To establish persistence for the extension, the code placed a shortcut to an AutoHotKey script in the Windows Startup folder and created two scheduled tasks: one to open a windowless Edge process and load Snowbelt, and one to kill headless Edge processes.

Next, the attackers used the malicious extension to download additional payloads, including AutoHotkey scripts, a ZIP archive, the Snowglaze tunnel, and the Snowbasin malware, from an attacker-controlled AWS S3 bucket.

Reconnaissance, lateral movement, and credential harvesting

UNC6692 used Snowglaze to establish a Sysinternals PsExec session to the system and enumerate administrator accounts. Using one of these accounts, it then initiated a Remote Desktop Protocol (RDP) session to a backup server via the Snowglaze tunnel.

“Though not directly observed, the threat actor may have acquired the local administrator accounts’ credentials via multiple attack paths such as authenticated Server Message Block (SMB) share enumeration,” GTIG notes.

The threat actor then dumped the LSASS process memory on the backup server and exfiltrated it via LimeWire to extract usernames, passwords, and user account hashes from it.

Next, UNC6692 used Pass-the-Hash to access the network’s domain controller, downloaded FTK Imager to it, used the tool to mount the local storage drive and write the Active Directory database file and the Security Account Manager (SAM), System, and Security registry hives to the \Downloads folder, and used LimeWire to exfiltrate the data.

The Snow malware

The three main components of the modular ‘Snow’ malware framework used in the attack, Snowbelt, Snowglaze, and Snowbasin, “form a coordinated pipeline that facilitates an attacker’s journey from initial browser-based access to the internal network of the organization,” GTIG says.

Snowbelt intercepts commands and delivers them to Snowbasin for execution, and provides authenticated access to the environment, enabling lateral movement and privilege escalation.

A Python-based tunneler, Snowglaze creates a secure, authenticated WebSocket tunnel to the attackers’ command-and-control (C&C) server, facilitates SOCKS proxy operations, and hides malicious traffic.

Snowbasin is a persistent backdoor functioning as a local HTTP server that supports command execution, screenshot capture, and data harvesting.

“The UNC6692 campaign demonstrates how modern attackers blend social engineering and technical evasion to gain a foothold into environments. […] By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic,” GTIG notes.
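The persistence chain described above (an AutoHotkey script started at logon, a windowless Edge process loading an extension, and a task that kills headless Edge) is something a defender can look for in process-creation telemetry. The triage helper below is an added example, not code from the article or from GTIG; it runs over constructed sample events, and it assumes the Chromium switches --headless and --load-extension, which the article does not name, so the regexes are illustrative rather than campaign indicators.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:            # constructed process-creation record
    host: str
    parent: str             # parent image path
    image: str              # created image path
    cmdline: str

# --headless / --load-extension are real Chromium switches; the article does
# not say which switches UNC6692 used, so these markers are an assumption.
HIDDEN_EDGE = re.compile(r"--headless\b", re.I)
LOADS_EXT = re.compile(r"--load-extension=", re.I)
AHK_EXE = re.compile(r"\\autohotkey(?:u?(?:32|64))?\.exe$", re.I)
AHK_SCRIPT = re.compile(r"\.ahk\b", re.I)
KILL_EDGE = re.compile(r"/IM\s+msedge\.exe", re.I)

def classify(ev: ProcEvent):
    """Label one event with the part of the chain it resembles, or None."""
    img, par = ev.image.lower(), ev.parent.lower()
    if img.endswith("\\msedge.exe") and HIDDEN_EDGE.search(ev.cmdline) \
            and LOADS_EXT.search(ev.cmdline):
        return "headless-edge-extension"
    if img.endswith("\\taskkill.exe") and KILL_EDGE.search(ev.cmdline):
        return "edge-kill"
    # Startup-folder shortcuts are launched by explorer.exe at logon
    if AHK_EXE.search(img) and AHK_SCRIPT.search(ev.cmdline) \
            and par.endswith("\\explorer.exe"):
        return "ahk-at-logon"
    return None

FULL_CHAIN = {"ahk-at-logon", "headless-edge-extension", "edge-kill"}

def triage(events) -> dict:
    """Map host -> sorted labels seen; a single label alone is weak evidence."""
    seen = {}
    for ev in events:
        label = classify(ev)
        if label:
            seen.setdefault(ev.host, set()).add(label)
    return {h: sorted(s) for h, s in seen.items()}

def hosts_with_full_chain(events) -> list:
    return sorted(h for h, s in triage(events).items() if FULL_CHAIN <= set(s))

# Constructed sample: host names and paths are illustrative, not indicators.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE = [
    ProcEvent("WS-01", r"C:\Windows\explorer.exe",
              r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
              r'"AutoHotkey.exe" C:\Users\u\AppData\Local\x\start.ahk'),
    ProcEvent("WS-01", r"C:\Windows\System32\svchost.exe", EDGE,
              r'"msedge.exe" --headless --load-extension=C:\Users\u\AppData\Local\x\ext'),
    ProcEvent("WS-01", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM msedge.exe"),
]
```

Headless Edge on its own is common in developer and test tooling, which is why the helper only escalates a host when all three parts of the chain appear together.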

Source: SecurityWeek