
UNC6692 Combines Social Engineering, Malware, Cloud Abuse

Dark Reading (archived Apr 29, 2026)

A newly discovered threat actor is using Microsoft Teams, AWS S3 buckets, and custom "Snow" malware in a multipronged campaign.



Alexander Culafi, Senior News Writer, Dark Reading
April 27, 2026 · 4 Min Read

A new threat actor is combining social engineering techniques, abuse of legitimate cloud infrastructure, and custom malware to create what appears to be a novel attack chain.

Google Threat Intelligence Group (GTIG) and Mandiant on April 23 published a blog post detailing the activities of a threat actor tracked as UNC6692. While the researchers did not attribute the threat actor to any previously established identity or location (calling it only a "newly tracked threat group"), they described a multistage intrusion campaign leveraging both persistent social engineering and custom modular malware. The attack also involves the abuse of legitimate cloud infrastructure in the form of an AWS S3 bucket.

A Google spokesperson tells Dark Reading that, based on observed attacker tactics, techniques, and procedures (TTPs), the researchers suspect UNC6692 is financially motivated. "Their operations appear focused on gaining access and stealing credentials for further actions," the blog post authors added.

Dark Reading asked about the attacker's point of origin, but because it utilized AWS infrastructure, Google was unable to obtain evidence pointing to a possible attribution.

The UNC6692 Attack Chain

In late December, UNC6692 conducted a campaign in which it flooded a target's inbox with email messages before contacting them through Microsoft Teams, posing as help desk personnel assigned to fix the problem.

The attacker provided a phishing link through the Teams message, prompting the target to click a link that, according to the attacker, would install a local patch to fix and prevent the email spamming. The target clicked the link and opened an HTML page which "ultimately downloaded a renamed AutoHotKey binary and an AutoHotkey script, sharing the same name, from a threat actor-controlled AWS S3 bucket."

"If the AutoHotkey binary is named the same as a script file in its current directory, AutoHotkey will automatically run the script with no additional command line arguments," the blog post read. "Evidence of AutoHotKey execution was recorded immediately following the downloads resulting in initial reconnaissance commands and the installation of SNOWBELT, a malicious Chromium browser extension (not distributed through the Chrome Web Store)."

Through the Snowbelt extension now installed on the user's computer, UNC6692 downloaded the Python tunneler Snowglaze, the Python bindshell Snowbasin (a persistent backdoor for remote code execution), AutoHotkey scripts, and "a ZIP archive containing a portable Python executable and required libraries."

Once they gained initial access, the attacker used a Python script to scan the local network for ports 135, 445, and 3389 and to enumerate local administrator accounts. They then used a local administrator account to initiate a Remote Desktop Protocol (RDP) session through Snowglaze from the victim system to a backup server.

With access to the backup server, the threat actor used the local admin account to extract the process memory of the system's Local Security Authority Subsystem Service (LSASS). LSASS is used to enforce security policy and contains all usernames, passwords, and hashes for accounts that have accessed the target system. UNC6692 then extracted the process memory via LimeWire before using offensive security tools to extract credentials without fear of detection.

Finally, UNC6692 used a pass-the-hash technique to move laterally to the network's domain controller, positioning the threat actor to further stage and extract data of interest.

Google's blog post contained indicators of compromise (IOCs) and YARA rules.

UNC6692: Defender Takeaways

UNC6692's attack presents a blend of social engineering, technical evasion, and a multipronged malware strategy. Google highlighted the "systematic abuse of legitimate cloud services for payload delivery and exfiltration, and for command-and-control (C2) infrastructure," in the form of the S3 bucket. This abuse, Google said, enables attackers to bypass traditional network reputation filters and blend into legitimate cloud traffic.

"Defenders must now look beyond process monitoring to gain clear visibility into browser activity and unauthorized cloud traffic," the authors wrote. "As threat actors continue to professionalize these modular, cross-platform methodologies, the ability to correlate disparate events across the browser, local Python environments, and cloud egress points will be critical for early detection."

In a statement, an AWS spokesperson tells Dark Reading that the company prohibits the abuse of its products in its terms of service, and that anyone who suspects such abuse may be taking place can report it to AWS Trust & Safety through the appropriate form. "AWS has clear terms that prohibit the use of our services to violate the security, integrity, or availability of others," the spokesperson says. "When we receive reports of potential violations of our terms, we act quickly to review and take appropriate action."
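The AutoHotkey behaviour quoted above (a binary next to a same-named script runs that script with no arguments) and the call to correlate browser, local execution and cloud-egress events together suggest one concrete detection; the following is an added example, not code from the Dark Reading article or Google's blog post. It runs over constructed Sysmon-style events whose field names (original_file_name, dir_listing, dest) are assumptions, flags a renamed AutoHotkey binary launched argument-free beside a same-stem .ahk file, and raises the severity when the same endpoint fetched from an S3 hostname shortly before.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

S3_SUFFIX = "s3.amazonaws.com"   # bucket.s3.amazonaws.com style hostnames
WINDOW = timedelta(minutes=10)   # how far back to look for the S3 download leg

def is_renamed_ahk(ev):
    """Process start whose PE metadata says AutoHotkey (assumed Sysmon-style
    OriginalFileName) but runs under another name, with no arguments, beside a
    .ahk script sharing its stem, which AutoHotkey then runs automatically."""
    if ev["type"] != "process" or ev.get("original_file_name", "").lower() != "autohotkey.exe":
        return False
    image = PureWindowsPath(ev["image"])
    if image.name.lower().startswith("autohotkey"):
        return False  # binary not renamed: ordinary AutoHotkey use
    if ev["cmdline"].strip().strip('"') != ev["image"]:
        return False  # a script was passed explicitly; a different pattern
    siblings = {PureWindowsPath(p).name.lower() for p in ev.get("dir_listing", [])}
    return (image.stem + ".ahk").lower() in siblings

def detect_renamed_ahk_chain(events):
    """One finding per renamed-AHK launch, enriched with S3 connections from the
    same endpoint within WINDOW before it (the payload-delivery leg)."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for ev in events:
        if not is_renamed_ahk(ev):
            continue
        s3 = sorted({e["dest"] for e in events
                     if e["type"] == "netconn" and e["host"] == ev["host"]
                     and ev["ts"] - WINDOW <= e["ts"] <= ev["ts"]
                     and e["dest"].lower().endswith(S3_SUFFIX)})
        findings.append({"host": ev["host"], "image": ev["image"], "s3_hosts": s3,
                         "severity": "high" if s3 else "medium"})
    return findings

T = datetime(2025, 12, 18, 14, 0)  # constructed sample telemetry, not real IOCs
SAMPLE_EVENTS = [
    {"type": "netconn", "ts": T, "host": "WS01", "process": "msedge.exe",
     "dest": "example-bucket.s3.amazonaws.com"},
    {"type": "process", "ts": T + timedelta(minutes=1), "host": "WS01",
     "image": r"C:\Users\u\Downloads\update.exe", "original_file_name": "AutoHotkey.exe",
     "cmdline": r'"C:\Users\u\Downloads\update.exe"',
     "dir_listing": [r"C:\Users\u\Downloads\update.exe", r"C:\Users\u\Downloads\update.ahk"]},
    {"type": "process", "ts": T + timedelta(minutes=2), "host": "WS02",  # benign use
     "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "original_file_name": "AutoHotkey.exe",
     "cmdline": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" build.ahk', "dir_listing": []},
]
if __name__ == "__main__":
    print(detect_renamed_ahk_chain(SAMPLE_EVENTS))
```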