UNC6692 Attack Campaign: Social Engineering and Custom Malware Used to Infiltrate Corporate Networks

Breaking: Google TAG Uncovers Multistage Campaign by New Threat Group

Google Threat Intelligence Group (GTIG) has identified a sophisticated intrusion campaign by a newly tracked threat actor, UNC6692, which combines persistent social engineering with a custom modular malware suite to achieve deep network penetration. The campaign demonstrates an alarming evolution in tactics, particularly in exploiting victim trust through impersonation of IT helpdesk employees via Microsoft Teams.

Source: www.mandiant.com

According to GTIG researchers, the attack began in late December 2025 with a large email campaign designed to overwhelm the target and create urgency. The threat actor then sent a phishing message through Microsoft Teams, posing as helpdesk staff offering assistance with the email volume.

Infection Chain: Teams Chat Leads to Malware Deployment

The victim was contacted via Microsoft Teams and prompted to click a link to install a local patch against email spamming. Clicking the link opened an HTML page that downloaded a renamed AutoHotKey binary and script from a threat actor-controlled AWS S3 bucket.

If the binary and script share the same filename, AutoHotKey automatically executes the script. Evidence shows initial reconnaissance commands and installation of SNOWBELT, a malicious Chromium browser extension not available on the Chrome Web Store. Mandiant could not recover the initial AutoHotKey script.

Persistence Mechanisms

UNC6692 established persistence for SNOWBELT through multiple methods. A shortcut to an AutoHotKey script was added to the Windows Startup folder to verify the extension is running, and a Scheduled Task was also created.

The script includes checks to detect Headless Edge browser instances and runs the extension with advanced parameters to evade detection.

Background: A New Threat Actor in a Growing Trend

UNC6692 is a newly tracked group that relies heavily on helpdesk impersonation, a technique also seen in other recent intrusions. The use of custom malware and a browser extension not distributed through official channels marks a significant evolution.

Google TAG attributes the campaign to UNC6692 based on infrastructure and TTPs. The attack leverages inherent trust in enterprise software, including Microsoft Teams and Outlook.

“This campaign shows a concerning evolution in social engineering tactics,” said JP Glab, a threat analyst at Google Threat Intelligence Group. “By combining email flooding, Teams impersonation, and custom malware, UNC6692 has created a highly effective infection chain.”

What This Means for Organizations

Organizations must reinforce verification procedures for IT support requests, even when they come through trusted platforms like Microsoft Teams. The attack highlights the importance of multi-factor authentication and strict controls on external communications.

Additionally, security teams should monitor for AutoHotKey execution and unusual browser extensions. The SNOWBELT extension, while not in official stores, can be loaded locally and persist through startup folders and scheduled tasks.
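To make the monitoring advice above concrete, the following is an added Python example (not code from the report or from Mandiant) that applies those heuristics to constructed Sysmon-style process-creation records: it flags an AutoHotKey binary whose on-disk name differs from its PE OriginalFileName, AutoHotKey launching a script, and an Edge/Chrome process started with a locally loaded extension or in headless mode. The record fields and sample paths are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal subset of a Sysmon Event ID 1 (process creation) record (assumed layout)."""
    image: str               # path of the binary that was executed
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


BROWSERS = {"msedge.exe", "chrome.exe"}
AHK_NAMES = {"autohotkey.exe", "autohotkey32.exe", "autohotkey64.exe"}
LOAD_EXT = re.compile(r"--load-extension[=\s]", re.IGNORECASE)
HEADLESS = re.compile(r"--headless(?:=\w+)?\b", re.IGNORECASE)


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection labels that apply to one event (empty list if none)."""
    hits = []
    image = ntpath.basename(ev.image).lower()
    orig = ev.original_file_name.lower()
    cmd = ev.command_line.lower()
    if orig in AHK_NAMES and image != orig:
        hits.append("renamed-autohotkey")        # binary renamed, version info not
    if orig in AHK_NAMES and ".ahk" in cmd:
        hits.append("ahk-script-exec")           # interpreter given a script to run
    if image in BROWSERS:
        if LOAD_EXT.search(cmd):
            hits.append("sideloaded-extension")  # extension not from the Web Store
        if HEADLESS.search(cmd):
            hits.append("headless-browser")      # hidden browser instance
    return hits


# Constructed sample telemetry modelled on the chain described above; not real data.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\jdoe\AppData\Local\Temp\patch.exe", "AutoHotkey.exe",
              r'"C:\Users\jdoe\AppData\Local\Temp\patch.exe" C:\Users\jdoe\AppData\Local\Temp\patch.ahk',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", "msedge.exe",
              r'"msedge.exe" --headless=new --load-extension="C:\Users\jdoe\AppData\Local\ext"',
              r"C:\Users\jdoe\AppData\Local\Temp\patch.exe"),
    ProcEvent(r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", "msedge.exe",
              r'"msedge.exe" --profile-directory=Default', r"C:\Windows\explorer.exe"),
]


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (image basename, labels) for every event that triggers at least one label."""
    return [(ntpath.basename(e.image), classify(e)) for e in events if classify(e)]
```

Running `scan(SAMPLE_EVENTS)` flags the first two constructed events and leaves the ordinary Edge launch alone; in production the same checks belong in the EDR or SIEM query language rather than a script.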

“Enterprises need to treat every unsolicited helpdesk contact as a potential threat,” added Tufail Ahmed, a senior researcher at Mandiant. “Blocking external Teams chat requests and verifying patches through official channels could have prevented this.”

GTIG recommends immediate review of Active Directory logs, endpoint detection systems, and browser extension policies to detect indicators of compromise associated with UNC6692.
