Signal

UNC6692 threat group impersonates help desk staff to deliver Snow malware via Microsoft Teams

Evidence first: scan the strongest sources, then decide whether to go deeper.

Published 2026-04-24 10:38 UTCUpdated 2026-04-25 09:28 UTC

rss

malwarethreat_actorssecurity_toolingincident_response

Source links open

Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.

Back Evidence (2)Get the free brief by email Start free trial

No card needed for the free brief.

Evidence trail (top sources)

top sources (2 domains)

2 top sources shown

Crime crew impersonates help desk, abuses Microsoft Teams to steal your data

The Register Security · News · go.theregister.com · 2026-04-25 09:28 UTC

UNC6692 impersonates help desk employees to drop SNOW malware via Teams

SC Media · News · scworld.com · 2026-04-24 19:23 UTC

limited source diversity in top sources

View all evidence

Overview

A previously unknown cybercrime group identified as UNC6692 is conducting data-stealing attacks by impersonating help desk employees and abusing Microsoft Teams chat invitations.

Entities

MicrosoftSnow malware

Score total

0.85

Momentum 24h

Posts

Origins

Source types

Duplicate ratio

Why now

Recent discovery of UNC6692's campaign using Teams chat for malware delivery.
Growing use of collaboration platforms by attackers to bypass traditional defenses.
Urgent need for organizations to strengthen user awareness and incident response around Teams.

Why it matters

Highlights risks of social engineering via collaboration tools like Microsoft Teams.
Demonstrates use of custom malware (Snow) for data theft in targeted attacks.
Alerts security teams to new threat actor UNC6692 employing familiar phishing tactics.

LLM analysis

Topic mix: lowPromo risk: lowSource quality: medium

Recurring claims

UNC6692 impersonates help desk employees to deliver Snow malware via Microsoft Teams chat.

How sources frame it

SC Media: neutral
The Register Security: neutral

This report consolidates recent findings on UNC6692's use of Microsoft Teams and help desk impersonation to spread Snow malware, emphasizing the evolving threat landscape in collaboration platforms.

All evidence

Crime crew impersonates help desk, abuses Microsoft Teams to steal your data

The Register Security · go.theregister.com · 2026-04-25 09:28 UTC

UNC6692 impersonates help desk employees to drop SNOW malware via Teams

SC Media · scworld.com · 2026-04-24 19:23 UTC

Show filters & breakdown

Posts loaded: 0Publishers: 2Origin domains: 2Duplicates: -

Platform

Publisher

Origin domain

Relevance tier

Duplicates only

Showing 2 / 0

Top publishers (this list)

The Register Security (1)
SC Media (1)

Top origin domains (this list)

go.theregister.com (1)
scworld.com (1)