Google's Threat Intelligence Group and Mandiant have exposed a new financially motivated hacker group called UNC6692, which blends social engineering, custom malware, and AWS S3 buckets to steal credentials.
The group starts by flooding a target's inbox with spam, then impersonates IT help desk staff over Microsoft Teams, tricking victims into clicking a phishing link that silently installs malware — including a rogue browser extension, a Python backdoor, and a persistent remote access tool.
From there, attackers scan internal networks, hijack admin accounts, and dump Windows credential stores. Using legitimate cloud infrastructure lets them slip past traditional security filters undetected.
Source: Dark Reading