Cybersecurity

Decoding UNC6692: How Social Engineering and Custom Malware Penetrated Enterprise Networks

Posted by u/Tiobasil · 2026-05-05 21:58:55

In late December 2025, Google Threat Intelligence Group (GTIG) uncovered a sophisticated multi-stage intrusion campaign by a newly tracked threat actor, UNC6692. This group combined persistent social engineering with a custom modular malware suite and clever network pivoting to achieve deep penetration into a corporate environment. Below we break down the attack into key questions and answers, covering everything from the initial contact via Microsoft Teams to the deployment of a malicious browser extension.

1. What is UNC6692 and what made this campaign stand out?

UNC6692 is a previously unknown threat group that executed a multi-phase intrusion campaign in late December 2025. Unlike many cyber attacks that rely solely on phishing emails, UNC6692 demonstrated a notable evolution in tactics. The group heavily leveraged social engineering by impersonating IT helpdesk staff through Microsoft Teams, exploiting the victim's inherent trust in enterprise software providers. They employed a custom modular malware suite, including a malicious Chromium browser extension called SNOWBELT, and used AutoHotKey for initial execution and persistence. The campaign also involved a pre-emptive email flood to create urgency and distraction, making the victim more likely to accept help from the fake IT support. This blend of psychological manipulation, custom tooling, and multi-platform persistence marks a significant step up in sophistication.

Decoding UNC6692: How Social Engineering and Custom Malware Penetrated Enterprise Networks
Source: www.mandiant.com

2. How did the attackers use social engineering to trick the victim?

The social engineering scheme unfolded in two phases. First, UNC6692 launched a large email campaign that overwhelmed the target's inbox with spam messages, creating a sense of urgency and frustration. Shortly after, the attacker contacted the victim through Microsoft Teams, posing as a helpdesk employee offering assistance with the email deluge. The message included a link to a supposed 'local patch' that would stop the spam. By impersonating a trusted IT support figure within a platform the victim used daily, the attacker lowered suspicion and increased the likelihood of compliance. This approach mirrors recent trends where threat actors abuse collaboration tools, but UNC6692 added the precursor email barrage to heighten the victim's need for help. The entire interaction played on the victim's trust in both the helpdesk role and Microsoft products.

3. What was the infection chain after the victim clicked the link?

Once the victim clicked the link in the Teams message, their browser opened an HTML page that downloaded two files from a threat actor-controlled AWS S3 bucket. The first was a renamed AutoHotKey binary, and the second was an AutoHotKey script sharing the same name. Because AutoHotKey automatically runs a script if the binary and script file share the same name and are in the same directory, no extra command-line arguments were needed. Execution of AutoHotKey then triggered initial reconnaissance commands and installed the SNOWBELT Chrome extension. The extension was loaded locally (not from the Chrome Web Store) and used a headless Edge browser instance for persistence. The attackers used the file host URL "service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html" to masquerade as a legitimate Microsoft update service.

4. What was the SNOWBELT browser extension and how did it function?

SNOWBELT was a malicious Chromium-based browser extension developed by UNC6692. Because it was not distributed through the Chrome Web Store, it had to be loaded manually via developer mode or through a script. The extension likely intercepted browser data, redirected traffic, or maintained access by monitoring user activity. Mandiant was unable to recover the initial AutoHotKey script that installed SNOWBELT, but subsequent analysis of artifacts showed that the extension was launched with a headless Edge process using special command-line flags: --headless=new --load-extension="...". This approach allowed the malware to run invisibly, collecting information or acting as a backdoor without raising alerts. The extension also tied into the persistence mechanism, ensuring it restarted even after system reboots.


5. What persistence mechanisms did UNC6692 use?

UNC6692 established persistence in multiple ways. First, a shortcut to an AutoHotKey script was added to the Windows Startup folder, ensuring the script ran every time the user logged in. This script checked whether SNOWBELT was still active and that a corresponding scheduled task existed. If the extension was missing, the script relaunched it. Second, a scheduled task was created, likely under the "Schedule.Service" COM object, to run the same check on a regular basis. The AutoHotKey script code recovered by researchers shows a function that verifies the task and runs a headless Edge browser if needed. This redundancy made it difficult to remove the malware permanently. The group clearly invested in robust persistence to maintain long-term access to the compromised network.
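Worth turning the behaviour in questions 3 to 5 into something you can actually hunt with. The script below is an added example, not code from the Mandiant/GTIG report or from this post, and it is not the actor's script. It runs three rules over constructed Sysmon-style events: an AutoHotKey interpreter executing under a different file name (the version resource keeps its OriginalFileName even when the binary on disk is renamed), a Chromium-family browser started with --headless and --load-extension (an extension loaded from disk rather than installed from the store), and a .lnk or .ahk file written into the Startup folder. Assumptions: the field names mirror Sysmon Event ID 1 and Event ID 11, AutoHotKey's OriginalFileName starts with "AutoHotkey" (verify against the builds you actually have), and every path, user name and event in the sample set is constructed.

```python
"""Added example (not from the Mandiant/GTIG report or the post above): three detection
rules for the UNC6692 tradecraft described in questions 3-5, run over constructed
Sysmon-style events.

Assumptions: event fields mirror Sysmon Event ID 1 (process create) and Event ID 11
(file create); AutoHotKey's PE version-resource OriginalFileName starts with "AutoHotkey"
(check against the builds in your own estate); all sample paths and events are constructed.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Per-user Startup folder path fragment, compared case-insensitively against a full path.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
CHROMIUM_BROWSERS = {"msedge.exe", "chrome.exe"}
# --load-extension=<path>, with or without quotes around the path.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class Event:
    kind: str                      # "process_create" or "file_create"
    image: str = ""                # on-disk path of the executable
    original_file_name: str = ""   # OriginalFileName from the PE version resource
    command_line: str = ""
    target_filename: str = ""      # file_create only


def is_autohotkey(ev: Event) -> bool:
    return ev.original_file_name.lower().startswith("autohotkey")


def check_renamed_autohotkey(ev: Event):
    """Rule 1: the AutoHotKey interpreter running under a different file name.
    Renaming the binary does not change its version resource, so OriginalFileName
    still says AutoHotkey while the image name does not."""
    if ev.kind != "process_create" or not is_autohotkey(ev):
        return None
    on_disk = PureWindowsPath(ev.image).name
    if on_disk.lower().startswith("autohotkey"):
        return None
    return f"AutoHotKey running as {on_disk} (OriginalFileName={ev.original_file_name})"


def check_headless_sideloaded_extension(ev: Event):
    """Rule 2: a Chromium-family browser started headless with --load-extension,
    i.e. an extension loaded from disk instead of installed from the store."""
    if ev.kind != "process_create":
        return None
    if PureWindowsPath(ev.image).name.lower() not in CHROMIUM_BROWSERS:
        return None
    if "--headless" not in ev.command_line.lower():
        return None
    match = LOAD_EXT_RE.search(ev.command_line)
    if not match:
        return None
    ext_path = match.group(1) or match.group(2)
    return f"headless browser sideloading extension from {ext_path}"


def check_startup_folder_drop(ev: Event):
    """Rule 3: a shortcut or AutoHotKey script written into the Startup folder."""
    if ev.kind != "file_create":
        return None
    target = ev.target_filename.lower()
    if STARTUP_MARKER in target and target.endswith((".lnk", ".ahk")):
        return f"new Startup folder item {ev.target_filename}"
    return None


RULES = {
    "renamed_autohotkey": check_renamed_autohotkey,
    "headless_sideloaded_extension": check_headless_sideloaded_extension,
    "startup_folder_drop": check_startup_folder_drop,
}


def scan(events):
    """Return (event index, rule name, detail) for every rule that fires."""
    findings = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append((idx, name, detail))
    return findings


# Constructed sample telemetry: two benign events, then three modelled on the campaign.
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe",
          r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
    Event("process_create", r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "AutoHotkey.exe",
          r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\alice\Scripts\hotkeys.ahk'),
    # Renamed interpreter launched with no script argument: the script shares its base name.
    Event("process_create", r"C:\Users\alice\Downloads\update.exe", "AutoHotkey.exe",
          r'"C:\Users\alice\Downloads\update.exe"'),
    Event("process_create", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "msedge.exe",
          r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --load-extension="C:\Users\alice\AppData\Local\Temp\ext"'),
    Event("file_create",
          target_filename=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
]

if __name__ == "__main__":
    for idx, name, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {detail}")
```

The legitimately named AutoHotkey.exe running a script from a user folder passes rule 1 on purpose: the signal is the name mismatch, not AutoHotKey itself, which keeps the rule quiet in shops that use it for automation. Rule 2 fires on the flag pair the post quotes; a normal interactive Edge or Chrome launch has neither flag.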

6. How is UNC6692's approach different from previous social engineering campaigns?

While many threats use IT helpdesk impersonation, UNC6692’s campaign is notable for its multi-step orchestration. They didn't just send a single phishing Teams message; they first saturated the victim with spam to create a believable pretext. They also combined a custom AutoHotKey payload with a browser extension—a rare pairing. The use of AutoHotKey, a legitimate Windows scripting tool, helps evade detection because the binary is trusted. Similarly, loading a Chrome extension outside the Web Store bypasses normal review controls. Furthermore, the attackers hosted their files on AWS S3, using a convincing subdomain that included "outlook" and "service-page" to appear authentic. This blend of psychological manipulation, legitimate tool abuse, and cloud hosting shows an advanced, adaptive threat actor.

7. What can organizations learn from the UNC6692 campaign?

To defend against such attacks, organizations should strengthen IT helpdesk verification procedures—require employees to confirm support requests via a secondary channel. Implement advanced email filtering to detect large-scale spam bursts that may precede social engineering. Restrict installation of browser extensions from outside official stores, and monitor for atypical AutoHotKey executions or headless browser instances. Finally, educate users about the urgency-distraction tactic and encourage them to report unusual Teams messages or support offers. UNC6692 shows that attackers will exploit trust in collaboration tools just as readily as email, so a layered defense combining technology, policy, and training is essential.
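On the "detect large-scale spam bursts" point, here is what that check looks like in practice. This is an added example written for this post, not code from the report or from any mail product: it counts messages per recipient in a sliding time window and alerts only when the volume comes from many distinct senders, which is what separates a subscription-bomb style flood from one chatty system that happens to send a lot. Assumptions: the log line format "<ISO-8601 time> recipient=<addr> sender=<addr>" is a constructed stand-in for whatever your gateway exports, the thresholds are illustrative defaults, and all addresses and timestamps are constructed.

```python
"""Added example (not from the report or the post): detecting the precursor spam flood
described in question 2 by counting messages per recipient in a sliding time window.

Assumptions: the log format "<ISO-8601 time> recipient=<addr> sender=<addr>" is a
constructed stand-in for a mail gateway export; the thresholds are illustrative defaults;
all addresses and timestamps are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(?P<ts>\S+) recipient=(?P<rcpt>\S+) sender=(?P<sender>\S+)$")


def parse_line(line: str):
    """Return (timestamp, recipient, sender) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["rcpt"].lower(), m["sender"].lower()


def detect_bursts(lines, threshold=20, window=timedelta(minutes=10), min_senders=10):
    """Alert once per recipient when at least `threshold` messages from at least
    `min_senders` distinct senders arrive within `window`.

    The distinct-sender floor keeps a single noisy source (build notifications,
    monitoring) from tripping a plain volume threshold.
    Returns {recipient: (time_detected, message_count, distinct_senders)}."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)              # recipient -> deque of (timestamp, sender)
    alerts = {}
    for ts, rcpt, sender in events:
        q = recent[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:   # drop messages that fell out of the window
            q.popleft()
        if rcpt in alerts:
            continue
        senders = {s for _, s in q}
        if len(q) >= threshold and len(senders) >= min_senders:
            alerts[rcpt] = (ts, len(q), len(senders))
    return alerts


def _line(ts: datetime, rcpt: str, sender: str) -> str:
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} recipient={rcpt} sender={sender}"


def build_sample_log():
    """Constructed gateway log: a flood against alice from many list servers, a noisy
    single-source CI mailbox for carol, and bob's ordinary mail."""
    t0 = datetime(2025, 12, 29, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):   # 40 messages in under 7 minutes from 25 distinct senders
        lines.append(_line(t0 + timedelta(seconds=10 * i), "alice@example.com",
                           f"noreply@list{i % 25}.example"))
    for i in range(30):   # 30 messages from one sender: volume alone is not enough
        lines.append(_line(t0 + timedelta(seconds=15 * i), "carol@example.com", "ci@example.com"))
    for i in range(3):
        lines.append(_line(t0 + timedelta(minutes=20 * i), "bob@example.com",
                           f"colleague{i}@example.com"))
    lines.append("malformed line that the parser skips")
    return lines


if __name__ == "__main__":
    for rcpt, (when, count, senders) in detect_bursts(build_sample_log()).items():
        print(f"{rcpt}: {count} messages from {senders} senders by {when.isoformat()}")
```

Run against the constructed log, only alice is flagged, at the twentieth message a little over three minutes in; carol's CI mailbox sees more volume than the threshold but from one sender, so it stays quiet unless you lower min_senders. Tune both numbers against a week of your own gateway data before wiring the alert to the helpdesk, since the useful output here is a heads-up to the recipient's support queue that the next "IT" contact may not be IT.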