2026-05-17 21:17:03

UNC6692’s Social Engineering and Custom Malware: A Deep Dive

UNC6692 used social engineering via Teams and email to deploy custom malware and a browser extension, highlighting evolving threat tactics.

Introduction

In late December 2025, Google Threat Intelligence Group (GTIG) uncovered a sophisticated multi-stage intrusion campaign orchestrated by a newly tracked threat actor, UNC6692. This operation combined persistent social engineering, a custom modular malware suite, and shrewd lateral movement within the victim’s network to establish deep, persistent access. Notably, UNC6692 relied on impersonating IT helpdesk staff, tricking the target into accepting a Microsoft Teams chat invitation from an external account. The campaign represents a notable evolution in tactics—specifically the use of social engineering, bespoke malware, and a malicious browser extension that exploits the victim’s trust in well-known enterprise software providers.

UNC6692’s Social Engineering and Custom Malware: A Deep Dive
Source: www.mandiant.com

Threat Details

UNC6692’s attack began with a large-scale email campaign designed to flood the target’s inbox, creating a sense of urgency and distraction. Shortly afterwards, the attacker sent a phishing message via Microsoft Teams, pretending to be helpdesk personnel offering assistance with the excessive email volume. This two-pronged approach increased the likelihood of the victim complying with further instructions.

Infection Chain

Initial Contact and Lure

The victim was contacted through Microsoft Teams and urged to click a link to install a local patch that would supposedly prevent email spamming. Upon clicking, the user’s browser opened an HTML page hosted on a threat actor-controlled AWS S3 bucket (service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com). The page displayed the description “Microsoft Spam Filter Updates | Install the local patch to protect your account from email spamming.”

Download and Execution

The HTML page triggered the download of a renamed AutoHotKey binary and an AutoHotKey script (both sharing the same name). Because AutoHotKey automatically executes a script file with the same name as its binary in the current directory, no additional command-line arguments were needed. Evidence of AutoHotKey execution appeared immediately after the download, leading to initial reconnaissance commands and the installation of SNOWBELT, a malicious Chromium browser extension not distributed through the Chrome Web Store. Mandiant analysts were unable to recover the initial AutoHotKey script.

Persistence Mechanisms

UNC6692 ensured SNOWBELT persisted in multiple ways. First, a shortcut to the AutoHotKey script was placed in the Windows Startup folder so the script would run at each logon and verify that the extension was present. Additionally, the script created a Scheduled Task that checked for SNOWBELT and re-launched it if needed. The AutoHotKey script included logic to search the Task Scheduler library for that task and, if found, run it and wait ten seconds; if no headless Microsoft Edge session appeared in that time, the script launched Edge itself with the extension loaded:

if !CheckHeadlessEdge(){
   try{
      taskService:=ComObject("Schedule.Service")
      taskService.Connect()
      rootFolder:=taskService.GetFolder("\")
      if FindAndRunTask(rootFolder){
         Sleep 10000
         if CheckHeadlessEdge(){
            ExitApp
         }
      }
   }
   Run 'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft'
}

This command launched Edge in headless mode with the SNOWBELT extension, enabling covert data exfiltration and command execution without visible browser windows.
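The execution and persistence details above (a renamed AutoHotKey binary that runs its same-named script, and Edge launched with --headless=new and --load-extension) translate directly into process-creation hunting rules. The following Python script is an added example, not code from the Mandiant/GTIG report: it applies those rules to a handful of constructed events whose field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, ParentImage). The user name "jdoe" and the file name "SpamFilterPatch.exe" are invented for the sample, not indicators from the campaign.

```python
"""Hunt for the SNOWBELT-style chain in process-creation telemetry: a renamed
AutoHotKey binary, and Edge started headless with a sideloaded extension.
Field names follow Sysmon Event ID 1; the events are constructed samples, not IoCs."""
import re

# Constructed sample events (assumed user "jdoe"; file names invented).
SAMPLE_EVENTS = [
    {   # renamed AutoHotKey binary run from Downloads, spawned by the browser
        "Image": r"C:\Users\jdoe\Downloads\SpamFilterPatch.exe",
        "OriginalFileName": "AutoHotkey64.exe",
        "CommandLine": r'"C:\Users\jdoe\Downloads\SpamFilterPatch.exe"',
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    },
    {   # the renamed binary launches Edge headless with --load-extension
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": (r'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                        r'--user-data-dir="C:\Users\jdoe\AppData\Local\Microsoft\Edge\System Data" '
                        r'--headless=new --load-extension="C:\Users\jdoe\AppData\Local\Microsoft\ext"'),
        "ParentImage": r"C:\Users\jdoe\Downloads\SpamFilterPatch.exe",
    },
    {   # benign: Edge started normally by the user
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "OriginalFileName": "msedge.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # benign: AutoHotKey installed normally and run under its own name
        "Image": r"C:\Program Files\AutoHotkey\v2\AutoHotkey64.exe",
        "OriginalFileName": "AutoHotkey64.exe",
        "CommandLine": r'"C:\Program Files\AutoHotkey\v2\AutoHotkey64.exe" "C:\Users\jdoe\Documents\hotkeys.ahk"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

HEADLESS_RE = re.compile(r"--headless(=\w+)?\b", re.IGNORECASE)
LOAD_EXT_RE = re.compile(r"--load-extension=", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp|Desktop)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_renamed_autohotkey(event: dict) -> bool:
    """PE version info says AutoHotkey, but the file on disk carries another name."""
    original = event.get("OriginalFileName", "")
    return original.lower().startswith("autohotkey") and basename(event["Image"]).lower() != original.lower()


def is_headless_edge_with_extension(command_line: str) -> bool:
    """Edge started without a window and with an extension sideloaded from disk."""
    cl = command_line.lower()
    return "msedge.exe" in cl and bool(HEADLESS_RE.search(cl)) and bool(LOAD_EXT_RE.search(cl))


def analyze(events: list) -> list:
    """Return (event_index, rule_name) findings. Children of a renamed AutoHotKey
    process are flagged too, so the Edge launch is tied back to its origin."""
    findings = []
    suspicious_images = set()
    for i, ev in enumerate(events):
        if is_renamed_autohotkey(ev):
            findings.append((i, "renamed_autohotkey"))
            suspicious_images.add(ev["Image"].lower())
            if USER_WRITABLE_RE.match(ev["Image"]):
                findings.append((i, "autohotkey_from_user_writable_path"))
    for i, ev in enumerate(events):
        if is_headless_edge_with_extension(ev.get("CommandLine", "")):
            findings.append((i, "headless_edge_load_extension"))
        if ev.get("ParentImage", "").lower() in suspicious_images:
            findings.append((i, "child_of_renamed_autohotkey"))
    return findings


if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['Image']}")
```

Two points worth keeping in mind when adapting this. The OriginalFileName check catches the renamed binary regardless of what it was called, which is why it is more durable than matching on a file name. And because the script created its Scheduled Task through the Schedule.Service COM object rather than schtasks.exe, process telemetry will not show the task creation; pair these rules with Windows Security event 4698 (task created) and a periodic listing of the per-user Startup folder to cover the other two persistence paths the article describes.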

Conclusion

The UNC6692 campaign highlights how threat actors continue to refine social engineering techniques, blending them with custom malware and legitimate tools like AutoHotKey and browser extensions. By impersonating enterprise IT support and leveraging multiple persistence methods, UNC6692 achieved deep network penetration. Organizations should reinforce security awareness training, especially around unsolicited Teams invitations and fake patch installations, and monitor for unusual usage of AutoHotKey and scheduled tasks.