10 Things You Need to Know About UNC6692's Snow Flurries Campaign

In late December 2025, a new threat group tracked as UNC6692 launched a sophisticated multistage intrusion campaign that combined relentless social engineering with custom malware. Dubbed Snow Flurries, the operation leveraged impersonated IT helpdesk calls, a distraction email blitz, and a modular toolset—including a malicious Chromium browser extension—to achieve deep network penetration. Below are the ten critical aspects of this campaign that every security professional should understand.

1. The Setup: A Distraction Email Blitz

UNC6692 began by flooding the target with a large volume of emails. This wasn't random spam; it was a calculated distraction designed to create urgency and overwhelm the victim. By burying the user in messages, the attackers hoped the target would be more likely to accept help from anyone offering a quick fix. The sheer volume also made it harder for the victim to spot the malicious signal amid the noise.

[Image: 10 Things You Need to Know About UNC6692's Snow Flurries Campaign. Source: www.mandiant.com]

2. The Hook: A Trusted Microsoft Teams Request

After the email deluge, the attacker sent a phishing message through Microsoft Teams. They posed as a helpdesk team member, offering assistance with the email overload. Critically, the message came from an account outside the victim's organization, yet the impersonation was convincing enough to be accepted. This social engineering step relied on the inherent trust users place in corporate chat tools and the perceived legitimacy of an IT support role.

3. The Lure: A Fake 'Local Patch' Download

The Teams message prompted the victim to click a link to install a local patch that would supposedly stop the email spamming. When clicked, the browser opened an HTML page hosted on an AWS S3 bucket (s3.us-west-2.amazonaws.com). This page eventually triggered the download of two files: a renamed AutoHotKey binary and an identically named AutoHotKey script.

4. AutoHotKey: The Silent Execution Engine

The renamed AutoHotKey binary was designed to automatically run the script file in the same directory—no command-line arguments needed. This technique evades detection because AutoHotKey is a legitimate tool often used for automation. Execution logs showed the script ran immediately after download, launching initial reconnaissance commands and installing the primary payload: the SNOWBELT Chromium extension.

5. The Payload: SNOWBELT, a Malicious Browser Extension

SNOWBELT is a custom Chromium browser extension, not distributed through the Chrome Web Store. It likely monitored browser activity, captured credentials, and provided persistent access. Because extensions run in the browser context, they can bypass many traditional security controls. Mandiant could not recover the initial AutoHotKey script, but the extension's functionality suggests a focus on data theft and command execution.

6. Persistence Through Startup Folder

To maintain access, UNC6692 added a shortcut to an AutoHotKey script in the Windows Startup folder. This ensured that every time the victim logged in, the script would run and verify that SNOWBELT was active. The script also checked for a scheduled task as a secondary persistence mechanism, making removal more difficult.


7. Persistence via Scheduled Tasks

In addition to the startup folder, a scheduled task was created to launch the AutoHotKey script at system boot. The script contained logic (visible in a decompiled snippet) that searched the Windows Task Scheduler for an existing task and, if found, ran it. This dual persistence approach—startup and scheduled task—gave the attacker redundancy and resilience against cleanup.

8. Headless Edge: Stealthy Command Channel

The AutoHotKey script also executed a headless instance of Microsoft Edge with a custom user data directory and the SNOWBELT extension loaded. Headless browsers run without a visible window, making them harder for users to detect. This headless Edge session likely served as a covert channel for command and control (C2) communication, allowing the attacker to issue commands without raising suspicion.

9. Pivoting Inside the Victim's Network

Once inside, UNC6692 used the compromised endpoint to pivot deeper into the network. The combination of the malicious extension, AutoHotKey scripts, and C2 channels enabled lateral movement. The attackers demonstrated expertise in exploiting trusted relationships and enterprise tools to escalate privileges and access sensitive data.

10. Lessons Learned: Defending Against Snow Flurries

This campaign highlights the need for user awareness of out-of-band helpdesk impersonation, strict policies on external Teams chat acceptance, and monitoring of unusual AutoHotKey executions. Organizations should also restrict the use of headless browser processes and enforce extension whitelisting. The Snow Flurries intrusion underscores that even trusted software can be weaponized when social engineering is done right.
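The monitoring this section calls for can be expressed as simple process-creation rules covering the tradecraft from sections 4, 7 and 8: an AutoHotKey interpreter running under another file name with no script argument, a scheduled task whose action is an .ahk script, and a headless Edge/Chrome instance with a side-loaded extension. The code below is an added example, not Mandiant's tooling or anything from the report; the log format, the file names (LocalPatch.exe/.ahk, the task name) and the assumption that the browser was started with the standard --headless, --user-data-dir and --load-extension switches are all constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str          # path of the new process
    original_name: str  # OriginalFileName from the PE version resource, as Sysmon Event ID 1 records it
    cmdline: str        # full command line

def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Image=...|OriginalFileName=...|CommandLine=...' record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["Image"], fields["OriginalFileName"], fields["CommandLine"])

def check_event(ev: ProcEvent) -> list[str]:
    """Apply the three Snow Flurries process rules to one event; an empty list means no match."""
    findings = []
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    cmd = ev.cmdline.lower()
    args = re.sub(r'^(?:"[^"]*"|\S+)\s*', "", cmd)  # drop the (possibly quoted) program token
    # Rule 1: version info still says AutoHotkey but the file name differs; with no script
    # argument the interpreter runs the same-named .ahk sitting beside it (section 4).
    if ev.original_name.lower().startswith("autohotkey"):
        if not exe.startswith("autohotkey"):
            findings.append("renamed AutoHotkey interpreter")
        if not args:
            findings.append("AutoHotkey started with no script argument (same-named .ahk implied)")
    # Rule 2: Edge/Chrome headless with a side-loaded, non-store extension (assumed switch names, section 8).
    if exe in ("msedge.exe", "chrome.exe") and "--headless" in cmd and "--load-extension=" in cmd:
        findings.append("headless browser with side-loaded extension")
    # Rule 3: a scheduled task whose action is an AutoHotkey script (section 7).
    if exe == "schtasks.exe" and "/create" in cmd and ".ahk" in cmd:
        findings.append("scheduled task created to run an AutoHotkey script")
    return findings

# Constructed sample events: paths and names are illustrative, not indicators from the report.
SAMPLE_LOG = r"""
Image=C:\Users\victim\Downloads\LocalPatch.exe|OriginalFileName=AutoHotkey.exe|CommandLine="C:\Users\victim\Downloads\LocalPatch.exe"
Image=C:\Program Files\AutoHotkey\AutoHotkey.exe|OriginalFileName=AutoHotkey.exe|CommandLine="C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Tools\remap.ahk
Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|OriginalFileName=msedge.exe|CommandLine="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --user-data-dir=C:\Users\victim\AppData\Local\Temp\prof --load-extension=C:\Users\victim\AppData\Local\Temp\ext
Image=C:\Windows\System32\schtasks.exe|OriginalFileName=schtasks.exe|CommandLine=schtasks.exe /create /tn Updater /sc onstart /tr C:\Users\victim\AppData\Roaming\LocalPatch.ahk
"""

def scan(log: str) -> list[tuple[str, list[str]]]:
    # Return (image, findings) for every event that triggers at least one rule.
    hits = []
    for ev in map(parse_event, log.strip().splitlines()):
        findings = check_event(ev)
        if findings:
            hits.append((ev.image, findings))
    return hits
```

The second sample line (the real AutoHotkey.exe started with an explicit script) and a headless Edge run without --load-extension produce no findings, which keeps ordinary automation and PDF-rendering uses out of the alert stream.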

Conclusion: The UNC6692 campaign is a stark reminder that attackers continue to blend social engineering with custom malware in ever-more-creative ways. By understanding each stage—from the email deluge to the headless Edge backdoor—defenders can better prepare their detection and response strategies. Stay vigilant, and always verify unsolicited IT support requests.
