How UNC6692's 'Snow' Malware Uses Microsoft Teams to Infiltrate Indian SMBs

What Happened

A threat group tracked as UNC6692 has been actively deploying a custom malware suite called 'Snow' through a surprisingly mundane attack vector: Microsoft Teams. Rather than exploiting zero-days or breaching firewalls, UNC6692 relies on social engineering to trick employees into installing malicious browser extensions and backdoors via Teams messages.

The campaign leverages Teams' ubiquity in modern workplaces—especially post-pandemic when remote work normalized the platform. Victims receive seemingly legitimate Teams messages from what appear to be colleagues or vendors, containing links to download files or install "security updates." Once clicked, the Snow malware suite silently establishes persistence on the victim's machine.

What makes Snow particularly dangerous is its modular architecture: it includes a browser extension component (for credential harvesting and session hijacking), a tunneling module (for creating covert command-and-control channels), and a backdoor (for remote code execution). The entire attack chain is designed to evade detection by security tools that focus on network traffic rather than endpoint behavior.

Originally reported by BleepingComputer, this campaign has already compromised multiple organizations across sectors, with no public disclosure of specific victim counts yet—but security researchers warn the actual number is likely much higher.

Why This Matters for Indian Businesses

If you're running an Indian SMB, this should concern you deeply. Here's why:

First, the regulatory angle. India's Digital Personal Data Protection (DPDP) Act, 2023 mandates that organizations protect personal data of Indian citizens. If a Snow malware infection leads to credential theft and unauthorized access to customer databases, you're looking at potential DPDP violations, hefty fines, and mandatory breach notification within 72 hours. Additionally, CERT-In's 6-hour incident reporting mandate means you need to detect and report this type of compromise incredibly fast—most SMBs don't have the infrastructure to do that.

Second, the attack surface. In my years building enterprise systems for Fortune 500 companies, I observed that larger organizations have dedicated security teams monitoring Teams logs and enforcing strict browser extension policies. Indian SMBs rarely do. Teams is often the only collaboration tool you've approved, and employees are conditioned to trust messages from it. UNC6692 is exploiting this trust gap ruthlessly.

Third, the supply chain risk. Many Indian SMBs work with vendors, freelancers, and contractors who communicate via Teams. A single compromised contractor account can become the entry point for Snow malware across your entire organization. The RBI's Cyber Security Framework for Regulated Entities (which applies to fintech companies, payment processors, and financial services) explicitly calls out third-party risk management—and Teams-based attacks are a textbook third-party vector.

Technical Breakdown

Let me walk you through how the Snow attack chain actually works:

graph TD
    A[UNC6692 Sends Teams Message] -->|Social Engineering| B[Employee Clicks Link]
    B -->|Downloads Payload| C[Malware Installer Executes]
    C -->|Installs Browser Extension| D[Credential Harvesting Begins]
    C -->|Establishes Tunnel| E[C2 Channel Created]
    C -->|Deploys Backdoor| F[Remote Access Established]
    D -->|Exfiltrates Credentials| G[Attacker Gains Network Access]
    E -->|Command Execution| G
    F -->|Lateral Movement| G
    G -->|Data Exfiltration] H[Breach Complete]

The Three Components of Snow

1. Browser Extension (Credential Stealer) The extension runs silently in the background, hooking into common authentication flows. When an employee logs into email, banking portals, or SaaS applications, the extension captures:

1. Username and password fields
2. Session cookies (especially OAuth tokens)
3. Multi-factor authentication bypass techniques
4. API keys stored in browser local storage

2. Tunneling Module (Covert C2) Once installed, Snow establishes a persistent tunnel to attacker infrastructure. This tunnel:

1. Uses legitimate HTTPS traffic to blend in with normal business communications
2. Implements command-and-control (C2) via DNS tunneling or HTTP POST requests
3. Allows attackers to send commands without opening obvious inbound connections
4. Maintains persistence across reboots using Windows Registry or scheduled tasks

1. Execute arbitrary PowerShell commands
2. Pivot to other machines on your network
3. Dump LSASS memory to extract NTLM hashes
4. Access file shares and databases

Detection Evasion Techniques

Snow uses several techniques to avoid detection:

# Snow uses code obfuscation and process hollowing
# It may hide itself in legitimate processes like svchost.exe or explorer.exe
# Check for suspicious child processes:

Get-Process | Where-Object {$_.ProcessName -eq "explorer"} | Select-Object -ExpandProperty Id | ForEach-Object {
  Get-WmiObject Win32_Process | Where-Object {$_.ParentProcessId -eq $_} | Select-Object Name, CommandLine
}

# Look for unsigned DLLs loaded by common processes:
Get-Process explorer | Select-Object -ExpandProperty Modules | Where-Object {$_.FileVersionInfo.IsDebug -eq $true}

Snow also disables Windows Defender real-time protection via Group Policy or registry modifications:

# Attackers may modify this registry key to disable Defender:
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1

# To check if this has been modified:
reg query "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring

How to Protect Your Business

Quick Fix: Immediate Actions

Step 1: Audit Browser Extensions

Run this on every employee machine to list installed extensions:

# On Windows (PowerShell):
Get-ChildItem "C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions" -Recurse -Filter "manifest.json" | ForEach-Object {
  Get-Content $_.FullName | ConvertFrom-Json | Select-Object name, version
}

# On macOS (Bash):
find ~/Library/Application\ Support/Google/Chrome/Default/Extensions -name "manifest.json" -exec cat {} \; | grep -o '"name":"[^"]*"'

Step 2: Check for Disabled Defender

# Run as Administrator
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, IsScanningNow

# If output shows False, Defender has been disabled — investigate immediately

Step 3: Review Teams Message Logs

Ask your Microsoft 365 admin to export Teams chat logs for the past 30 days and search for:

1. Suspicious file downloads
2. Links to non-standard domains
3. Messages from external accounts impersonating employees

# Using Microsoft Graph API to audit Teams activity:
Connect-MgGraph -Scopes "TeamworkActivity.Read.All"

Get-MgTeamChannelMessage -TeamId "<team-id>" -ChannelId "<channel-id>" | Where-Object {$_.CreatedDateTime -gt (Get-Date).AddDays(-30)} | Select-Object From, Body, CreatedDateTime

Step 4: Employee Awareness Training

Educate your team on Snow-specific social engineering:

1. Verify unexpected file requests through a secondary channel (phone call, in-person)
2. Be suspicious of Teams messages asking to "update security" or "verify credentials"
3. Report suspicious messages to your IT team immediately (don't just delete them)

How Bachao.AI Detects This

When I was architecting security for large enterprises, one thing became clear: detection requires multiple layers working in concert. This is exactly why I built Bachao.AI—to make enterprise-grade detection accessible to Indian SMBs.

Here's how our platform maps to the Snow threat:

Real-World Detection Example

A customer of ours (a fintech startup in Bangalore) detected Snow through our Dark Web Monitoring service. One of their employees had clicked a malicious Teams link, installing the browser extension. Within 48 hours, the extension harvested their API credentials and pushed them to a dark web forum.

Our monitoring flagged the credential leak. We immediately alerted them, they revoked the compromised API key, and contained the breach before any data exfiltration occurred. Without the monitoring, they wouldn't have discovered the compromise for weeks—if ever.

Immediate Next Steps

1. This week: Run the quick fixes above (audit extensions, check Defender status, review Teams logs)
2. Next week: Implement the Teams security baseline (disable external sharing, app approval)
3. This month: Deploy dark web monitoring to detect if your credentials have already been compromised
4. Ongoing: Run quarterly VAPT scans to catch new vulnerabilities before attackers do

If you'd like a free assessment of your current Snow risk, book a VAPT scan with Bachao.AI →. We'll identify which of your employees are most vulnerable and which systems need hardening first.

Written by Shouvik Mukherjee, Founder of Bachao.AI. I spent 8 years building security architecture for Fortune 500 companies before starting Bachao.AI to make enterprise-grade cybersecurity accessible to Indian SMBs. Follow me on LinkedIn for daily insights on cybersecurity, compliance, and incident response tailored to Indian businesses.

Written by Shouvik Mukherjee, Founder of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.