Snow Flurries: Inside UNC6692's Social Engineering and Custom Malware Campaign
In late 2025, Google Threat Intelligence Group uncovered a sophisticated multi-stage intrusion campaign attributed to a newly tracked threat actor, UNC6692. This group combined persistent social engineering, a custom modular malware suite, and clever network pivoting to achieve deep penetration into victim environments. Their tactics highlight how attackers exploit trust in enterprise software providers, using impersonation of IT helpdesk staff via Microsoft Teams, followed by deployment of AutoHotKey scripts and a malicious Chromium browser extension called SNOWBELT. Below we answer key questions about this campaign.
Who is UNC6692 and what makes their approach unique?
UNC6692 is a threat group first tracked by Google Threat Intelligence Group. Their campaign stands out due to its heavy reliance on social engineering combined with custom malware. Unlike many attackers who rely on credential theft or exploit kits, UNC6692 impersonated IT helpdesk employees to gain initial access. They sent a large email flood to overwhelm the target, then followed up with a phishing message via Microsoft Teams, posing as the helpdesk and offering assistance. This two-step distraction lowered the victim's guard. The group also deployed a custom modular malware suite, including a malicious browser extension (SNOWBELT) not found on official stores, and used AutoHotKey scripts for execution. Their ability to pivot inside the network after initial compromise showed a sophisticated understanding of enterprise environments.

How did the social engineering attack unfold step by step?
The attack began with a massive email campaign in late December 2025, sending numerous messages to the target to create urgency and distraction. Shortly after, the attacker contacted the victim through Microsoft Teams, pretending to be from the IT helpdesk. They offered to help with the email spam issue and sent a link to install a local patch. The link led to an HTML page hosted on an AWS S3 bucket (service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com). Clicking it downloaded a renamed AutoHotKey binary and a script with the same name. Because AutoHotKey automatically runs a script file that shares its binary's name, execution occurred without any extra command-line arguments. This initiated reconnaissance commands and installed the SNOWBELT browser extension. The social engineering was effective because it exploited the victim's trust in Microsoft Teams and in the fake helpdesk persona.
What role did AutoHotKey play in the infection chain?
AutoHotKey (AHK) was central to the initial compromise. The attacker hosted a renamed AHK binary and a script file with the same name on a controlled AWS S3 bucket. When the victim downloaded and ran the binary, AHK automatically looked for and executed the identically named script in the same directory. This technique required no additional command-line arguments, making it stealthy. The script performed initial reconnaissance commands and then installed SNOWBELT, the malicious Chrome extension. Although Mandiant could not recover the exact script, evidence of AHK execution was recorded immediately after the downloads. Additionally, AHK was used for persistence: a shortcut to an AHK script was placed in the Windows Startup folder, and a scheduled task was created to ensure the script ran repeatedly. The script checked if SNOWBELT was active and if a headless Edge browser process was running, restarting the extension if needed.
What is the SNOWBELT browser extension and how was it installed?
SNOWBELT is a custom malicious Chromium browser extension developed by UNC6692. It was not distributed through the Chrome Web Store, but instead sideloaded onto the victim's machine. After the initial AutoHotKey script ran, it loaded the extension into Microsoft Edge using the --load-extension flag. The persistence mechanism ensured SNOWBELT remained active. The extension likely allowed the attacker to intercept browser data, manipulate web content, or maintain persistent access. SNOWBELT's installation was stealthy because it used a headless Edge process to avoid detection. The AutoHotKey persistence script checked if the extension was running and if not, relaunched Edge with the extension loaded. This multi-layered persistence (startup folder and scheduled task) made removal difficult.

How did the attackers ensure persistence of their tools?
UNC6692 used multiple persistence mechanisms. First, they added a shortcut to the AutoHotKey script in the Windows Startup folder, so the script ran at each user logon. Second, they created a scheduled task that executed the same script. The AHK script itself contained logic to verify that SNOWBELT was running and that the scheduled task existed. If the extension was not active, the script would launch Microsoft Edge in headless mode with the --load-extension parameter pointing to SNOWBELT. This redundancy ensured that even if one persistence method failed (e.g., startup folder removed), the scheduled task would reinstall the extension. The script also checked for a headless Edge process to avoid multiple instances. This robust persistence strategy is typical of advanced threat actors.
What does this campaign reveal about the evolution of social engineering tactics?
UNC6692's campaign shows a clear evolution in social engineering. Attackers are moving beyond simple phishing emails to multi-channel approaches that exploit collaboration tools like Microsoft Teams. By first overwhelming the victim with emails and then offering help via Teams, they mimic a legitimate IT escalation. The use of a familiar platform (Teams) and a trusted role (helpdesk) lowered suspicion. Furthermore, the attackers incorporated custom malware and a browser extension, tools not commonly seen in social engineering intrusions. This combination of psychological manipulation and technical sophistication marks a shift toward more targeted, multi-stage attacks that leverage both human trust and technical subterfuge. Defenders must now educate users about unsolicited Teams contacts and the risks of installing supposed patches from external links.
How can organizations defend against similar campaigns?
To defend against campaigns like UNC6692's, organizations should implement several measures. Train employees to verify any unsolicited IT helpdesk contact via a separate channel (e.g., phone or in person). Disable external chat invitations in Microsoft Teams by default, or allow them only from trusted domains. Use endpoint detection and response (EDR) solutions that can detect unusual AutoHotKey executions or sideloaded browser extensions. Restrict execution of scripts from non-standard directories and monitor for headless browser processes. Implement application control policies to block unauthorized binaries, even if renamed. Finally, conduct regular phishing simulations that include Teams-based scenarios. Given the attackers' use of S3 buckets, ensure web filtering blocks known malicious domains and that users cannot download unknown executables. A layered defense combining user awareness, technical controls, and monitoring is essential.
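The three observables the campaign leaves in process-creation telemetry (a renamed AutoHotKey binary, a headless Edge launched with --load-extension, and a scheduled task pointing into a user-writable directory) can be checked with straightforward rules. The following is an added example, not code from the report or from Google/Mandiant; it assumes Sysmon-style event fields (Image, OriginalFileName, CommandLine) and that a renamed AutoHotKey binary still carries PE metadata whose OriginalFileName begins with "AutoHotkey", and the sample events are constructed.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 style process-creation records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\patch.exe", "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\patch.exe"'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "OriginalFileName": "msedge.exe",
     "CommandLine": r'"msedge.exe" --headless --load-extension="C:\Users\alice\AppData\Local\ext"'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn Updater /tr "C:\Users\alice\AppData\Roaming\upd.exe" /sc minute /mo 5'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "OriginalFileName": "msedge.exe",
     "CommandLine": r'"msedge.exe" --profile-directory=Default'},
]

# Directories an unprivileged user can write to; a scheduled-task action living here is worth a look.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\", re.IGNORECASE)
BROWSERS = {"msedge.exe", "chrome.exe"}


def check_event(ev):
    """Return the list of detection names that fire on one process-creation record."""
    hits = []
    image_name = ntpath.basename(ev["Image"]).lower()
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")
    # Rule 1: the PE metadata survives a rename, so compare it with the on-disk file name.
    # Assumption: the AutoHotKey interpreter's OriginalFileName starts with "autohotkey".
    if original.startswith("autohotkey") and image_name != original:
        hits.append("renamed_autohotkey_binary")
    # Rule 2: a Chromium browser started with a sideloaded extension; headless makes it more suspicious.
    if image_name in BROWSERS and "--load-extension" in cmd.lower():
        hits.append("headless_sideloaded_extension" if "--headless" in cmd.lower() else "sideloaded_extension")
    # Rule 3: schtasks /create whose /tr action lives in a user-writable directory.
    if image_name == "schtasks.exe" and "/create" in cmd.lower():
        m = re.search(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', cmd, re.IGNORECASE)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("scheduled_task_user_writable_path")
    return hits


def analyze(events):
    """Map each event index to the detections it triggered, skipping clean events."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


if __name__ == "__main__":
    for idx, names in analyze(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], names)
```

The fourth sample event (a normal Edge launch) produces no hit, which is the false-positive check a rule like this needs before it goes into an EDR.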