A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts.
“As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization,” Google-owned Mandiant said in a report published today.
UNC6692 has been attributed to a large email campaign that’s designed to overwhelm a target’s inbox with a flood of spam emails, creating a false sense of urgency. The threat actor then approaches the target over Microsoft Teams by sending a message claiming to be from the IT support team to offer assistance with the email bombing problem.
It’s worth noting that this combination of bombarding a victim’s email inbox followed by Microsoft Teams-based help desk impersonation has been a tactic long embraced by former Black Basta affiliates. Despite the group shutting down its ransomware operations early last year, the playbook has witnessed no signs of slowing down.
In a report published last week, ReliaQuest revealed that the approach is being used to target executives and senior-level employees for initial access into corporate networks for potential data theft, lateral movement, ransomware deployment, and extortion. In some cases, chats were initiated just 29 seconds apart.
The goal of the conversation is to trick victims into installing legitimate remote monitoring and management (RMM) tools like Quick Assist or Supremo Remote Desktop to enable hands-on access, and then weaponize it to drop additional payloads.
“From March 1 to April 1, 2026, 77% of observed incidents targeted senior-level employees, up from 59% in the first two months of 2026,” ReliaQuest researchers John Dilgen and Alexa Feminella said. “This activity demonstrates that a threat group’s most effective tactics can long outlive the group itself.”
The attack chain detailed by Mandiant, on the other hand, deviates from this approach as the victim is instructed to click on a phishing link shared via Teams chat to install a local patch to remediate the spam issue. Once it’s clicked, it leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket. The phishing page is named “Mailbox Repair and Sync Utility v2.1.5.”
The script is designed to perform initial reconnaissance, and then install SNOWBELT, a malicious Chromium-based browser extension, on the Edge browser by launching it in headless mode along with the “–load-extension” command line switch.
“The attacker used a gatekeeper script designed to ensure the payload is delivered only to intended targets while evading automated security sandboxes,” Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley, and Muhammad Umair said.
“The script also checks the victim’s browser. If the user is not using Microsoft Edge, the page…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
