TechTarget and Informa Tech’s Digital Business Combine. TechTarget and Informa TechTarget and Informa Tech’s Digital Business Combine. Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise Newsletter Sign-Up Newsletter Sign-Up Cybersecurity Topics Related Topics Application Security Cybersecurity Careers Cloud Security Cyber Risk Cyberattacks & Data Breaches Cybersecurity Analytics Cybersecurity Operations Data Privacy Endpoint Security ICS/OT Security Identity & Access Mgmt Security Insider Threats IoT Mobile Security Perimeter Physical Security Remote Workforce Threat Intelligence Vulnerabilities & Threats Recent in Cybersecurity Topics Сloud Security UNC6692 Combines Social Engineering, Malware, Cloud Abuse UNC6692 Combines Social Engineering, Malware, Cloud Abuse by Alexander Culafi Apr 27, 2026 3 Min Read Vulnerabilities & Threats Unpatched 'PhantomRPC' Flaw in Windows Enables Privilege Escalation Unpatched 'PhantomRPC' Flaw in Windows Enables Privilege Escalation by Elizabeth Montalbano Apr 27, 2026 4 Min Read World Related Topics DR Global Middle East & Africa Asia Pacific Latin America See All The Edge DR Technology Events Related Topics Upcoming Events Podcasts Webinars SEE ALL Resources Related Topics Resource Library Newsletters Podcasts Reports Videos Webinars White Papers Partner Perspectives Dark Reading Resource Library Сloud Security Threat Intelligence Application Security Cyberattacks & Data Breaches News UNC6692 Combines Social Engineering, Malware, Cloud Abuse A newly discovered threat actor is using Microsoft Teams, AWS S3 buckets, and custom "Snow" malware in a multipronged campaign. Alexander Culafi , Senior News Writer , Dark Reading April 27, 2026 3 Min Read Source: Marc Muench via Alamy Stock Photo A new threat actor is combining social engineering techniques, abuse of legitimate cloud infrastructure, and custom malware together to create what appears to be novel attack chain. Google Threat Intelligence Group (GTIG) and Mandiant on April 23 published a blog post detailing the activities of a threat actor tracked as UNC6692. While the researchers did not attribute the threat actor to any previously established identity or location ( calling it only a "newly tracked threat group"), they described a multistage intrusion campaign leveraging both persistent social engineering and custom modular malware. The attack also involves the abuse of legitimate cloud infrastructure in the form of an AWS S3 bucket. A Google spokesperson tells Dark Reading that based on observed attacker tactics, techniques, and procedures (TTPs), the researchers suspect the UNC6692 is financially motivated. "Their operations appear focused on gaining access and stealing credentials for further actions," the blog post authors added. Related: Navigating the Unique Security Risks of Asia's Digital Supply Chain Dark Reading asked about the attacker's point of origin, but because it utilized AWS infrastructure, Google was unable to obtain evidence pointing to a possible attribution. Dark Reading has contacted Amazon for additional information. The UNC6692 Attack Chain In late December, UNC6692 conducted a campaign where it flooded a target's inbox with email messages before contacting them through Microsoft Teams, posing as help desk personnel assigned to fix the problem. The attacker provided a phishing link through the Teams message , prompting the target to click a link that installs a local patch to fix and prevent email spamming. The target clicked the link and opened an HTML page which "ultimately downloaded a renamed AutoHotKey binary and an AutoHotkey script, sharing the same name, from a threat actor-controlled AWS S3 bucket." "If the AutoHotkey binary is named the same as a script file in its current directory, AutoHotkey will automatically run the script with no additional command line arguments," the blog post read. "Evidence of AutoHotKey execution was recorded immediately following the downloads resulting in initial reconnaissance commands and the installation of SNOWBELT, a malicious Chromium browser extension (not distributed through the Chrome Web Store)." Through the Snowbelt extension now installed on the user's computer, UNC6692 downloaded the Python tunneler Snowglaze, the Python bindshell Snowbasin (a persistent backdoor for remote code execution), AutoHotkey scripts, and "a ZIP archive containing a portable Python executable and required libraries." Related: Microsoft, Salesforce Patch AI Agent Data Leak Flaws Once they gained initial access, the attacker used a Python script to scan the local network for ports 135, 445, and 3389 and enumerate local administrator accounts. They then used a local administrator account to initiate a remote desktop protocol (RDP) session through Snowglaze from the victim system to a backup server. Now with access to the backup server, the threat actor further uses the local admin account to extract the system's LSASS Microsoft Windows Local Security Authority Subsystem Service (LSASS) process memory. LSASS is used to enforce security policy and contains all usernames, passwords, and hashes for accounts that have accessed the target system. UNC6692 then extracted the process memory via LimeWire before using offensive security tools to extract credentials without fear of detection. Finally, UNC6692 used a pass-the-hash technique to move laterally to the network's domain controller, preparing the threat actor to further stage and extract data of interest. Google's blog post contained indicators of compromise (IOCs) and YARA rules. UNC6692: Defender Takeaways UNC6692's attack presents a blend of social engineering , technical evasion, and a multipronged malware strategy. Google highlighted the "systematic abuse of legitimate cloud services for payload delivery and exfiltration, and for command-and-control (C2) infrastructure," in the form of the S3 bucket. Related: Microsoft Bets $10B to Boost Japan's AI, Cybersecurity This abuse, Google said, enables attackers to bypass traditional network reputation filters and blend into legitimate cloud traffic. "Defenders must now look beyond process monitoring to gain clear visibility into browser activity and unauthorized cloud traffic," the authors wrote. "As threat actors continue to professionalize these modular, cross-platform methodologies, the ability to correlate disparate events across the browser, local Python environments, and cloud egress points will be critical for early detection." About the Author Alexander Culafi Senior News Writer, Dark Reading Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels. See more from Alexander Culafi Want more Dark Reading stories in your Google search results? Add Us Now More Insights Industry Reports The Total Economic Impact™ Of Google SecOps AI-driven SecOps: Transforming Financial Services Security The Agentic SOC: Exploring the Practitioner Mindset as AI Permeates SecOps The Total Economic Impact™ Of Google SecOps The Business Value of Google Threat Intelligence Access More Research Webinars How Well Can You See What's in Your Cloud? Implementing CTEM: Beyond Vulnerability Management Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning Tips for Managing Cloud Security in a Hybrid Environment? Zero Trust Architecture for Cloud environments: Implementation Roadmap More Webinars Editor's Choice Vulnerabilities & Threats EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses by Rob Wright Apr 14, 2026 8 Min Read Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks Threat Intelligence Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats Jan 2, 2026 Cyber Risk Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult Jan 12, 2026 | 7 Min Read Endpoint Security CISOs Face a Tighter Insurance Market in 2026 Jan 5, 2026 | 7 Min Read Threat Intelligence 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child Jan 30, 2026 | 8 Min Read Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. Subscribe Webinars How Well Can You See What's in Your Cloud? Thurs, June 4, 2026 at 1:00pm EST Implementing CTEM: Beyond Vulnerability Management Thurs, May 21, 2026 at 1pm EST Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning Mon, May 11, 2026 at 1:00pm ET Tips for Managing Cloud Security in a Hybrid Environment? Thurs, May 7, 2026 at 1pm EST Zero Trust Architecture for Cloud environments: Implementation Roadmap Tues, May 12, 2026 at 1pm EST More Webinars White Papers 7 best practices for secrets lifecycle management Reinventing the SOC with agentic AI Enhancing SecOps with Google Threat Intelligence Enhancing SecOps with Google Threat Intelligence Enhancing SecOps with Google Threat Intelligence Explore More White Papers Black Hat Asia | Marina Bay Sands, Singapore Experience cutting-edge cybersecurity insights in this four-day event featuring e