Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite
A threat group tracked as UNC6692 used social engineering to deploy a custom malware suite: a Microsoft Teams chat invitation was the entry point for installing a malicious browser extension, SNOWBELT, which persisted through a shortcut in the Windows Startup folder and a Scheduled Task. The campaign shows an evolution in tactics, combining social engineering, custom malware, and a malicious browser extension. The attackers impersonated IT helpdesk employees to gain the target's trust and flooded them with messages, creating a sense of urgency and distraction. Staff should treat unsolicited helpdesk messages with caution and verify IT helpdesk communications through a known, independent channel before acting on them. The campaign underlines the need for robust security measures, including employee education and awareness.