Google Threat Intelligence Group identified a sophisticated intrusion campaign by UNC6692 that combined persistent social engineering with custom malware. The attackers impersonated IT helpdesk personnel via Microsoft Teams, leveraging initial email spam campaigns to create urgency. Victims were tricked into downloading AutoHotKey scripts that installed SNOWBELT, a malicious browser extension establishing persistence through scheduled tasks. The modular SNOW ecosystem enabled deep network penetration: SNOWBELT provided initial access, SNOWGLAZE created encrypted WebSocket tunnels masking traffic as legitimate cloud communications, and SNOWBASIN functioned as a local backdoor for command execution. UNC6692 performed internal reconnaissance, escalated privileges by extracting LSASS memory, and used Pass-The-Hash techniques to access domain controllers. The operation culminated in exfiltration of Active Directory databases and credentials via LimeWire, demonstrating advanced tradecraft abusing legitimate clou...