” utility or asks the victim to open remote access tools like Quick Assist. Either way, they install the SNOW malware suite.

The first stage downloads an AutoHotKey binary and an AutoHotkey script, which immediately starts performing reconnaissance and installs a malicious Chromium browser extension called SnowBelt. | SnowBelt, a JavaScript-based backdoor delivered as a Chromium browser extension, gives the attacker an initial foothold and maintains persistence via the browser's extension registration system.

SNOWBELT maintained persistence through a Windows Startup folder shortcut

The extension executes on a headless Microsoft Edge instance, so the victim doesn’t notice anything, while scheduled tasks and a startup folder shortcut are also created for persistence.

SNOWBELT maintained persistence through a Windows Startup folder shortcut, two scheduled tasks, and a headless Microsoft Edge process silently loading the extension.

The extension executes on a headless Microsoft Edge instance, so the victim doesn’t notice anything, while scheduled tasks and a startup folder shortcut are also created for persistence.

SnowBelt functions as a backdoor that allows attackers to maintain access to corporate accounts and move through internal systems without repeated authentication.

SNOWBELT maintained persistence through a Windows Startup folder shortcut

The extension executes on a headless Microsoft Edge instance, so the victim doesn’t notice anything, while scheduled tasks and a startup folder shortcut are also created for persistence.

This directs victims to a landing page masquerading as a 'Mailbox Repair Utility'... SnowBelt... often hides behind names like 'MS Heartbeat' or 'System Heartbeat.'

SnowBelt functions as a backdoor that allows attackers to maintain access to corporate accounts and move through internal systems without repeated authentication.

The attacker used a gatekeeper script designed to ensure the payload is delivered only to intended targets while evading automated security sandboxes... The script also checks the victim's browser.

SNOWBELT is a malicious Chromium browser extension that acts as a backdoor, harvesting saved credentials and session cookies.

SNOWBELT is a malicious Chromium browser extension that acts as a backdoor, harvesting saved credentials and session cookies.

Attacker commands (such as whoami or net user) are sent through the SnowGlaze tunnel...

After gaining initial access, process execution telemetry recorded UNC6692 using a Python script to scan the local network for ports 135, 445, and 3389.

The first stage downloads an AutoHotKey binary and an AutoHotkey script, which immediately starts performing reconnaissance...

The attacker used a gatekeeper script designed to ensure the payload is delivered only to intended targets while evading automated security sandboxes... The script also checks the victim's browser.

SNOWBELT is a malicious Chromium browser extension that acts as a backdoor, harvesting saved credentials and session cookies.

SNOWGLAZE masked malicious traffic by wrapping data in Base64-encoded JSON objects over WebSockets, making it appear as standard encrypted web traffic.

Once installed, the extension can download additional components, including malware tools dubbed SnowGlaze and SnowBasin, along with AutoHotkey scripts and a portable Python environment used to run further malicious code.