
7 Critical Steps in the UNC6692 Social Engineering Attack: A Deep Dive

Breakdown of the UNC6692 attack: 7 steps from email overload to deep network penetration, highlighting social engineering, AutoHotKey abuse, and SNOWBELT browser extension.

Casino88 · 2026-05-07 08:57:19 · Cybersecurity

Introduction

In late December 2025, Google Threat Intelligence Group (GTIG) uncovered a sophisticated multi-stage intrusion campaign by a newly tracked threat actor, UNC6692. This group leveraged persistent social engineering, a custom modular malware suite, and deft internal pivoting to achieve deep network penetration. The attack stands out for its evolution in tactics—blending impersonation of IT helpdesk staff, abuse of trusted collaboration tools, and deployment of a malicious browser extension. Below, we break down the seven critical steps that defined this campaign, revealing how each phase contributed to the breach.

7 Critical Steps in the UNC6692 Social Engineering Attack: A Deep Dive
Source: www.mandiant.com

1. Initial Email Overload to Create Distraction

UNC6692 began by flooding the target’s inbox with a massive volume of emails. This wasn't a random spam blast but a carefully orchestrated campaign designed to overwhelm and create a sense of urgency. The victim, likely already managing a heavy workload, encountered a flood of messages that made it difficult to distinguish legitimate communications. This distraction served a dual purpose: it primed the victim to accept help from anyone offering to resolve the chaos, and it masked the attacker’s follow‑up phishing attempt. The sheer scale of the email campaign also increased the likelihood that the victim would overlook security warnings or anomalous requests. Understanding this initial step is crucial because it highlights how attackers use psychological pressure before any malware is deployed.

2. Helpdesk Impersonation via Microsoft Teams

After the email barrage, the attacker sent a phishing message through Microsoft Teams, posing as IT helpdesk personnel. The message offered assistance with the email volume, exploiting the victim’s trust in both the helpdesk role and the familiar Teams interface. Crucially, the attacker initiated the chat from an account outside the victim’s organization—a red flag that the victim overlooked amid the distraction. The tone was crafted to appear helpful and urgent, typical of social engineering tactics. This step exemplifies how UNC6692 weaponized a legitimate collaboration platform to bypass email‑based phishing filters. The conversation then transitioned to a request that the victim click a link to install a “local patch” to stop the spamming. No malware had been delivered yet; the attacker relied solely on persuasion.

3. The Deceptive Link to a Fake Update

Clicking the link in the Teams message led the victim to an HTML page hosted on an Amazon Web Services S3 bucket: service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html. The page masqueraded as a Microsoft Spam Filter Update, displaying instructions to “Install the local patch to protect your account from email spamming.” In reality, it triggered the download of two files: a renamed AutoHotKey binary and an AutoHotKey script, both bearing the same name. The attacker cleverly configured the S3 bucket to serve these files without authentication, making the download appear routine. This step shows the technical execution of the social engineering: a credible‑looking update page that delivered the initial malware payload. The use of a legitimate cloud service (AWS) made the URL less suspicious to security tools.

4. AutoHotKey Abuse for Payload Execution

AutoHotKey (AHK) is a legitimate scripting language for Windows automation, but UNC6692 repurposed it for malicious execution. The downloaded binary and script shared the same filename—a key detail. When the AutoHotKey interpreter is started with no command‑line arguments, it looks in its own directory for a script whose base name matches the executable's (the binary's name with a .ahk extension) and runs it automatically. This allowed the attacker to run the script silently as soon as the download was opened, with no extra arguments that would stand out in process telemetry. Evidence of AHK execution was recorded shortly after the download, triggering initial reconnaissance commands and the installation of the custom malware. Although Mandiant could not recover the initial script, its effects were clear: it launched a series of actions leading to deeper compromise. Because the AHK interpreter is a trusted signed binary, this technique can slip past application whitelisting, and the same‑name trick means no further user interaction is needed to start the script.

5. Installation of the SNOWBELT Browser Extension

One of the script’s primary actions was to install a malicious Chromium browser extension named SNOWBELT. This extension was not distributed through the Chrome Web Store, making it harder to detect. SNOWBELT was loaded into a headless Microsoft Edge instance that used a custom user‑data directory, so it left no traces in the user's normal browser profile. The extension gave the attacker persistent access to browser sessions, enabling data exfiltration, credential theft, and man‑in‑the‑browser attacks. Because it operated in headless mode, it consumed minimal system resources and evaded casual inspection. The extension’s capabilities were part of a broader custom malware suite that UNC6692 deployed, demonstrating a modular approach to post‑exploitation. SNOWBELT turned the browser into a stealthy command‑and‑control channel.
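The two artifacts described in steps 4 and 5, an AutoHotKey interpreter running under another name and a headless Edge instance started with a non-default profile, are both visible in process-creation telemetry. The following is an added example, not code from this article or from Mandiant/GTIG: a detection pass over process-creation events shaped like Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine, ProcessId, ParentProcessId), which is an assumption about the reader's telemetry. The sample events are constructed, and the --load-extension switch is an assumption about how a non-store extension would be sideloaded; the article only says SNOWBELT ran in headless Edge with a custom user-data directory. The rules are generalized to Chrome as well as Edge, and a browser spawned by the renamed interpreter is escalated because it matches the step 4 to step 5 chain.

```python
"""Detection pass for renamed AutoHotKey interpreters and headless browsers
loading a sideloaded extension. Added example; the events are constructed and
the field names follow Sysmon Event ID 1 (an assumption about your telemetry)."""
from typing import Dict, List, Optional

# Chromium-based browsers that accept --headless / --load-extension.
BROWSER_IMAGES = {"msedge.exe", "chrome.exe"}
# Switches that, combined with --headless, signal a detached browser profile.
EXTENSION_SWITCHES = ("--load-extension", "--user-data-dir")


def _basename(path: str) -> str:
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_renamed_autohotkey(event: Dict) -> Optional[str]:
    """Flag a process whose PE version info says AutoHotKey but whose file name does not.

    Sysmon copies OriginalFileName from the PE version resource, which survives a
    rename of the executable (the article's 'renamed AutoHotKey binary')."""
    original = event.get("OriginalFileName", "").lower()
    image = _basename(event.get("Image", ""))
    if original.startswith("autohotkey") and not image.startswith("autohotkey"):
        return f"AutoHotKey interpreter renamed to {image} (OriginalFileName={original})"
    return None


def flag_headless_browser(event: Dict) -> Optional[str]:
    """Flag a headless Chromium browser that also loads an extension or a custom profile."""
    if _basename(event.get("Image", "")) not in BROWSER_IMAGES:
        return None
    cmd = event.get("CommandLine", "").lower()
    if "--headless" not in cmd:
        return None
    switches = [s for s in EXTENSION_SWITCHES if s in cmd]
    if not switches:
        return None
    return "headless browser started with " + ", ".join(switches)


RULES = (("renamed_ahk", flag_renamed_autohotkey), ("headless_browser", flag_headless_browser))


def analyze_events(events: List[Dict]) -> List[Dict]:
    """Run every rule over every event; escalate when the parent is a renamed AHK."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for event in events:
        for rule_name, rule in RULES:
            detail = rule(event)
            if detail is None:
                continue
            parent = by_pid.get(event.get("ParentProcessId"))
            parent_is_ahk = parent is not None and flag_renamed_autohotkey(parent) is not None
            findings.append({
                "pid": event["ProcessId"],
                "rule": rule_name,
                # A browser launched by the renamed interpreter matches the step 4 -> 5 chain.
                "severity": "high" if parent_is_ahk else "medium",
                "detail": detail,
            })
    return findings


# Constructed sample events (not real telemetry). Paths, names and PIDs are invented.
SAMPLE_EVENTS = [
    {"ProcessId": 3020, "ParentProcessId": 1200,
     "Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Scripts\hotkeys.ahk'},
    {"ProcessId": 4120, "ParentProcessId": 1200,
     "Image": r"C:\Users\alice\Downloads\update.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\update.exe"'},
    {"ProcessId": 4400, "ParentProcessId": 1200,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {"ProcessId": 5308, "ParentProcessId": 4120,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless'
                    r' --user-data-dir=C:\Users\alice\AppData\Local\Temp\sb'
                    r' --load-extension=C:\Users\alice\AppData\Local\Temp\sb\ext'},
]

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding)
```

Matching on OriginalFileName rather than on the on-disk name is what catches the renamed interpreter; the legitimately installed AutoHotkey.exe in the first sample event is not flagged, while the Downloads copy with the same version resource is. The escalation rule is deliberately narrow: a headless Edge with a custom profile on its own is only medium, since developers and test runners legitimately start browsers that way.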


6. Persistence Through Startup and Scheduled Tasks

To ensure SNOWBELT and the underlying AHK script persisted across reboots, UNC6692 used a dual‑persistence mechanism. First, a shortcut to the AutoHotKey script was added to the Windows Startup folder, so it ran whenever the user logged in. Second, a Scheduled Task was created that checked whether the headless Edge process (running SNOWBELT) was active. The AutoHotKey script contained logic to verify if the task existed and if the headless Edge session was running; if not, it relaunched everything. This double‑layered persistence increased resilience: even if one method was removed, the other could restore functionality. The script used COM objects to interact with the Task Scheduler service, demonstrating technical sophistication. Attackers often rely on multiple persistence mechanisms to maintain access, and UNC6692 followed that playbook effectively.
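The dual persistence described in step 6 can be checked against Task Scheduler XML exports and a listing of the user's Startup folder. What follows is an added example, not code from this article or from Mandiant/GTIG. It assumes task definitions exported with schtasks /Query /TN <name> /XML (the standard Task Scheduler schema and namespace), assumes the caller has already resolved .lnk shortcut targets in the Startup folder, and uses constructed task XML and startup entries whose command lines follow the headless-Edge pattern from steps 4 and 5 rather than anything the article quotes.

```python
"""Triage of the two persistence mechanisms from step 6: a Startup-folder shortcut
to the AHK script and a Scheduled Task that (re)launches headless Edge.
Added example; the task XML and startup entries below are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used by Task Scheduler XML exports (schtasks /Query /TN <name> /XML).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Substrings in a task action that match the UNC6692 pattern from steps 4 to 6.
SUSPICIOUS_MARKERS = ("--headless", ".ahk", "autohotkey", "--load-extension")
# Directories a standard user can write to; Startup shortcuts into them deserve a look.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\")


def inspect_task_xml(xml_text: str) -> List[Dict]:
    """Return one record per <Exec> action whose command line contains a marker."""
    root = ET.fromstring(xml_text)
    logon_trigger = root.find(".//t:Triggers/t:LogonTrigger", TASK_NS) is not None
    hits = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        line = f"{command} {arguments}".lower()
        markers = [m for m in SUSPICIOUS_MARKERS if m in line]
        if markers:
            hits.append({"command": command, "arguments": arguments,
                         "markers": markers, "logon_trigger": logon_trigger})
    return hits


def inspect_startup_entries(entries: List[Dict]) -> List[Dict]:
    """Flag Startup-folder items that are AHK scripts or point into user-writable dirs.

    Each entry is {"name": <file in the Startup folder>, "target": <resolved path>};
    resolving .lnk targets is assumed to have been done by the caller."""
    flagged = []
    for entry in entries:
        name = entry["name"].lower()
        target = entry.get("target", "").lower()
        reasons = []
        if name.endswith(".ahk") or target.endswith(".ahk"):
            reasons.append("launches an AutoHotKey script")
        if any(d in target for d in USER_WRITABLE_DIRS):
            reasons.append("target lives in a user-writable download/temp directory")
        if reasons:
            flagged.append({"name": entry["name"], "target": entry.get("target", ""),
                            "reasons": reasons})
    return flagged


# Constructed task export: logon-triggered relaunch of headless Edge with a sideloaded extension.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Command>
      <Arguments>--headless --user-data-dir=C:\Users\alice\AppData\Local\Temp\sb --load-extension=C:\Users\alice\AppData\Local\Temp\sb\ext</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison (invented vendor updater).
SAMPLE_BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Example Vendor\updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed Startup-folder listing with shortcut targets already resolved.
SAMPLE_STARTUP_ENTRIES = [
    {"name": "Example Vendor Tray.lnk", "target": r"C:\Program Files\Example Vendor\tray.exe"},
    {"name": "update.lnk", "target": r"C:\Users\alice\Downloads\update.ahk"},
]

if __name__ == "__main__":
    for doc in (SAMPLE_TASK_XML, SAMPLE_BENIGN_TASK_XML):
        print(inspect_task_xml(doc))
    print(inspect_startup_entries(SAMPLE_STARTUP_ENTRIES))
```

Reviewing both locations together matters because, as the article notes, each mechanism restores the other: cleaning only the Startup shortcut leaves the task to relaunch headless Edge at the next logon, and deleting only the task leaves the script to recreate it. The logon_trigger field is carried through so an analyst can see at a glance that the task fires on user sign-in rather than on a schedule.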

7. Deep Network Pivoting and Impact

With an initial foothold and persistent access through SNOWBELT, UNC6692 pivoted deeper into the victim’s network. The malware suite included modules for lateral movement, credential harvesting, and data exfiltration. The attacker exploited trust relationships and misconfigured permissions to move from the workstation to servers and domain controllers. The campaign’s final goal appeared to be intelligence gathering—likely targeting sensitive corporate or government data. The use of a browser extension allowed the attacker to hijack authenticated web sessions, bypassing multifactor authentication in some cases. This deep penetration underscores the danger of social engineering combined with custom malware. The impact extended beyond data loss; it also compromised the victim’s trust in internal communications and helpdesk procedures.

Conclusion

The UNC6692 campaign illustrates a dangerous evolution in social engineering: attackers now combine psychological manipulation with technical precision. From the initial email flood to the deployment of a custom browser extension, each step was designed to exploit human trust and system weaknesses. Understanding these seven steps helps defenders recognize red flags—unsolicited Teams messages from external accounts, unexpected update pages from cloud storage, and unusual AutoHotKey executions. Organizations should train employees to verify helpdesk contacts through alternate channels, restrict AutoHotKey usage, and monitor for headless browser instances. The threat group may have been newly tracked, but their tactics are a stark reminder that attackers continuously refine their methods. Staying ahead requires not only technical defenses but also a culture of skepticism toward seemingly helpful requests.
