UNC6692 Uses Microsoft Teams to Impersonate Help Desk and Deploy SNOW Malware
Malware coverage focused on infection paths, containment steps and indicators defenders should watch.

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.
The published article is checked against public sources before publication, and material corrections are reflected in the article update date.
Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for server impact, affected-version evidence, privilege or code-execution claims and realistic patch priority. His remediation note follows the discipline he applies to Juniper routers and production servers: verify scope, preserve useful logs, reduce exposed management access, and only then apply the fix or compensating control supported by the three corroborating sources.
Review our editorial policy or send corrections to [email protected].
Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.
A cybercrime group tracked as UNC6692 has been observed impersonating help desk employees in Microsoft Teams chats to distribute SNOW malware. The attack relies on social engineering inside a trusted corporate collaboration platform rather than on email, and carries a high risk of credential theft, data breach and system compromise. This HackWatch alert reviews the documented reporting and gives actionable guidance on detection and defense.
What happened
Cybersecurity researchers have identified a targeted campaign by the threat actor UNC6692 that abuses Microsoft Teams to impersonate help desk employees. The attackers open chats in Teams, convince users that there is an IT issue to fix, and direct them to download and execute SNOW malware, described in the reporting as a backdoor trojan used for credential theft and network persistence.
This attack vector is notable for exploiting trusted internal communication channels rather than traditional email phishing. By masquerading as IT support personnel, UNC6692 lowers victims’ guard, increasing the likelihood of successful malware deployment.
Confirmed facts
- UNC6692 is tracked under Mandiant's UNC ("uncategorized") naming scheme, used for threat clusters not yet merged into a named group; the reporting describes it as a cybercrime group with a history of credential theft and espionage activity.
- The group initiates contact via Microsoft Teams chat, impersonating help desk or IT support staff.
- Victims receive messages requesting assistance or directing them to download a file or click a link purportedly to resolve an IT issue.
- The downloaded payload is SNOW malware, which enables attackers to steal credentials, maintain persistence, and move laterally within networks.
- This campaign leverages the trusted environment of Teams, bypassing many traditional email security filters.
- Organizations with lax internal verification processes and insufficient endpoint protection are particularly vulnerable.
Who is affected
- Enterprises and organizations using Microsoft Teams as their primary collaboration tool.
- Employees who have access to internal IT support channels or who are accustomed to receiving help desk communications via chat.
- Companies without robust multi-factor authentication (MFA) or endpoint detection and response (EDR) solutions.
- Sectors with high reliance on remote work and digital collaboration, such as finance, healthcare, and technology.
What to do now
- Immediately alert IT and security teams if you receive unsolicited help desk requests via Teams, especially those asking to download files or provide credentials.
- Verify help desk communications through secondary channels, such as a phone call or official ticketing system.
- Conduct an organization-wide sweep for SNOW malware indicators, and review Teams audit logs for chats opened by accounts your users do not recognize, particularly senders whose display names mimic IT or help desk staff and whose messages carry links, attachments or requests to install something.
- Enforce strict policies that prohibit downloading or executing files from unverified sources within collaboration platforms.
- Update endpoint security solutions to detect and block SNOW malware and similar threats.
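As an added example (not code from the SC World report or from HackWatch), the following Python script shows what "review Teams logs for suspicious chats" can look like in practice. It assumes a simplified, constructed chat-event layout (sender address, display name, recipient, message text, attachment names) rather than the exact Microsoft 365 audit-log schema; the tenant domain corp.example, the weights and every sample event are constructed for illustration. Each chat is scored on the traits listed above: a display name claiming to be IT or help desk, a sender outside the organisation's own domains, a link or executable attachment, and a request to install or run something or to hand over credentials.

```python
"""Triage Teams chat events for help-desk impersonation lures.

Added example for this alert, not code from the original reporting. The event
layout is a constructed simplification; map your own audit export onto it.
"""
import re

# Constructed: the organisation's own tenant domains. Any other sender domain is external.
ORG_DOMAINS = {"corp.example"}

HELPDESK_NAME = re.compile(r"\b(help ?desk|it support|service desk|it admin|support team)\b", re.I)
ACTION_ASK = re.compile(r"\b(install|download|run|execute|launch|remote session|quick assist)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(password|passcode|credentials|mfa code|verification code|one[- ]time code)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)
RISKY_EXT = (".exe", ".msi", ".zip", ".iso", ".lnk", ".js", ".vbs", ".ps1", ".bat", ".scr", ".hta")

# Weights are a triage judgement, not a published rule. An external sender merely
# claiming to be the help desk (3 + 2) crosses the threshold, and so does an
# internal "service desk" account asking for a password (3 + 3). A genuine internal
# help desk sending a ticket link (3 + 1) does not.
WEIGHTS = {"helpdesk_name": 3, "external": 2, "link": 1,
           "risky_attachment": 2, "action_ask": 1, "credential_ask": 3}
THRESHOLD = 5


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def score_event(ev, org_domains=ORG_DOMAINS):
    """Return (score, reasons) for one chat event."""
    reasons = []
    if HELPDESK_NAME.search(ev["display_name"]):
        reasons.append("helpdesk_name")
    if sender_domain(ev["sender"]) not in org_domains:
        reasons.append("external")
    if URL.search(ev["text"]):
        reasons.append("link")
    if any(a.lower().endswith(RISKY_EXT) for a in ev.get("attachments", [])):
        reasons.append("risky_attachment")
    if ACTION_ASK.search(ev["text"]):
        reasons.append("action_ask")
    if CREDENTIAL_ASK.search(ev["text"]):
        reasons.append("credential_ask")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(events, org_domains=ORG_DOMAINS, threshold=THRESHOLD):
    """Return the events that reach the threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev, org_domains)
        if score >= threshold:
            hits.append({"sender": ev["sender"], "recipient": ev["recipient"],
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


# Constructed sample events: one external impersonation lure, one genuine internal
# help desk message, one benign external partner, one internal account asking for a password.
SAMPLE_EVENTS = [
    {"sender": "it-helpdesk@contoso-support.example", "display_name": "IT Help Desk",
     "recipient": "a.user@corp.example",
     "text": "Hi, we detected an issue with your mailbox. Please download and run the fix here: https://support-portal.example/fix.zip",
     "attachments": []},
    {"sender": "helpdesk@corp.example", "display_name": "IT Help Desk",
     "recipient": "a.user@corp.example",
     "text": "Ticket 4821 closed. Reboot when convenient. https://tickets.corp.example/4821",
     "attachments": []},
    {"sender": "j.doe@partner.example", "display_name": "Jane Doe",
     "recipient": "b.user@corp.example",
     "text": "Slides attached for tomorrow's review.", "attachments": ["deck.pptx"]},
    {"sender": "m.lee@corp.example", "display_name": "Service Desk",
     "recipient": "c.user@corp.example",
     "text": "Your password expires today, send me your current credentials in this chat so I can reset it.",
     "attachments": []},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f'{hit["score"]:>2}  {hit["sender"]} -> {hit["recipient"]}  {", ".join(hit["reasons"])}')
```

On the constructed sample this flags the external "IT Help Desk" lure (score 7) and the internal "Service Desk" account asking for a password (score 6), while the genuine help desk ticket link and the partner's slide deck stay below the threshold. The reasons list is what an analyst needs to decide whether to contact the recipient and pull the endpoint for SNOW indicators.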
How to secure yourself
- Enable multi-factor authentication (MFA) on all corporate accounts, especially for collaboration tools like Microsoft Teams.
- Train employees to recognize social engineering tactics, emphasizing that IT support will never request passwords or direct downloads via chat.
- Implement application allowlisting (for example Windows AppLocker or Windows Defender Application Control) so that a file downloaded from a chat cannot execute on the endpoint even if the user is convinced to run it.
- Regularly update and patch collaboration platforms and endpoint devices.
- Use advanced threat protection tools capable of monitoring internal communications for anomalous behavior.
FAQ
How does UNC6692 use Microsoft Teams to deliver malware?
UNC6692 impersonates help desk employees in Teams chats, sending malicious links or files that, when executed, install SNOW malware on victims’ devices.
What is SNOW malware?
SNOW is a backdoor trojan used for credential theft, persistence, and lateral movement within compromised networks.
Am I at risk if my company uses Microsoft Teams?
Yes, especially if your organization lacks strict verification processes, endpoint protections, or MFA.
How can I verify if a help desk request is legitimate?
Always confirm via official channels such as phone calls, email ticketing systems, or in-person communication before taking any action.
What immediate steps should I take if I suspect compromise?
Notify your IT/security team, avoid interacting with suspicious messages, and disconnect affected devices from the network.
Has Microsoft improved Teams security against such attacks?
Yes. Microsoft has added protections to Teams over time, including anomaly detection, phishing protection and integration with identity and access management. Tenant administrators can also restrict Teams external access (federation) to an allowlist of partner domains, which limits who can open a chat with your users in the first place. These controls reduce, but do not remove, the need for out-of-band verification of help desk requests.
What role does MFA play in preventing these attacks?
MFA adds an additional authentication layer, making it harder for attackers to use stolen credentials to access systems.
How can organizations detect SNOW malware?
Through endpoint detection and response (EDR) telemetry, network traffic analysis, and monitoring of authentication logs for sign-ins from unfamiliar sources followed by the same account reaching many hosts in a short period, which is the lateral-movement pattern the malware is used to enable.
What are common signs of a SNOW malware infection?
Unexpected credential prompts, unusual network connections, degraded system performance, and unauthorized access attempts.
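For the "unusual authentication or lateral movement patterns" part of the detection answer above, here is an added example (not code from the page's sources) of the two-step check a detection engineer would write: learn which source IPs each account normally signs in from, alert on a successful sign-in from an IP outside that baseline, and then count how many distinct hosts the account reaches over network logons in the following 15 minutes. The event layouts, account names, IP addresses, hostnames and the baseline cut-off are all constructed; map your identity provider's sign-in export and Windows Security event 4624 with logon type 3 (or the EDR equivalent) onto them.

```python
"""Flag sign-ins from a source IP never seen for that account, then check
whether the account fans out to many hosts shortly afterwards.

Added example for this alert, not code from the original reporting. Event
shapes are constructed and simplified; adapt them to your own telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.fromisoformat(s)


def baseline_ips(signins, baseline_end):
    """Map user -> set of source IPs seen in successful sign-ins before baseline_end."""
    seen = defaultdict(set)
    for ev in signins:
        if ev["result"] == "success" and _ts(ev["ts"]) < baseline_end:
            seen[ev["user"]].add(ev["src_ip"])
    return seen


def detect(signins, logons, baseline_end, window=timedelta(minutes=15), host_threshold=3):
    """Return one finding per (user, new source IP) seen after baseline_end.

    Each finding lists the distinct hosts the account reached over network
    logons within `window` of the sign-in; `lateral` is True when that count
    meets host_threshold.
    """
    seen = baseline_ips(signins, baseline_end)
    findings = []
    for ev in sorted(signins, key=lambda e: e["ts"]):
        t = _ts(ev["ts"])
        if t < baseline_end or ev["result"] != "success":
            continue
        if ev["src_ip"] in seen[ev["user"]]:
            continue
        seen[ev["user"]].add(ev["src_ip"])  # alert once per new IP, not per sign-in
        hosts = sorted({
            lg["dest_host"] for lg in logons
            if lg["user"] == ev["user"] and lg["logon_type"] == 3
            and t <= _ts(lg["ts"]) <= t + window
        })
        findings.append({
            "user": ev["user"], "new_ip": ev["src_ip"], "first_seen": ev["ts"],
            "hosts": hosts, "lateral": len(hosts) >= host_threshold,
        })
    return findings


# Constructed sample data. Baseline: alice and bob always sign in from the same
# office addresses; carol from another. After the cut-off, alice signs in from a
# never-seen IP and immediately touches four servers; carol also has a new IP but
# reaches only one host.
BASELINE_END = datetime(2026, 4, 28)
SIGNINS = [
    {"user": "alice", "ts": "2026-04-20T08:55:00", "src_ip": "203.0.113.10", "result": "success"},
    {"user": "alice", "ts": "2026-04-25T09:01:00", "src_ip": "203.0.113.10", "result": "success"},
    {"user": "bob",   "ts": "2026-04-24T08:30:00", "src_ip": "198.51.100.5", "result": "success"},
    {"user": "carol", "ts": "2026-04-26T10:00:00", "src_ip": "203.0.113.12", "result": "success"},
    {"user": "alice", "ts": "2026-04-29T08:00:00", "src_ip": "203.0.113.10", "result": "success"},  # known IP
    {"user": "alice", "ts": "2026-04-29T09:02:00", "src_ip": "192.0.2.44",   "result": "success"},  # new IP
    {"user": "bob",   "ts": "2026-04-29T09:30:00", "src_ip": "198.51.100.5", "result": "success"},
    {"user": "carol", "ts": "2026-04-29T10:15:00", "src_ip": "192.0.2.80",   "result": "success"},  # new IP
]
LOGONS = [  # network logons (Windows 4624 logon type 3 in a real deployment)
    {"user": "alice", "ts": "2026-04-29T09:05:00", "dest_host": "srv-file01", "logon_type": 3},
    {"user": "alice", "ts": "2026-04-29T09:07:00", "dest_host": "srv-db02",   "logon_type": 3},
    {"user": "alice", "ts": "2026-04-29T09:09:00", "dest_host": "srv-dc01",   "logon_type": 3},
    {"user": "alice", "ts": "2026-04-29T09:11:00", "dest_host": "wks-bob",    "logon_type": 3},
    {"user": "bob",   "ts": "2026-04-29T09:31:00", "dest_host": "srv-file01", "logon_type": 3},
    {"user": "carol", "ts": "2026-04-29T10:16:00", "dest_host": "srv-file01", "logon_type": 3},
]

if __name__ == "__main__":
    for f in detect(SIGNINS, LOGONS, BASELINE_END):
        flag = "LATERAL MOVEMENT" if f["lateral"] else "new IP only"
        print(f'{f["user"]:<6} {f["new_ip"]:<13} {f["first_seen"]}  {flag}  hosts={f["hosts"]}')
```

On the sample data alice's sign-in from 192.0.2.44 is reported with four hosts and lateral set, which is the combination worth paging on; carol's new IP is reported without the lateral flag, so it is a lower-priority check (travel, VPN change) rather than an incident. Tuning the window and host threshold to your environment matters more than the exact numbers used here.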
Why this matters
This campaign highlights a dangerous evolution in cyberattack strategies—leveraging trusted internal communication tools to bypass traditional defenses. As remote work and digital collaboration become ubiquitous, attackers exploit human trust and platform familiarity to gain initial access. The high risk of credential theft and network compromise from such attacks can lead to severe financial losses, data breaches, and reputational damage.
Organizations must adapt their security postures to include internal communication monitoring, employee training, and zero-trust principles to mitigate these emerging threats.
Sources and corroboration
This article synthesizes public reporting, principally SC World's coverage of the campaign, together with threat intelligence the reporting attributes to Microsoft security teams. The convergence of these sources supports the tactics, techniques and procedures (TTPs) attributed to UNC6692 and the delivery of SNOW malware via Microsoft Teams.
- https://www.scworld.com/news/unc6692-impersonates-help-desk-employees-to-drop-snow-malware-via-teams
Sources used for this article
The Hacker News, secnews.gr, scmagazine.com
