Storyline

UNC6692 uses Microsoft Teams social engineering to deploy custom malware

The threat group UNC6692 has been observed conducting a sophisticated intrusion campaign by impersonating IT helpdesk employees on Microsoft Teams.

Evidence trail (top sources)
Top sources (2 domains). Domains are deduped. Counts indicate coverage, not truth.
2 top sources shown
limited source diversity in top sources
Overview

  • Score total: 1.25
  • Momentum 24h: 2
  • Posts: 2
  • Origins: 2
  • Source types: 2
  • Duplicate ratio: 0%
Why now
  • The campaign was active as recently as April 2026.
  • Attackers are increasingly leveraging collaboration platforms for initial access.
  • Understanding these tactics aids in timely detection and incident response.
Why it matters
  • Demonstrates evolving social engineering tactics exploiting trusted enterprise communication platforms.
  • Highlights use of custom malware and browser extensions for deep network compromise.
  • Shows the importance of vigilance against phishing via collaboration tools like Microsoft Teams.
Continuity snapshot
  • Trend status: insufficient_history.
  • Continuity stage: emerging_confirmed.
  • Current status: open.
  • 2 current source-linked posts are attached to this storyline.
All evidence
Mandiant Blog on UNC6692 social engineering and malware
cloud.google.com · cloud.google.com · 2026-04-24 10:38 UTC
UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Deploy SNOW Malware
thehackernews · thehackernews.com · 2026-04-23 18:16 UTC
Top publishers (this list)
  • cloud.google.com (1)
  • thehackernews (1)
Top origin domains (this list)
  • cloud.google.com (1)
  • thehackernews.com (1)