UNC6692 hackers impersonate IT helpdesk via Microsoft Teams to trick employees into granting access and deploying malware.
April 2026 – Cybersecurity researchers have identified a new threat group tracked as UNC6692, which is carrying out targeted social engineering attacks by impersonating IT helpdesk personnel through Microsoft Teams.
The campaign uses fake IT support identities to contact employees directly inside enterprise environments. Attackers initiate conversations through Teams, convincing victims that they are legitimate technical support staff responding to system issues or security alerts.
Once trust is established, victims are manipulated into granting access, approving remote support sessions, or executing actions that allow the attackers to move deeper into corporate networks.
UNC6692 combines multiple techniques, including:
- IT helpdesk impersonation via Microsoft Teams chat
- Targeted phishing campaigns alongside mass email “noise” attacks
- Social engineering to bypass identity verification controls
- Deployment of custom malware after initial access
- Use of legitimate enterprise tools to maintain stealth and persistence
Researchers report that the group relies heavily on abusing trusted collaboration platforms rather than traditional malware delivery methods. By operating inside tools employees already use daily, the attackers make their approach significantly more convincing and harder to detect.
Once access is obtained, UNC6692 deploys a modular malware framework designed to maintain persistence, escalate privileges, and enable internal network movement. The attackers also use browser-based persistence mechanisms, such as malicious extensions, to retain long-term access.
The attacks allow UNC6692 to:
- Gain unauthorized access to internal systems
- Move laterally across enterprise networks
- Steal credentials and sensitive data
- Maintain persistent access using legitimate tools
Security analysts warn that the abuse of collaboration platforms like Microsoft Teams represents a growing trend in modern enterprise-focused cyberattacks, where attackers prioritize human trust exploitation over technical exploitation.
Related articles :
- Microsoft Warns of WhatsApp-Delivered Malware Attack
- First Malicious Outlook Add-In Steals 4,000+ Credentials
- China-Linked APT31 Launches Stealthy Cyberattacks on Russian IT Using Cloud Services
Reports are sourced from official documents, law-enforcement updates, and credible investigations.
Discover additional reports, market trends, crime analysis and Harm Reduction articles on DarkDotWeb to stay informed about the latest dark web operations.
