Deep Dive into UNC6692's Social Engineering and Custom Malware Attack
In late December 2025, a newly tracked threat group, UNC6692, executed a sophisticated multi-stage intrusion campaign that combined persistent social engineering, a custom modular malware suite, and clever internal pivoting to achieve deep network penetration. This campaign, dubbed "Snow Flurries," highlights an evolution in attacker tactics, particularly the use of IT helpdesk impersonation, a malicious browser extension, and the abuse of legitimate tools like AutoHotKey. Below, we explore key questions about this attack.
1. Who is UNC6692 and what makes their campaign notable?
UNC6692 is a newly tracked threat group identified by Google Threat Intelligence Group (GTIG). Their campaign, observed in late December 2025, stands out due to its combination of persistent social engineering, a custom modular malware suite, and adept internal pivot maneuvers. Unlike many intrusions that rely on one technique, UNC6692 orchestrated a multi-stage attack that began with overwhelming email campaigns to create distraction, then used Microsoft Teams phishing as a helpdesk impersonator, and ultimately deployed a custom malware suite including a malicious Chromium browser extension named SNOWBELT. The group’s ability to leverage inherent trust in enterprise software providers marks a notable evolution in threat actor behavior.

2. What social engineering tactics did UNC6692 use to gain initial access?
UNC6692 heavily relied on impersonating IT helpdesk employees to convince victims to accept Microsoft Teams chat invitations from external accounts. The campaign began with a large email barrage designed to overwhelm the target, creating a sense of urgency and distraction. Then, the attacker sent a phishing message via Microsoft Teams, posing as helpdesk staff offering assistance with the email volume. This dual-pronged approach—first flooding the victim with emails, then offering a seemingly helpful solution—played on the victim’s trust and cognitive load, making them more likely to click the malicious link provided in the Teams message.
3. How did the infection chain unfold after the victim clicked the link?
Once the victim clicked the link in the Microsoft Teams chat, their browser opened an HTML page hosted on a threat actor-controlled AWS S3 bucket (e.g., service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html). This page prompted the download of a renamed AutoHotKey binary and an AutoHotKey script, both sharing the same filename. According to analysis of execution logs, the AutoHotKey binary ran the script automatically, without any extra command-line arguments, because a script with the same name in the same directory is picked up by default. This execution triggered initial reconnaissance commands and the installation of SNOWBELT, a custom malicious Chromium browser extension not distributed through the Chrome Web Store.
4. What is SNOWBELT and how was it deployed and persisted?
SNOWBELT is a custom malicious Chromium browser extension developed by UNC6692. It was deployed via the initial AutoHotKey script, which created a shortcut to an AutoHotKey script in the Windows Startup folder. That script verified that SNOWBELT was running and that a scheduled task existed. The extension itself was loaded into a headless Microsoft Edge process using the command: cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="..." --headless=new --load-extension="...". Persistence was maintained through both the Startup folder entry and the scheduled task, ensuring SNOWBELT would re-launch even after system reboots.

5. What role did AutoHotKey play in the attack?
AutoHotKey (AHK) is a legitimate automation scripting language for Windows. UNC6692 abused it by delivering a renamed AutoHotKey binary alongside a script with the same name. This allowed the binary to automatically execute the script without extra command-line arguments—a documented AHK behavior. The script performed initial reconnaissance, installed SNOWBELT, and set up persistence mechanisms. Mandiant was unable to recover the initial AHK script, but evidence of its execution was recorded immediately after the downloads, including commands that checked for a headless Edge process and created scheduled tasks.
6. How did UNC6692 maintain persistence and evade detection?
Persistence was established through multiple layers. First, a shortcut to an AutoHotKey script was placed in the Windows Startup folder. This script contained logic to check whether SNOWBELT was already running and whether a scheduled task existed. If not, it would create the task and launch the extension. The scheduled task itself was configured to run the same AHK script periodically. This dual persistence made removal more difficult, because removing either mechanism left the other in place to restore it. Additionally, by using a legitimate tool (AHK) and a browser extension not distributed via official stores, the attackers reduced the likelihood of triggering standard security alerts.
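The three behaviours described in sections 4 to 6 (an AutoHotKey interpreter running under another file name, Edge launched headless with a side-loaded extension, and a scheduled task whose action is an .ahk script) can each be expressed as a rule over process-creation telemetry. The detector below is an added example, not code from GTIG, Mandiant or the report; it assumes Sysmon-style fields (Image, OriginalFileName, CommandLine) and runs over constructed sample events, not data from the intrusion.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not from the report).
EVENTS = [
    {"Image": r"C:\Users\user\Downloads\update.exe",
     "OriginalFileName": "AutoHotkey.exe",          # renamed AHK interpreter
     "CommandLine": r'"C:\Users\user\Downloads\update.exe"'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--user-data-dir="C:\Users\user\AppData\Local\x" --headless=new '
                    r'--load-extension="C:\Users\user\AppData\Local\x\ext"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 10 /tn Updater '
                    r'/tr "C:\Users\user\AppData\Roaming\run.ahk"'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",              # benign interactive launch
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--profile-directory=Default'},
]


def classify(ev):
    """Return the names of all rules that match one process-creation event."""
    hits = []
    image_name = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"].lower()
    original = ev.get("OriginalFileName", "").lower()
    # Rule 1: the PE's embedded original name is AutoHotkey but the file on disk is not.
    if original.startswith("autohotkey") and not image_name.startswith("autohotkey"):
        hits.append("renamed_autohotkey")
    # Rule 2: Edge started headless while side-loading an unpacked extension.
    if image_name == "msedge.exe" and "--headless" in cmd and "--load-extension=" in cmd:
        hits.append("headless_edge_sideloaded_extension")
    # Rule 3: a scheduled task is created whose action points at an .ahk script.
    if image_name == "schtasks.exe" and "/create" in cmd and re.search(r"\.ahk\b", cmd):
        hits.append("schtask_runs_ahk_script")
    return hits


def scan(events):
    """Return (event_index, rule_name) pairs for every match across a batch of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


if __name__ == "__main__":
    for index, rule in scan(EVENTS):
        print(f"event {index}: {rule}")
```

Rule 1 depends on OriginalFileName being populated from the PE version resource, so it does not fire for a binary whose resource section has been stripped; Rule 2 deliberately ignores where the extension lives, since the unpacked-plus-headless combination is itself the unusual signal.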
7. What trends in threat actor behavior does this campaign highlight?
This campaign demonstrates several evolving trends: (1) increased reliance on social engineering via collaboration tools like Microsoft Teams, (2) abuse of legitimate software such as AutoHotKey to bypass detection, (3) use of custom, non-store browser extensions for persistence and data theft, and (4) multi-stage attacks that create confusion before the main payload. UNC6692 also showcased adept internal pivoting once inside the network, though details on that are limited. These trends suggest defenders must monitor not just email but also messaging platforms, and inspect unusual use of automation tools and browser extensions.