
2026-05-04 21:02:16

Deceptive Helpdesk: How UNC6692 Exploited Trust to Deliver Custom Malware

UNC6692 used social engineering via Microsoft Teams impersonating IT helpdesk to deploy the SNOWBELT malware suite, highlighting advanced social engineering and custom tools.

In late December 2025, the Google Threat Intelligence Group (GTIG) uncovered a multi-stage intrusion by a newly tracked threat group, UNC6692. The group combined persistent social engineering, a custom modular malware suite, and pivoting within the victim's environment to gain a foothold in the network. The campaign shows an evolution in tradecraft: UNC6692 impersonated IT helpdesk staff over Microsoft Teams, relied on a malicious browser extension rather than a conventional implant, and exploited the trust users place in enterprise software. Below, we break down the key aspects of this campaign as a series of questions and answers.

What is UNC6692 and what methods did they use?

UNC6692 is a newly identified threat group that conducted a coordinated intrusion campaign in late 2025. The group relied primarily on social engineering, impersonating IT helpdesk employees via Microsoft Teams, to talk a victim into downloading a custom malware suite. Its methods began with a large email campaign designed to overwhelm the target, followed by a Teams message offering help with the flood. The malware suite included the SNOWBELT malicious Chromium browser extension, with AutoHotKey scripts used for initial execution and persistence. UNC6692 also showed an ability to pivot within the victim's environment, exploiting the trust placed in familiar enterprise software and the vendors behind it.

Source: www.mandiant.com

How did UNC6692 initiate the social engineering attack?

The attack began with a large email campaign directed at the victim in late December 2025. The emails were meant to create urgency and distraction by flooding the victim's inbox. Shortly afterwards, the attacker contacted the victim via Microsoft Teams, posing as an IT helpdesk employee offering to deal with the email volume. The victim accepted a Teams chat invitation from an account outside their organization; the impersonation traded on the victim's trust in the helpdesk and on the urgency of the inbox problem. The attacker then asked the victim to click a link and install a "local patch" that would supposedly stop the spam, which started the infection chain.

What was the infection chain involving AutoHotKey?

When the victim clicked the link in the Teams message, their browser opened an HTML page hosted in a threat-actor-controlled AWS S3 bucket. The page automatically downloaded two files: a renamed AutoHotKey binary and an AutoHotKey script sharing the same base name. AutoHotKey is a legitimate automation tool, repurposed here for malicious ends. When the AutoHotKey executable is launched with no arguments, it looks in its own directory for a script whose base name matches the executable's and runs it, so no command-line argument was needed to start the script. Renaming the binary does not change its PE version resource, which still identifies the file as AutoHotKey, a detail defenders can use. Evidence showed AutoHotKey ran immediately after the downloads, executing initial reconnaissance commands and installing the SNOWBELT Chrome extension. Mandiant was unable to recover the initial script, but its effects were clear.

What is SNOWBELT and how was it installed?

SNOWBELT is a malicious Chromium browser extension created by UNC6692. It was not distributed through the Chrome Web Store; instead it was sideloaded onto the victim's system by the AutoHotKey script. The extension likely gave the attackers capabilities such as credential theft, session hijacking, or data exfiltration through the browser. Its installation was part of the initial AutoHotKey execution, and its presence was established shortly after the downloads. The extension was designed to operate covertly, exploiting the victim's trust in their browser to monitor or manipulate web activity.

How did SNOWBELT maintain persistence?

SNOWBELT was made persistent through two mutually reinforcing mechanisms. First, a shortcut to an AutoHotKey script was placed in the Windows Startup folder, so the script ran at each user logon. This script checked whether the SNOWBELT extension was still active and whether the required Scheduled Task still existed, and recreated whichever was missing. Specifically, the script looked for a scheduled task in the root of the Task Scheduler library and, if it was absent, launched a headless Microsoft Edge instance with the SNOWBELT extension loaded from a local user data directory. Because each component restored the other, removing only one of them did not clean the host.
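The persistence chain above, and the monitoring advice in the takeaways at the end of this page, translate into three process-creation behaviours worth alerting on: a renamed AutoHotKey interpreter (the PE version resource still names it), a scheduled task created by that interpreter, and a Chromium browser started with an unpacked extension, especially headless. The following is an added example written for this page, not code from Mandiant or GTIG. It runs those heuristics over constructed events whose fields mirror Sysmon Event ID 1 (Image, CommandLine, OriginalFileName, ParentImage). The file names, task name, and directories in the sample events are invented, and the browser switches (--headless, --load-extension, --user-data-dir) are Chromium's standard switches; the incident's actual command line is not reproduced on this page.

```python
"""Heuristics for UNC6692-style AutoHotKey + headless-browser tradecraft.

Added example for this page (not Mandiant/GTIG code). Field names follow
Sysmon Event ID 1; the sample events below are constructed, not incident data.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    image: str               # Sysmon Image: full path of the created process
    command_line: str        # Sysmon CommandLine
    original_file_name: str  # Sysmon OriginalFileName, read from the PE version resource
    parent_image: str        # Sysmon ParentImage


@dataclass(frozen=True)
class Finding:
    event_index: int
    rule: str
    severity: str
    detail: str


CHROMIUM_BROWSERS = {"msedge.exe", "chrome.exe", "chromium.exe", "brave.exe"}
BROWSERS = CHROMIUM_BROWSERS | {"firefox.exe"}
# Chromium switches; the value may be quoted and may list several directories.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.I)
HEADLESS_RE = re.compile(r'(?<!\S)--headless(?:=\S*)?(?!\S)', re.I)
TASK_CREATE_RE = re.compile(r'(?<!\S)/create(?!\S)', re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_autohotkey(ev: ProcEvent) -> bool:
    # Renaming the file on disk does not touch the version resource, so a
    # renamed interpreter still reports OriginalFileName AutoHotkey*.exe.
    return ev.original_file_name.lower().startswith("autohotkey")


def analyze(events) -> list:
    """Return one Finding per suspicious behaviour, in event order."""
    findings = []
    # Pass 1: learn which image names on this host are really AutoHotKey, so
    # children of a renamed interpreter can be attributed in pass 2.
    ahk_images = {basename(ev.image) for ev in events if is_autohotkey(ev)}

    for i, ev in enumerate(events):
        img, parent = basename(ev.image), basename(ev.parent_image)

        if is_autohotkey(ev):
            if img != ev.original_file_name.lower():
                findings.append(Finding(i, "renamed_autohotkey", "high",
                    f"Image {img} has OriginalFileName {ev.original_file_name}"))
            if parent in BROWSERS:
                findings.append(Finding(i, "autohotkey_from_browser", "high",
                    f"AutoHotKey interpreter started by {parent}: a download run straight away"))

        if img == "schtasks.exe" and TASK_CREATE_RE.search(ev.command_line) and parent in ahk_images:
            findings.append(Finding(i, "scheduled_task_from_autohotkey", "high",
                f"schtasks /create launched by {parent}"))

        if img in CHROMIUM_BROWSERS:
            m = LOAD_EXT_RE.search(ev.command_line)
            if m:
                ext_dir = m.group(1) or m.group(2)
                headless = bool(HEADLESS_RE.search(ev.command_line))
                from_ahk = parent in ahk_images
                findings.append(Finding(i, "sideloaded_extension",
                    "high" if (headless or from_ahk) else "medium",
                    f"{img} loads unpacked extension from {ext_dir}"
                    + (", headless" if headless else "")
                    + (f", parent {parent} is AutoHotKey" if from_ahk else "")))
    return findings


# Constructed sample events: every path, file name and task name here is invented.
SAMPLE_EVENTS = [
    # 0: renamed AutoHotKey dropped by the browser and executed immediately
    ProcEvent(r"C:\Users\jdoe\Downloads\SpamFilterUpdate.exe",
              r'"C:\Users\jdoe\Downloads\SpamFilterUpdate.exe"',
              "AutoHotkey.exe",
              r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    # 1: the script registers a logon scheduled task pointing back at itself
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /F /SC ONLOGON /TN "EdgeSync" /TR "C:\Users\jdoe\Downloads\SpamFilterUpdate.exe"',
              "schtasks.exe",
              r"C:\Users\jdoe\Downloads\SpamFilterUpdate.exe"),
    # 2: the script starts headless Edge with the extension from a local profile dir
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new '
              r'--load-extension="C:\Users\jdoe\AppData\Local\EdgeSync\ext" '
              r'--user-data-dir="C:\Users\jdoe\AppData\Local\EdgeSync\profile"',
              "msedge.exe",
              r"C:\Users\jdoe\Downloads\SpamFilterUpdate.exe"),
    # 3: benign, a normally installed AutoHotKey started from Explorer
    ProcEvent(r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
              r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\jdoe\scripts\hotkeys.ahk',
              "AutoHotkey.exe", r"C:\Windows\explorer.exe"),
    # 4: benign, interactive Edge session
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
              "msedge.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.event_index} {f.rule}: {f.detail}")
```

Run against the constructed events, the first three produce four findings and the two benign events produce none. The OriginalFileName check is the important one: a rule keyed only on the file name AutoHotkey.exe would miss the renamed binary entirely, while a rule that fires on every AutoHotKey execution would drown in noise on hosts where it is legitimately installed. The Startup folder shortcut from the text is a file-creation event rather than a process-creation event and would need a separate rule on a different event type.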


What role did the malicious browser extension play?

The malicious browser extension, SNOWBELT, was the primary tool for ongoing access and data collection. Running inside a Chromium browser (here, Microsoft Edge), it could intercept or modify web traffic, steal credentials, and exfiltrate sensitive information. The extension likely rode the victim's authenticated sessions to sidestep multi-factor authentication or to act on the user's behalf. Operating inside a legitimate, signed browser process helped it evade security tools that look for conventional malware binaries, and running headless meant there was no visible browser window for the user to notice.

How did UNC6692 exploit trust in enterprise software?

UNC6692 chose Microsoft Teams and email (Microsoft Outlook) as the attack vectors, exploiting the trust users place in these enterprise tools. By impersonating IT helpdesk staff, they played on the victim's expectation that such assistance arrives through official channels. The "Microsoft Spam Filter Updates" patch download page, hosted on AWS S3, mimicked a legitimate update process. Finally, the malware suite was delivered as a browser extension that looked benign while running inside a trusted browser. This layering of trust made the attack effective: the victim had no reason to doubt the legitimacy of the requests until it was too late.

What are the key takeaways from this campaign?

The UNC6692 campaign underscores the growing sophistication of social engineering attacks. Key takeaways:

1. Impersonating the IT helpdesk over collaboration tools such as Teams is an effective initial access vector, especially when paired with a manufactured problem (here, an email flood) that the "helpdesk" then offers to fix.
2. A custom malware suite built from AutoHotKey scripts and a sideloaded browser extension can be deployed with a single click on a link, with no exploit required.
3. Attackers increasingly abuse legitimate tooling they bring with them (AutoHotKey) and legitimate browser features (unpacked extensions, headless mode) instead of conventional implants, in order to evade detection.
4. Organizations must train employees to verify helpdesk requests through a second channel, and to treat chat invitations from accounts outside the organization with suspicion, even when the request appears urgent.
5. Security teams should monitor for unusual AutoHotKey executions (including renamed binaries), headless browser instances loading extensions from user-writable directories, unexpected scheduled tasks, and new shortcuts in the Startup folder.

This campaign serves as a reminder that trust, once weaponized, can be the most dangerous vulnerability.