

Security Awareness & Social Engineering

“Inbox Avalanche”: Cybercriminals Unleash Multi-Stage ‘Snow’ Attack With Social Engineering Blitz

Published: 27 April 2026 13:01
Category: Security Awareness & Social Engineering
Author: LOGICFALCON

A new threat actor, UNC6692, orchestrates a cunning email bombing and tech support ruse to infiltrate organizations with a sophisticated malware framework.

In December 2025, an avalanche of emails signaled the start of a new campaign. Victims found their inboxes flooded, their nerves frayed and their defenses tested, not by brute technical force alone but by psychological manipulation. At the center was a group tracked as UNC6692, which blends old-school social engineering with a custom malware set to breach even well-defended organizations.

The attack opened with a classic distraction: targets were buried under a deluge of emails. But this was no ordinary spam run. Shortly afterwards, the targets received a Microsoft Teams message from someone posing as IT support and offering to help with the suspicious influx. The ruse deepened when victims were directed to a polished phishing page posing as a mailbox repair utility, complete with convincing progress bars and authentication prompts designed to harvest credentials while lulling users into a false sense of security. The flood is only the pretext; the unsolicited Teams contact is the real lure, and the "repair" page is the first malicious action the victim is asked to perform.

Behind the scenes, the technical stage took over. A script downloaded and ran AutoHotkey programs, which in turn installed a malicious browser extension called Snowbelt. The extension, running inside the user's familiar Chromium browser, became the foothold for the wider breach. To survive reboots, the attackers created Windows startup shortcuts and scheduled tasks, making the infection stubbornly persistent.
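The two persistence artefacts named above, a sideloaded Chromium extension and a scheduled task that launches a script interpreter, are things a responder can triage offline from collected files. The following is an added example written for this article, not UNC6692 tooling and not code from the original report: it scores a Chromium extension manifest and a Task Scheduler XML export. The manifest, the task XML, the permission lists and the "user-writable path" heuristics are constructed or assumed for the demo, not indicators from the campaign.

```python
"""Offline triage of two persistence artefacts: a sideloaded Chromium extension
manifest and a Task Scheduler XML export. Added example, not the article's or
UNC6692's code; the sample manifest and task below are constructed for the demo."""
import json
import xml.etree.ElementTree as ET

# Permissions that let an extension read or rewrite every page, or reach native
# code; any of them in an extension that did not come from the Web Store is worth a look.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "nativeMessaging",
                     "debugger", "cookies", "tabs", "scripting", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# AutoHotkey is the interpreter the article names; the rest are generic suspects (assumed list).
INTERPRETERS = ("autohotkey", "wscript", "cscript", "powershell", "mshta", "rundll32")
# Directories a standard user can write to; a task command living there is unusual (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\", "\\downloads\\")


def extension_findings(manifest: dict, from_web_store: bool) -> list[str]:
    """Reasons a Chromium extension manifest looks like a foothold (empty list = nothing odd)."""
    findings = []
    if not from_web_store:
        findings.append("sideloaded (not installed from the Chrome Web Store)")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("risky permissions: " + ", ".join(risky))
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        findings.append("runs on every site: " + ", ".join(broad))
    background = manifest.get("background", {})
    if background.get("service_worker") or background.get("scripts"):
        findings.append("background script (runs without any page open)")
    return findings


def task_findings(task_xml: str) -> list[str]:
    """Reasons a Task Scheduler XML export looks like attacker persistence."""
    root = ET.fromstring(task_xml)
    findings = []
    for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        combined = (command + " " + args).lower()
        if any(name in command.lower() for name in INTERPRETERS):
            findings.append(f"launches a script interpreter: {command}")
        if any(d in combined for d in USER_WRITABLE):
            findings.append(f"command or argument under a user-writable path: {command} {args}".strip())
    if root.find(".//t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        findings.append("fires at user logon")
    if root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=TASK_NS).strip().lower() == "true":
        findings.append("hidden from the Task Scheduler UI")
    return findings


# Constructed sample: an extension named to match the "mailbox repair" pretext.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Mailbox Repair Helper", "version": "1.0",
  "permissions": ["webRequest", "nativeMessaging", "tabs", "storage"],
  "host_permissions": ["<all_urls>"],
  "background": {"service_worker": "bg.js"}
}""")

# Constructed sample: a hidden logon task running AutoHotkey from the user's profile.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Users\\jdoe\\AppData\\Roaming\\ahk\\AutoHotkey.exe"</Command>
      <Arguments>C:\\Users\\jdoe\\AppData\\Roaming\\ahk\\update.ahk</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for line in extension_findings(SAMPLE_MANIFEST, from_web_store=False) + task_findings(SAMPLE_TASK):
        print("-", line)
```

On a live host the inputs come from the extension directories under the browser profile (each extension ships its own manifest.json) and from an export of the task in question with the Task Scheduler or schtasks; startup-folder shortcuts need a .lnk parser and are left out here. None of the findings is proof on its own: plenty of legitimate extensions ask for broad host access, and the value of the check is in combining several weak signals on the same artefact.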

From this foothold, UNC6692's campaign unfolded with precision. The Snowbelt extension quietly fetched additional payloads, including the Snowglaze tunneling tool and the Snowbasin backdoor, from attacker-controlled cloud storage. Snowglaze established an encrypted tunnel that let the operators move laterally through the network and escalate their privileges. Using PsExec and Remote Desktop Protocol, they harvested administrator credentials, dumped memory from backup servers, and exfiltrated large volumes of data through anonymized channels.
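The post-compromise chain above (PsExec, RDP, credential dumping, one host reaching into many) leaves a recognisable trail in Windows security events. The following is an added example written for this article, not the article's or any vendor's detection content: it runs four rules over flattened JSON-lines events of the kind a SIEM exports. The event lines, the jump-host allowlist, the command-line patterns and the fan-out thresholds are constructed or assumed for the demo, not indicators from the campaign.

```python
"""Detection pass over flattened Windows security events for a lateral-movement
chain: PsExec service installs (7045), RDP logons (4624 type 10) from an unsanctioned
source, LSASS memory dumps (4688 command lines), and one source fanning out to several
hosts. Added example, not the article's or any vendor's rules; the events, allowlist
and thresholds below are constructed/assumed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

JUMP_HOSTS = {"10.1.5.23"}              # assumption: the only sanctioned RDP source
FANOUT_WINDOW = timedelta(minutes=60)   # assumption: tuning values, not from the report
FANOUT_MIN_HOSTS = 3

# Constructed sample, one JSON event per line (backslashes are JSON-escaped).
SAMPLE_EVENTS = r"""
{"ts":"2025-12-10T09:01:00Z","host":"WS-042","id":4624,"logon_type":10,"user":"jdoe","src_ip":"10.1.5.23"}
{"ts":"2025-12-10T09:13:50Z","host":"FS-01","id":4624,"logon_type":3,"user":"CORP\\svc_backup","src_ip":"10.1.5.42"}
{"ts":"2025-12-10T09:14:12Z","host":"FS-01","id":7045,"service":"PSEXESVC","image":"%SystemRoot%\\PSEXESVC.exe","user":"CORP\\svc_backup"}
{"ts":"2025-12-10T09:14:40Z","host":"FS-01","id":4688,"image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Temp\\l.dmp full","user":"CORP\\svc_backup"}
{"ts":"2025-12-10T09:20:05Z","host":"BK-01","id":4624,"logon_type":10,"user":"CORP\\admin","src_ip":"10.1.5.42"}
{"ts":"2025-12-10T09:31:00Z","host":"DC-01","id":4624,"logon_type":10,"user":"CORP\\admin","src_ip":"10.1.5.42"}
{"ts":"2025-12-10T13:00:00Z","host":"PRT-01","id":7045,"service":"Spooler","image":"C:\\Windows\\System32\\spoolsv.exe","user":"SYSTEM"}
"""


def parse_events(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def event_time(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def looks_like_lsass_dump(cmdline: str) -> bool:
    """Well-known LSASS dumping command lines (comsvcs MiniDump, procdump, mimikatz sekurlsa)."""
    c = cmdline.lower()
    return (("comsvcs.dll" in c and "minidump" in c)
            or ("procdump" in c and "lsass" in c)
            or "sekurlsa" in c)


def detect(events: list[dict]) -> list[tuple]:
    """Return alert tuples (rule, where, detail) in time order, fan-out last."""
    alerts = []
    reach = defaultdict(list)  # source ip -> [(time, target host)] from network/RDP logons
    for e in sorted(events, key=event_time):
        eid = e["id"]
        if eid == 7045 and "psexesvc" in (e.get("service", "") + e.get("image", "")).lower():
            alerts.append(("psexec_service_install", e["host"], e.get("user")))
        elif eid == 4688 and looks_like_lsass_dump(e.get("cmdline", "")):
            alerts.append(("lsass_memory_dump", e["host"], e.get("user")))
        elif eid == 4624 and e.get("logon_type") in (3, 10):
            src = e.get("src_ip", "")
            if e["logon_type"] == 10 and src not in JUMP_HOSTS:
                alerts.append(("rdp_from_unsanctioned_source", e["host"], src))
            reach[src].append((event_time(e), e["host"]))
    # Fan-out: one source touching FANOUT_MIN_HOSTS distinct hosts inside the window.
    for src, hits in reach.items():
        for i, (t0, _) in enumerate(hits):
            targets = {h for t, h in hits[i:] if t - t0 <= FANOUT_WINDOW}
            if len(targets) >= FANOUT_MIN_HOSTS:
                alerts.append(("lateral_fanout", src, tuple(sorted(targets))))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Two practical caveats: the 4688 rule only works where process command-line auditing is enabled, and a 7045 PSEXESVC install by itself is routine in many admin teams. The fan-out correlation is what turns individually noisy signals into something worth paging on, which is why the sample ties the PsExec install, the dump and the RDP logons to one source address.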

What sets this campaign apart is the seamless fusion of human manipulation and technical subterfuge. By hosting malware on trusted platforms such as AWS, UNC6692's operators sidestepped reputation- and domain-based blocking, blending into legitimate cloud traffic while exploiting the weakest link, the human element. The modular "Snow" framework (Snowbelt, Snowglaze, Snowbasin) gave them a coordinated, adaptable attack pipeline that runs from a browser-based entry point to the heart of the network.

As cybercriminals increasingly combine psychological tricks with advanced malware, the line between social engineering and technical compromise blurs. The UNC6692 campaign is a stark reminder that even the best technology can be undone by a moment of misplaced trust. In the cat-and-mouse game of modern cybersecurity, vigilance and skepticism remain the first, and sometimes the last, line of defense.

WIKICROOK

  • Email Bombing: Email bombing is a cyberattack where attackers flood an inbox with excessive emails, overwhelming the user and disrupting normal email operations.
  • Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
  • Browser Extension: A browser extension is a small add-on that enhances browser features but can also be misused by hackers to steal data or spy on users.
  • Persistence: Persistence covers the techniques malware uses to survive reboots and stay on a system, typically by registering startup items, scheduled tasks or services, often disguised as legitimate processes or updates.
  • Lateral Movement: Lateral movement is when attackers, after breaching a network, move sideways to access more systems or sensitive data, expanding their control and reach.