ZCyberNews
Threat Intel | High | 3 min read | UNC6692

UNC6692 Email Bombing Delivers Snow Malware for Persistent Access

UNC6692 bombards victims with thousands of emails, then poses as IT support to deploy Snowbelt, Snowglaze, and Snowbasin malware for persistent backdoor access. No CVEs involved.

Executive Summary

UNC6692, a threat actor tracked by Mandiant, has been observed using a novel two-stage attack chain that combines email bombing with social engineering to deploy three variants of the Snow malware family — Snowbelt, Snowglaze, and Snowbasin — according to a SecurityWeek report published April 27, 2026. The attacker first floods a target's inbox with thousands of spam emails, then contacts the victim posing as IT support, instructing them to install remote access software that ultimately delivers the malware for persistent backdoor access. No CVE IDs or specific product vulnerabilities are associated with this campaign; the technique relies entirely on human manipulation.

Technical Analysis

The attack begins with an email bombing phase, where UNC6692 sends a high volume of junk emails to a target's corporate or personal inbox. This overwhelms the victim, creating a pretext for the second stage: the attacker contacts the victim via phone or chat, impersonating internal IT support or a trusted vendor. The social engineer claims the email flood is a security incident requiring immediate remediation and instructs the victim to install a legitimate remote desktop tool (such as AnyDesk or TeamViewer) or a malicious payload disguised as a security fix.

Once the victim grants remote access or executes the provided file, the attacker deploys one of three Snow malware variants:

  • Snowbelt: A backdoor that establishes persistent C2 communication, capable of file exfiltration and command execution.
  • Snowglaze: A variant focused on credential theft and keylogging, often used for lateral movement.
  • Snowbasin: A modular backdoor that can load additional plugins, including for screen capture and data staging.

Mandiant attributes the activity to UNC6692, a cluster previously linked to targeted intrusions in the technology and telecommunications sectors, though the current campaign's victimology was not detailed in the report. The malware families share code similarities and infrastructure overlaps, suggesting a single development team.

Mitigations & Recommendations

Defenders should implement email filtering rules that detect and quarantine bulk spam bursts, and configure rate-limiting on inbound email to flag anomalous volumes. User awareness training should specifically cover scenarios where IT support contacts employees unsolicited after an email disruption — legitimate IT teams rarely initiate contact via phone for spam issues. Organizations should enforce application allowlisting to block unauthorized remote desktop tools and monitor for unusual help-desk calls coinciding with email floods. Network detection teams can look for C2 traffic from Snow variants using known indicators (if available from Mandiant or threat intel feeds).
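The "email flood followed by a remote-access tool" correlation described above, as an added example that is not code from the report or from Mandiant: it runs a per-mailbox sliding-window burst detector over constructed mail-gateway log lines, then flags any AnyDesk or TeamViewer process start for a bombed user within a follow-up window. The log formats, thresholds and windows are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning values are assumptions for this example, not figures from the report.
BURST_THRESHOLD = 50                   # inbound messages to one mailbox...
BURST_WINDOW = timedelta(minutes=10)   # ...within this window = email bomb
FOLLOWUP_WINDOW = timedelta(hours=4)   # RMM start this soon after = alert
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe"}  # tools named in the report

def detect_bursts(mail_lines):
    """Return {recipient: time the burst threshold was first crossed}.
    Constructed log format: '<iso-ts> inbound to=<rcpt> from=<sender>'."""
    recent = defaultdict(deque)   # recipient -> timestamps in sliding window
    bursts = {}
    for line in mail_lines:
        ts_str, _, to_field, _ = line.split()
        ts = datetime.fromisoformat(ts_str)
        rcpt = to_field.split("=", 1)[1]
        window = recent[rcpt]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:   # drop timestamps outside window
            window.popleft()
        if len(window) >= BURST_THRESHOLD and rcpt not in bursts:
            bursts[rcpt] = ts
    return bursts

def correlate_rmm_installs(bursts, endpoint_lines):
    """Flag remote-access tool starts for bombed users shortly after the burst.
    Constructed log format: '<iso-ts> proc_start user=<rcpt> image=<exe>'."""
    alerts = []
    for line in endpoint_lines:
        ts_str, _, user_field, image_field = line.split()
        ts = datetime.fromisoformat(ts_str)
        user = user_field.split("=", 1)[1]
        image = image_field.split("=", 1)[1].lower()
        burst_at = bursts.get(user)
        if burst_at and image in RMM_BINARIES:
            if timedelta(0) <= ts - burst_at <= FOLLOWUP_WINDOW:
                alerts.append((user, image, ts.isoformat()))
    return alerts

# Constructed sample: 60 junk mails hit alice in 5 minutes, bob gets one normal
# mail; later alice starts AnyDesk (suspicious) and bob starts TeamViewer (not).
MAIL_LOG = [f"2026-04-27T09:{i // 12:02d}:{(i * 5) % 60:02d} inbound "
            f"to=alice@corp.example from=junk{i}@spam.example" for i in range(60)]
MAIL_LOG += ["2026-04-27T09:30:00 inbound to=bob@corp.example from=hr@corp.example"]
ENDPOINT_LOG = [
    "2026-04-27T10:15:00 proc_start user=alice@corp.example image=AnyDesk.exe",
    "2026-04-27T10:20:00 proc_start user=bob@corp.example image=TeamViewer.exe",
]
```

Run `correlate_rmm_installs(detect_bursts(MAIL_LOG), ENDPOINT_LOG)` to get the single alert for alice; in production the same two-step check would be fed from the mail gateway and EDR process-start telemetry.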
