A newly tracked threat cluster identified as UNC6692 has been observed carrying out targeted intrusions by abusing Microsoft Teams, relying heavily on social engineering to deliver a sophisticated and multi-stage malware framework.
According to findings from Mandiant, the attackers impersonate internal IT help desk personnel and persuade employees to accept chat requests originating from accounts outside their organization. This method allows them to bypass traditional email-based phishing defenses by exploiting trust in workplace collaboration tools.
The attack typically begins with a deliberate email bombing campaign, where the victim’s inbox is flooded with large volumes of spam messages. This is designed to create confusion and urgency. Shortly after, the attacker initiates contact through Microsoft Teams, posing as technical support and offering assistance to resolve the email issue.
This combined tactic of inbox flooding followed by help desk impersonation is not entirely new. It has previously been linked to affiliates of the Black Basta ransomware group. Although that group ceased operations, the continued use of this playbook demonstrates how effective intrusion techniques often persist beyond the lifespan of the original actors.
Separate research published by ReliaQuest shows that these campaigns are increasingly focused on senior personnel. Between March 1 and April 1, 2026, 77% of observed incidents targeted executives and high-level employees, a notable increase from 59% earlier in the year. In some cases, attackers initiated multiple chat attempts within seconds, intensifying pressure on the victim to respond.
In many similar attacks, victims are convinced to install legitimate remote monitoring and management tools such as Quick Assist or Supremo Remote Desktop, which are then misused to gain direct system control. However, UNC6692 introduces a variation in execution.
Instead of deploying remote access software immediately, the attackers send a phishing link through Teams. The message claims that the link will install a patch to fix the email flooding problem. When clicked, the link directs the victim to download an AutoHotkey script hosted on an attacker-controlled Amazon S3 bucket. The phishing interface is presented as a tool named “Mailbox Repair and Sync Utility v2.1.5,” making it appear legitimate.
Once executed, the script performs initial reconnaissance to gather system information. It then installs a malicious browser extension called SNOWBELT on Microsoft Edge. This is achieved by launching the browser in headless mode and using command-line parameters to load the extension without user visibility.
To reduce the risk of detection, the attackers use a filtering mechanism known as a gatekeeper script. This ensures that only intended victims receive the full payload, helping evade automated security analysis environments. The script also verifies whether the victim is using Microsoft Edge. If not, the phishing page displays a persistent warning overlay, guiding the user to switch browsers.
After installation, SNOWBELT enables the download of additional malicious components, including SNOWGLAZE, SNOWBASIN, further AutoHotkey scripts, and a compressed archive containing a portable Python runtime with required libraries.
The phishing page also includes a fake configuration panel with a “Health Check” option. When users interact with it, they are prompted to enter their mailbox credentials on the pretext that authentication is required. In reality, this information is captured and transmitted to another attacker-controlled S3 storage location.
The SNOW malware framework operates as a coordinated system. SNOWBELT functions as a JavaScript-based backdoor that receives instructions from the attacker and forwards them for execution. SNOWGLAZE acts as a tunneling component written in Python, establishing a secure WebSocket connection between the compromised machine and the attacker’s command-and-control infrastructure. SNOWBASIN provides persistent remote access, allowing command execution through system shells, capturing screenshots, transferring files, and even removing itself when needed. It operates by running a local HTTP server on ports 8000, 8001, or 8002.
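Two of the host-level traces described above (Edge launched headless with a command-line extension load to install SNOWBELT, and SNOWBASIN's local HTTP server on 8000-8002 served by a dropped Python runtime) can be turned into endpoint detection logic. The following is an added example, not code from the report or from Mandiant; the event field names are assumptions modelled loosely on Sysmon process-creation records, and all sample events are constructed.

```python
# Added detection example, not code from the report or Mandiant. Event field names are
# assumed (modelled loosely on Sysmon process-creation records); all samples are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?=\s|$)", re.I)
LOAD_EXT_RE = re.compile(r"(?:^|\s)--load-extension=(?P<path>\S+)", re.I)
SNOWBASIN_PORTS = {8000, 8001, 8002}  # local HTTP server ports the report lists

@dataclass
class ProcEvent:
    image: str         # full path of the new process
    parent_image: str  # full path of its parent
    command_line: str

def detect_headless_extension_load(ev: ProcEvent) -> Optional[str]:
    """Edge launched headless with --load-extension: the SNOWBELT install step."""
    if not ev.image.lower().endswith("msedge.exe"):
        return None
    ext = LOAD_EXT_RE.search(ev.command_line)
    if not (HEADLESS_RE.search(ev.command_line) and ext):
        return None
    # An AutoHotkey parent is what the report describes; other parents still merit review.
    severity = "high" if "autohotkey" in ev.parent_image.lower() else "medium"
    return f"{severity}: headless Edge loading extension {ext['path']} (parent {ev.parent_image})"

def detect_local_python_listener(image: str, port: int) -> Optional[str]:
    """A Python interpreter listening on 8000-8002 matches SNOWBASIN's local server.
    Noisy on developer hosts, so weighted low and meant to corroborate the rule above."""
    if port in SNOWBASIN_PORTS and "python" in image.lower():
        return f"low: python process {image} listening on {port}"
    return None

def run(procs: List[ProcEvent], listens: List[Tuple[str, int]]) -> List[str]:
    found = [f for e in procs if (f := detect_headless_extension_load(e))]
    found += [f for img, p in listens if (f := detect_local_python_listener(img, p))]
    return found
# Constructed sample telemetry: one true positive of each kind plus benign noise.
SAMPLE_PROCS = [
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r"C:\Users\alice\AppData\Local\Temp\AutoHotkey64.exe",
              r'"msedge.exe" --headless=new --load-extension=C:\Users\alice\AppData\Local\Temp\snowbelt --no-first-run'),
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r"C:\Windows\explorer.exe", r'"msedge.exe" --profile-directory=Default https://example.com'),
]
SAMPLE_LISTENS = [  # (image, port)
    (r"C:\Users\alice\AppData\Local\Temp\pyrt\python.exe", 8001),
    (r"C:\Program Files\nodejs\node.exe", 8000),
]
```

Running `run(SAMPLE_PROCS, SAMPLE_LISTENS)` yields one high-severity finding for the headless extension load and one low-severity corroborating finding for the Python listener, while the benign events produce nothing.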
Once inside the network, the attackers expand their control through a series of post-exploitation activities. They scan for commonly used network ports such as 135, 445, and 3389 to identify opportunities for lateral movement. Using the SNOWGLAZE tunnel, they establish remote sessions through tools like PsExec and Remote Desktop.
Privilege escalation is achieved by extracting sensitive credential data from the system’s LSASS process, a critical Windows component responsible for storing authentication information. Attackers then use the Pass-the-Hash technique, which allows them to authenticate across systems using stolen password hashes without needing the actual passwords.
To extract valuable data, they deploy tools such as FTK Imager to capture sensitive files, including Active Directory databases. These files are staged locally before being exfiltrated using file transfer utilities like LimeWire.
Mandiant researchers note that this campaign reflects an evolution in attack strategy by combining social engineering, custom malware, and browser-based persistence mechanisms. A key element is the abuse of trusted cloud platforms for hosting malicious payloads and managing command-and-control operations. Because these services are widely used and trusted, malicious traffic can blend in with legitimate activity, making detection more difficult.
A related campaign reported by Cato Networks underlines similar tactics, where attackers use voice-based phishing within Teams to guide victims into executing a PowerShell script that deploys a WebSocket-based backdoor known as PhantomBackdoor.
Security experts emphasize that collaboration platforms must now be treated as primary attack surfaces. Controls such as verifying help desk communications, restricting external access, limiting screen sharing, and securing PowerShell execution are becoming essential defenses.
Microsoft has also warned that attackers are exploiting cross-organization communication within Teams to establish remote access using legitimate support tools. After initial compromise, they conduct reconnaissance, deploy additional payloads, and establish encrypted connections to their infrastructure.
To maintain persistence, attackers may deploy fallback remote management tools such as Level RMM. Data exfiltration is often carried out using synchronization tools like Rclone. They may also use built-in administrative protocols such as Windows Remote Management to move laterally toward high-value systems, including domain controllers.
These intrusion chains rely heavily on legitimate software and standard administrative processes, allowing attackers to remain hidden within normal enterprise activity across multiple stages of the attack lifecycle.
The attack began on April 6 and continued into April 7, impacting core digital infrastructure used for emergency response and municipal operations. Officials said the incident significantly affected their ability to manage essential services, including administrative and public-facing functions.
Governor Tim Walz responded by signing an executive order authorizing the Minnesota National Guard to support recovery efforts.
"Cyberattacks are an evolving threat that can strike anywhere, at any time," said Governor Walz. "Swift coordination between state and local experts matters in these moments. That's why I am authorizing the National Guard to support Winona County as they work to protect critical systems and maintain essential services."
County officials confirmed that teams have been working continuously since detecting the breach. The response involves coordination with Minnesota Information Technology Services, the Minnesota Bureau of Criminal Apprehension, the League of Minnesota Cities, the Federal Bureau of Investigation, and external cybersecurity experts.
Despite these efforts, authorities acknowledged that the scale and complexity of the attack exceeded both internal capabilities and commercial support, prompting a formal request for assistance from the National Guard.
Under the executive order, the Adjutant General is authorized to deploy personnel, equipment, and additional resources to assist with the response. The state can also procure necessary services, with costs covered through Minnesota’s general fund.
The order is currently active and will remain in place until the situation stabilizes or is officially lifted. The immediate focus is on containing the threat, preventing further damage, and restoring affected systems.
Officials emphasized that emergency services remain operational. Systems supporting 911 calls, fire response, and other urgent services are functioning, ensuring public safety is not compromised.
However, disruptions have slowed other county operations, and residents may experience delays while systems are restored.
Authorities have not yet disclosed the exact nature of the cyberattack or confirmed whether ransomware is involved.
The FBI, along with state agencies and cybersecurity experts, is investigating the incident. The probe aims to determine how the breach occurred, identify affected systems, and assess whether sensitive data was accessed.
This event follows a ransomware incident reported by Winona County in January 2026.
At that time, officials stated, "We recently identified and responded to a ransomware incident affecting our computer network. Upon discovery, we immediately initiated an investigation to assess the scope and impact of the incident."
During the earlier attack, a local emergency was declared to maintain service continuity. While emergency operations remained active, other services faced temporary disruptions.
The recurrence of cyber incidents within a short period has raised concerns about ongoing vulnerabilities and the growing cyber threat landscape for local governments. The incident highlights a broader trend: smaller government bodies are increasingly targeted by sophisticated cyberattacks but often lack the resources to respond effectively.
As systems go offline, public services are immediately affected, and recovery can take time. While state support is helping stabilize operations in Winona County, the situation underscores the need for stronger cybersecurity defenses at the local level.