
UNC6692


UNC6692 is a threat actor that employs social engineering tactics, such as impersonating IT helpdesk personnel, to gain initial access to victim environments. They utilize a custom modular malware suite, including components like SNOWBELT, SNOWGLAZE, and SNOWBASIN, to facilitate deep network penetration and lateral movement. After extracting credentials from the LSASS process memory, they leverage Pass-The-Hash techniques to authenticate to domain controllers and exfiltrate sensitive data using LimeWire. The campaign highlights the systematic abuse of legitimate cloud services for payload delivery and command-and-control infrastructure.


Associated Families
py.snowbasin

References
2026-04-23 | Mandiant | Josh Kelley, JP Glab, Muhammad Umair, Tufail Ahmed
Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite
SNOWBASIN UNC6692

Credits: MISP Project