UNC6692 Launches Sophisticated Snow Malware Campaign
Security researchers discovered a new threat campaign on April 25, 2026, where the UNC6692 group deploys a custom malware suite called Snow through elaborate social engineering schemes. The attackers impersonate IT helpdesk personnel to trick employees into installing malicious software that establishes persistent access to corporate networks.
The Snow malware suite represents a significant evolution in targeted attacks, combining three distinct components that work together to maintain long-term access. The first component is a malicious browser extension that captures credentials and session tokens from popular web applications. The second element functions as a network tunneler, creating encrypted channels for command and control communications while bypassing traditional network security controls.
The third and most concerning component operates as a sophisticated backdoor that maintains persistence across system reboots and security updates. This backdoor communicates with attacker infrastructure through legitimate cloud services, making detection extremely challenging for traditional security tools. The Hacker News reports that the campaign has been active since early 2026, with victims spanning financial services, healthcare, and technology sectors.
UNC6692's social engineering tactics involve extensive reconnaissance of target organizations. Attackers research company structures, employee hierarchies, and internal IT procedures before initiating contact. They often reference recent legitimate IT communications or ongoing projects to establish credibility. The group has demonstrated particular skill in mimicking authentic helpdesk protocols, including proper ticket numbering systems and escalation procedures that employees expect from genuine IT support interactions.
Enterprise Networks Face Widespread Snow Malware Exposure
Organizations across North America and Europe have fallen victim to UNC6692's Snow malware campaign, with particular concentration in sectors handling sensitive financial and healthcare data. The threat group specifically targets companies with distributed workforces where remote IT support calls are common and less likely to raise immediate suspicion among employees.
The malware affects systems running Windows 10 and Windows 11 across all major browser platforms including Chrome, Firefox, and Edge. The browser extension component requires administrative privileges for installation, which attackers obtain through their social engineering scripts that convince users to temporarily elevate permissions for supposed IT maintenance tasks. Once installed, the extension persists across browser updates and maintains access even when users switch between different browsers on the same system.
Small to medium enterprises appear particularly vulnerable due to limited security awareness training and less sophisticated incident response capabilities. However, several Fortune 500 companies have also reported successful infiltrations, indicating that organization size alone doesn't provide protection against these targeted social engineering attacks. The network tunneler component specifically targets organizations using cloud-based productivity suites, as it can intercept and manipulate communications with services like Microsoft 365, Google Workspace, and Salesforce platforms.
Snow Malware Technical Analysis and Mitigation Strategies
The Snow malware suite employs advanced evasion techniques that make traditional signature-based detection ineffective. The browser extension component uses legitimate web extension APIs to avoid triggering browser security warnings, while the tunneler disguises its traffic as routine HTTPS communications with popular content delivery networks. Security teams should implement behavioral monitoring that can detect unusual patterns in browser extension installations and network traffic anomalies.
Organizations can protect against UNC6692 attacks by implementing strict verification procedures for all IT support requests. Employees should be trained to independently verify any unsolicited IT support calls through established internal channels before providing system access or installing software. Hackread analysis suggests implementing callback verification systems where employees hang up and call back through official IT support numbers listed in company directories.
Technical mitigation requires deploying endpoint detection and response solutions capable of monitoring browser extension installations and network tunnel creation. Security teams should configure alerts for any browser extensions installed outside of approved enterprise software catalogs. Network monitoring should focus on detecting encrypted tunnels to cloud infrastructure that don't match normal business patterns. Registry monitoring can help identify the backdoor component, which creates specific persistence mechanisms in Windows startup locations and scheduled tasks.
Immediate response actions include auditing all recently installed browser extensions across the organization and reviewing network logs for suspicious encrypted connections to cloud services. Organizations should also implement application whitelisting to prevent unauthorized software installation and require multi-factor authentication for all administrative actions. Regular security awareness training should specifically address the social engineering tactics used by UNC6692, including scenarios where attackers reference legitimate company information to establish credibility.
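The extension audit and persistence-location review described above, as an added PowerShell example; it is not tooling from the reporting or from the researchers, and it assumes the standard Chrome and Edge profile layout on Windows 10/11 and a placeholder allowlist of approved extension IDs that the organization must replace with its own catalog.

```powershell
# Added example: list browser extensions per local user, flag any not in the
# approved catalog, then dump the startup locations and non-Microsoft scheduled
# tasks an analyst would review for the backdoor's persistence.
# Placeholder IDs: replace with the organization's approved extension IDs.
$Allowlist = @('PLACEHOLDER_APPROVED_EXTENSION_ID_1', 'PLACEHOLDER_APPROVED_EXTENSION_ID_2')

# Chromium layout is <profile>\Extensions\<extension id>\<version>\manifest.json.
# (Firefox keeps extensions.json per profile and is not covered by this block.)
$ExtensionGlobs = @(
    'AppData\Local\Google\Chrome\User Data\*\Extensions\*\*\manifest.json',
    'AppData\Local\Microsoft\Edge\User Data\*\Extensions\*\*\manifest.json'
)

$Findings = foreach ($UserDir in Get-ChildItem -Path 'C:\Users' -Directory) {
    foreach ($Glob in $ExtensionGlobs) {
        $Manifests = Get-ChildItem -Path (Join-Path $UserDir.FullName $Glob) -ErrorAction SilentlyContinue
        foreach ($Manifest in $Manifests) {
            $ExtId = $Manifest.Directory.Parent.Name   # two levels above manifest.json
            $Json  = Get-Content -Path $Manifest.FullName -Raw | ConvertFrom-Json
            [pscustomobject]@{
                User        = $UserDir.Name
                ExtensionId = $ExtId
                Name        = $Json.name               # may be a __MSG_*__ locale key
                Permissions = ($Json.permissions -join ',')
                Installed   = $Manifest.Directory.CreationTime
                Approved    = ($Allowlist -contains $ExtId)
            }
        }
    }
}

# Review queue: everything outside the catalog, newest install first.
$Findings | Where-Object { -not $_.Approved } |
    Sort-Object Installed -Descending | Format-Table -AutoSize

# Policy-forced extensions also appear here; an entry the IT team did not set is a finding.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
                       'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist' -ErrorAction SilentlyContinue

# Windows startup locations and scheduled tasks outside the Microsoft tree.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                       'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Select-Object TaskName, TaskPath, Author, Date
```

The same approved-ID list is what an administrator would push as the Chrome/Edge ExtensionInstallAllowlist policy, so installs outside the catalog are blocked rather than only reported.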