{
  "Event": {
    "analysis": "1",
    "date": "2026-04-24",
    "extends_uuid": "",
    "info": "[Threat Intel] Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite",
    "protected": false,
    "publish_timestamp": "1779545598",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779545597",
    "uuid": "c17efb34-3c66-4669-948c-e14734de402d",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#6e57da",
        "local": false,
        "name": "misp-galaxy:producer=\"Mandiant\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#d3f567",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#8efd0f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Account Manager - T1003.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#657ac3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Protocol Tunneling - T1572\"",
        "relationship_type": ""
      },
      {
        "colour": "#07ff3c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration to Cloud Storage - T1567.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d37d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#50bd28",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"",
        "relationship_type": ""
      },
      {
        "colour": "#1ef2bb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Pass the Hash - T1550.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b9e5c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"NTDS - T1003.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#5884a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#fdd85e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Archive Collected Data - T1560\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Archive via Utility - T1560.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"AutoHotKey & AutoIT - T1059.010\"",
        "relationship_type": ""
      },
      {
        "colour": "#cfba47",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Browser Extensions - T1176.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command Obfuscation - T1027.010\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compression - T1027.015\"",
        "relationship_type": ""
      },
      {
        "colour": "#9c8729",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#aa1f95",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Staged - T1074\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Debugger Evasion - T1622\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#bce57a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#6d779a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#44b2c2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Indirect Command Execution - T1202\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#52486a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inter-Process Communication - T1559\"",
        "relationship_type": ""
      },
      {
        "colour": "#76434a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Link Target - T1608.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Account - T1087.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Password Guessing - T1110.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#6ef296",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Password Spraying - T1110.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#3970d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#041edc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#b672a4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
        "relationship_type": ""
      },
      {
        "colour": "#fae37b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#b2a633",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"",
        "relationship_type": ""
      },
      {
        "colour": "#82a529",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Shortcut Modification - T1547.009\"",
        "relationship_type": ""
      },
      {
        "colour": "#50bcaa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Discovery - T1518\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Service Discovery - T1007\"",
        "relationship_type": ""
      },
      {
        "colour": "#44e07f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Token Impersonation/Theft - T1134.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Upload Tool - T1608.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028418",
        "to_ids": false,
        "type": "link",
        "uuid": "148da896-8c6c-490a-9a50-48d9124c3197",
        "value": "https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028418",
        "to_ids": false,
        "type": "text",
        "uuid": "180ab6cd-afc1-4e3d-8f8c-5be9f64bb7bf",
        "value": "Google Threat Intelligence Group identified a sophisticated intrusion campaign by UNC6692 that combined persistent social engineering with custom malware. The attackers impersonated IT helpdesk personnel via Microsoft Teams, leveraging initial email spam campaigns to create urgency. Victims were tricked into downloading AutoHotKey scripts that installed SNOWBELT, a malicious browser extension establishing persistence through scheduled tasks. The modular SNOW ecosystem enabled deep network penetration: SNOWBELT provided initial access, SNOWGLAZE created encrypted WebSocket tunnels masking traffic as legitimate cloud communications, and SNOWBASIN functioned as a local backdoor for command execution. UNC6692 performed internal reconnaissance, escalated privileges by extracting LSASS memory, and used Pass-The-Hash techniques to access domain controllers. The operation culminated in exfiltration of Active Directory databases and credentials via LimeWire, demonstrating advanced tradecraft abusing legitimate clou..."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028418",
        "to_ids": false,
        "type": "text",
        "uuid": "696163d1-241d-4b0d-a3e8-938d75fd64d6",
        "value": "Name: Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite\nAuthor: AlienVault\nAdversary: UNC6692\nTags: [\"social engineering\", \"cloud infrastructure abuse\", \"browser extension\", \"snowbelt\", \"microsoft teams phishing\", \"brickstorm\", \"snowglaze\", \"snowbasin\"]\nTgtd countries: []\nMlwr families: [\"SNOWBELT\", \"SNOWGLAZE\", \"SNOWBASIN\", \"BRICKSTORM\"]\nAttack_ids: [\"T1053.005\", \"T1113\", \"T1059.007\", \"T1003.002\", \"T1204.002\", \"T1566.002\", \"T1572\", \"T1003.001\", \"T1090\", \"T1059.001\", \"T1547.001\", \"T1567.002\", \"T1059.006\", \"T1059.003\", \"T1071.001\", \"T1046\", \"T1550.002\", \"T1021.001\", \"T1003.003\", \"T1204.001\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028418",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "6e915a0f-3e1f-447d-b067-bee6dd2738c0",
        "value": "UNC6692"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545583",
        "to_ids": true,
        "type": "sha256",
        "uuid": "4264fe80-340c-485a-ad23-2104a2a3e77a",
        "value": "2fa987b9ed6ec6d09c7451abd994249dfaba1c5a7da1c22b8407c461e62f7e49",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545584",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5311e60d-b217-4e61-881e-ea27fa0824c0",
        "value": "691f7258f212fa8908a8bf06bcf9e027d2177276e13e10ff56bd434ff3755cc4",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545586",
        "to_ids": true,
        "type": "sha256",
        "uuid": "c5366563-92c6-4c51-a924-0b60901f73e1",
        "value": "6e6dab993f99505646051d2772701e3c4740096ff9be63c92713bcb7fcddf9f7",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545588",
        "to_ids": true,
        "type": "sha256",
        "uuid": "a938ee15-43a7-49f2-8d02-c88047f866fa",
        "value": "7f1d71e1e079f3244a69205588d504ed830d4c473747bb1b5c520634cc5a2477",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545590",
        "to_ids": true,
        "type": "sha256",
        "uuid": "773c30d5-62b6-4749-92b4-8e981da6d614",
        "value": "ca390b86793922555c84abc3b34406da2899382c617f9dcf83a74ac09dd18190",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545592",
        "to_ids": true,
        "type": "sha256",
        "uuid": "de0079c7-f9dd-4cb5-a862-9f056787696b",
        "value": "de200b79ad2bd9db37baeba5e4d183498d450494c71c8929433681e848c3807f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545593",
        "to_ids": true,
        "type": "sha1",
        "uuid": "3116d111-4a5c-4f9b-9ff3-808a2a8915bc",
        "value": "726c48860d8d840044dccb3919b773d502a1e60d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545595",
        "to_ids": true,
        "type": "sha1",
        "uuid": "07e01cc5-cc5b-4136-9f0f-7ef9fd6dae48",
        "value": "9c685523fce5e6ad6d6ee4fa02693cefc8c6e102",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545597",
        "to_ids": true,
        "type": "sha1",
        "uuid": "c6099887-88bc-49db-b9f6-36622e6df5ac",
        "value": "d83494bd8a7f816ce39576c776e67c2e9f568080",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Artifacts dropped",
        "comment": "IOC-content:rule G_Tunneler_SNOWGLAZE_1 {\n  meta:\n   author = \"Google Threat Intelligence Group (GTIG)\"\n   platforms = \"Windows, Linux\"\n\n  strings:\n    $r1 = /\\.connect\\(\\s{0,25}WS_PROXY_URL/\n    $r2 = /\"data\":\\s{0,1}base64\\.b64encode\\(\\w{1,10}\\)\\.decode\\('ascii'\\)/\n    $r3 = /\"type\":\\s{0,1}\"socks_data\"/\n    $r4 = /await\\s{0,1}reader\\.read\\(\\d{2,4}\\)/\n    $r5 = /\"login\":\\s{0,1}AGENT_LOGIN/\n    $r6 = /\"password\":\\s{0,1}AGENT_PASSWORD/\n    $r7 = /\"uuid\":\\s{0,1}AGENT_UUID/\n    \n    $s1 = \".socks_tcp_to_ws\"\n\n  condition:\n    5 of ($r*)\n    and $s1\n}\nIOC-title:G_Tunneler_SNOWGLAZE_1",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028418",
        "to_ids": true,
        "type": "yara",
        "uuid": "b349309b-67a3-4761-8fa7-a19862466734",
        "value": "d83494bd8a7f816ce39576c776e67c2e9f568080"
      },
      {
        "category": "Artifacts dropped",
        "comment": "IOC-content:rule G_Backdoor_SNOWBELT_1 {\n    meta:\n        author = \"Google Threat Intelligence Group (GTIG)\"\n        platform = \"Windows\"\n    \n\tstrings:\n\t\t$str1 = \".importKey(\\\"raw\\\",keyMaterial,\\\"AES-GCM\\\",!1,[\\\"decrypt\\\"])\"\n\t\t$str2 = \".importKey(\\\"raw\\\",keyMaterial,\\\"AES-GCM\\\",!1,[\\\"encrypt\\\"])\"\n\t\t$str3 = \"sendJsonDataToS3\"\n\t\t$str4 = \"processCommand\"\n\t\t$str5 = \"\\\"screenshot\\\"===cmdType\"\n\t\t$str6 = \"\\\"payload\\\"===cmdType\"\n\t\t$str7 = \"\\\"websocket_control\\\"===cmdType\"\n\t\t$str8 = \"\\\"open_uri\\\"===cmdType\"\n\t\t$str9 = \"\\\"delete_cache\\\"===cmdType\"\n\t\t$str10 = \"\\\"payload_download_complete\\\"\"\n\t\t$str11 = \".s3.us-east-2.amazonaws.com/\"\n\tcondition:\n\t\tall of them\n          \n}\nIOC-title:G_Backdoor_SNOWBELT_1",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028418",
        "to_ids": true,
        "type": "yara",
        "uuid": "35871773-856a-41dd-936a-d3f8fe042ac8",
        "value": "726c48860d8d840044dccb3919b773d502a1e60d"
      },
      {
        "category": "Artifacts dropped",
        "comment": "IOC-content:rule G_Backdoor_SNOWBASIN_1 {\n  meta:\n    author = \"Google Threat Intelligence Group (GTIG)\"\n    platform = \"Windows\"\n\n  strings:\n    $path1 = \"self.path == '/probe':\"\n    $path2 = \"self.path == '/stream':\"\n    $path3 = \"self.path == '/buffer':\"\n    $path4 = \"self.path == '/flush':\"\n    $path5 = \"self.path == '/commit':\"\n    $path6 = \"self.path == '/capture':\"\n    $path7 = \"self.path == '/gc':\"\n\n    $func1 = \"self.handle_stream(\"\n    $func2 = \"self.handle_buffer(\"\n    $func3 = \"self.handle_flush(\"\n    $func4 = \"self.handle_commit(\"\n\n    $s1 = \"self.wfile.write(info_msg\"\n    $s2 = \"selected_port), WebServerHandler) as httpd:\"\n    $s3 = \"ThreadedTCPServer(socketserver.ThreadingMixIn\"\n    $s4 = \"httpd.serve_forever()\"\n\n\n  condition:\n    filesize<1MB and (\n      (all of ($s*) and 6 of ($path*, $func*)) or\n      (8 of ($path*, $func*)) or\n      10 of them\n    )\n}\nIOC-title:G_Backdoor_SNOWBASIN_1",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028418",
        "to_ids": true,
        "type": "yara",
        "uuid": "13807316-8f9c-4536-9eba-1367d728c54a",
        "value": "9c685523fce5e6ad6d6ee4fa02693cefc8c6e102"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612526",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b399f26e-c140-4430-acc5-7d1fcbfbfc24",
        "value": "service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612547",
        "to_ids": true,
        "type": "hostname",
        "uuid": "21b181bc-4a4e-47b0-afe8-ed2ec80869bb",
        "value": "cloudfront-021.s3.us-west-2.amazonaws.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612568",
        "to_ids": true,
        "type": "url",
        "uuid": "1bd5591b-6408-4b8c-aaeb-a7b6521d2b97",
        "value": "wss://sad4w7h913-b4a57f9c36eb.herokuapp.com/ws",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612589",
        "to_ids": true,
        "type": "hostname",
        "uuid": "52df7abf-13be-4119-a6f7-f15e5d5a6797",
        "value": "service-page-11369-28315-outlook.s3.us-west-2.amazonaws.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1777606708",
        "uuid": "8d59ff04-0ad2-47dc-b814-9f123756b32e",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1777606708",
            "to_ids": false,
            "type": "text",
            "uuid": "33af2284-fbe1-49c4-92ae-7dde8470a1da",
            "value": "G_Tunneler_SNOWGLAZE_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1777606708",
            "to_ids": false,
            "type": "comment",
            "uuid": "f18c92e7-62a0-4fb0-92bf-79a66013d919",
            "value": "G_Tunneler_SNOWGLAZE_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1777606708",
            "to_ids": true,
            "type": "yara",
            "uuid": "cda25064-1eb8-4384-8450-3ca5f5b25663",
            "value": "rule G_Tunneler_SNOWGLAZE_1 {\r\n  meta:\r\n   author = \"Google Threat Intelligence Group (GTIG)\"\r\n   platforms = \"Windows, Linux\"\r\n\r\n  strings:\r\n    $r1 = /\\.connect\\(\\s{0,25}WS_PROXY_URL/\r\n    $r2 = /\"data\":\\s{0,1}base64\\.b64encode\\(\\w{1,10}\\)\\.decode\\('ascii'\\)/\r\n    $r3 = /\"type\":\\s{0,1}\"socks_data\"/\r\n    $r4 = /await\\s{0,1}reader\\.read\\(\\d{2,4}\\)/\r\n    $r5 = /\"login\":\\s{0,1}AGENT_LOGIN/\r\n    $r6 = /\"password\":\\s{0,1}AGENT_PASSWORD/\r\n    $r7 = /\"uuid\":\\s{0,1}AGENT_UUID/\r\n    \r\n    $s1 = \".socks_tcp_to_ws\"\r\n\r\n  condition:\r\n    5 of ($r*)\r\n    and $s1\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1777606729",
        "uuid": "bf188de6-1e10-4ced-a777-70148f750633",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1777606729",
            "to_ids": false,
            "type": "text",
            "uuid": "7a1e7253-6d4e-49f5-b7b0-1817502e09d8",
            "value": "G_Backdoor_SNOWBELT_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1777606729",
            "to_ids": false,
            "type": "comment",
            "uuid": "78adc593-1f3d-402e-bd09-c390e74f8fe9",
            "value": "G_Backdoor_SNOWBELT_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1777606729",
            "to_ids": true,
            "type": "yara",
            "uuid": "652b7a5d-2bc2-4159-be5b-71b20836fe89",
            "value": "rule G_Backdoor_SNOWBELT_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n        platform = \"Windows\"\r\n    \r\n\tstrings:\r\n\t\t$str1 = \".importKey(\\\"raw\\\",keyMaterial,\\\"AES-GCM\\\",!1,[\\\"decrypt\\\"])\"\r\n\t\t$str2 = \".importKey(\\\"raw\\\",keyMaterial,\\\"AES-GCM\\\",!1,[\\\"encrypt\\\"])\"\r\n\t\t$str3 = \"sendJsonDataToS3\"\r\n\t\t$str4 = \"processCommand\"\r\n\t\t$str5 = \"\\\"screenshot\\\"===cmdType\"\r\n\t\t$str6 = \"\\\"payload\\\"===cmdType\"\r\n\t\t$str7 = \"\\\"websocket_control\\\"===cmdType\"\r\n\t\t$str8 = \"\\\"open_uri\\\"===cmdType\"\r\n\t\t$str9 = \"\\\"delete_cache\\\"===cmdType\"\r\n\t\t$str10 = \"\\\"payload_download_complete\\\"\"\r\n\t\t$str11 = \".s3.us-east-2.amazonaws.com/\"\r\n\tcondition:\r\n\t\tall of them\r\n          \r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1777606745",
        "uuid": "acc66883-4e1b-458a-85c0-a23b38133609",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1777606745",
            "to_ids": false,
            "type": "text",
            "uuid": "5b220b57-7aa6-488b-b57c-848660587807",
            "value": "G_Backdoor_SNOWBASIN_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1777606745",
            "to_ids": false,
            "type": "comment",
            "uuid": "27a08485-1105-4c0f-9eb0-68ab7080db9d",
            "value": "G_Backdoor_SNOWBASIN_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1777606745",
            "to_ids": true,
            "type": "yara",
            "uuid": "a09fc8e5-4b89-4254-a12e-244860a8811f",
            "value": "rule G_Backdoor_SNOWBASIN_1 {\r\n  meta:\r\n    author = \"Google Threat Intelligence Group (GTIG)\"\r\n    platform = \"Windows\"\r\n\r\n  strings:\r\n    $path1 = \"self.path == '/probe':\"\r\n    $path2 = \"self.path == '/stream':\"\r\n    $path3 = \"self.path == '/buffer':\"\r\n    $path4 = \"self.path == '/flush':\"\r\n    $path5 = \"self.path == '/commit':\"\r\n    $path6 = \"self.path == '/capture':\"\r\n    $path7 = \"self.path == '/gc':\"\r\n\r\n    $func1 = \"self.handle_stream(\"\r\n    $func2 = \"self.handle_buffer(\"\r\n    $func3 = \"self.handle_flush(\"\r\n    $func4 = \"self.handle_commit(\"\r\n\r\n    $s1 = \"self.wfile.write(info_msg\"\r\n    $s2 = \"selected_port), WebServerHandler) as httpd:\"\r\n    $s3 = \"ThreadedTCPServer(socketserver.ThreadingMixIn\"\r\n    $s4 = \"httpd.serve_forever()\"\r\n\r\n\r\n  condition:\r\n    filesize<1MB and (\r\n      (all of ($s*) and 6 of ($path*, $func*)) or\r\n      (8 of ($path*, $func*)) or\r\n      10 of them\r\n    )\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545581",
        "uuid": "1e4ce4f0-7006-48e3-8de9-123407cd6b7d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545580",
            "to_ids": true,
            "type": "md5",
            "uuid": "0e0b0bff-9bfc-4c5e-9c55-a4fc5b37b9f2",
            "value": "ea3590ecf7f83f8cd5e2773f11ac1131",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545580",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b4e46280-90c6-462b-bc7f-54b01c87b68c",
            "value": "d351da4bd2bdee4f50b145fd275b7cbed74f67b3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545581",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6f5bc2e2-2ea8-49e8-86b0-c368b743808c",
            "value": "c8940de8cb917abe158a826a1d08f1083af517351d01642e6c7f324d0bba1eb8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777609561",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "99083faa-e6e6-446c-8f5d-024c2d16e21c",
            "value": "192:HxLi49lj4R0nlrSnUrAire9zAoUirqM9Gdpy07AlUrgDrkDrzi7MY07mY071Drw6:HxEbzRcMyaU2Z7ZZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777609561",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f69b7c69-2617-4620-920a-56db75964ec9",
            "value": "15495"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777609561",
            "to_ids": true,
            "type": "filename",
            "uuid": "2f2dddf1-9df9-4953-9a74-ac48cd7e6e57",
            "value": "log-ws"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan: 01/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777609561",
            "to_ids": false,
            "type": "text",
            "uuid": "c95c8637-3bc7-46f4-8d6e-2499cae75e69",
            "value": "Type Description: Python\nMicrosoft: None\nVT Total Detection:18/64\nFirst Submission:2026-04-23T03:10:15.000000+00:00\nLast Submission:2026-04-23T03:10:15.000000+00:00"
          }
        ]
      }
    ]
  }
}