Inside the Snow Flurries Campaign: UNC6692's Deceptive Social Engineering and Custom Malware
In late 2025, Google Threat Intelligence Group uncovered a sophisticated intrusion campaign by a new threat actor tracked as UNC6692. This multi-stage attack combined persistent social engineering, a custom modular malware framework, and clever lateral movement to achieve deep network compromise. By impersonating IT helpdesk staff and exploiting trust in Microsoft Teams, the attackers tricked victims into installing malware via AutoHotKey scripts and a malicious Chromium browser extension named SNOWBELT. Below are key questions and detailed answers about this operation.
What is UNC6692 and what was the Snow Flurries campaign?
UNC6692 is a newly tracked threat group identified by Google Threat Intelligence Group (GTIG) in late December 2025. The group orchestrated a campaign, internally dubbed Snow Flurries, that combined social engineering with custom malware to infiltrate organizations. Attackers used a large email flood to overwhelm targets, then followed up with a Microsoft Teams message posing as IT helpdesk support. This distraction tactic led victims to download a patch that actually delivered a malware suite. The campaign showcased advanced tactics, including the use of a custom AutoHotKey script and a browser extension for persistent access. UNC6692 leveraged victims' trust in enterprise software providers to bypass traditional security controls, achieving deep network penetration through careful pivoting.

How did UNC6692 use social engineering to initiate the attack?
Social engineering was the cornerstone of the Snow Flurries campaign. First, the attackers sent a barrage of spam emails to the victim, creating confusion and urgency. Then, via Microsoft Teams, an attacker posing as a helpdesk representative contacted the victim, offering assistance with the email deluge. This impersonation played on the victim's inherent trust in corporate helpdesk processes. The attacker instructed the victim to click a link to install a local patch to stop the spamming. The link led to a malicious HTML page hosted on an AWS S3 bucket, which downloaded the malware. By mimicking legitimate support workflows and using a trusted collaboration platform, UNC6692 exploited both psychological and technical vulnerabilities, making the victim an unwitting participant in their own compromise.
What was the infection chain involving AutoHotKey?
The infection chain began when the victim clicked the Teams link, which opened an HTML page that silently downloaded a renamed AutoHotKey binary and an identically named script file from threat actor-controlled AWS S3 storage. AutoHotKey, a legitimate automation tool, has a feature where if the executable and script share the same name in the same directory, the script runs automatically. Evidence showed AutoHotKey execution immediately after download, with the script performing initial reconnaissance and deploying the SNOWBELT Chromium extension. Although Mandiant could not recover the initial script, it confirmed the process. The attacker used a phishing email subject about Microsoft Spam Filter Updates to lure victims. The AWS S3 path reflected the fake update service name, further convincing the user of authenticity.
What is SNOWBELT and how did it achieve persistence?
SNOWBELT is a malicious Chromium browser extension deployed by UNC6692, but not distributed through the Chrome Web Store. It was loaded directly by the AutoHotKey script into a headless Edge browser instance. To maintain persistence, the attackers used multiple methods. First, a shortcut to an AutoHotKey script was added to the Windows Startup folder, ensuring SNOWBELT launched at every boot. Additionally, the AutoHotKey script checked for a scheduled task and created one to re-run the extension if missing. The code snippet from the campaign shows the script verifying the extension is running and using the Windows Task Scheduler API to find and execute the task. This dual persistence technique ensured consistent access even if one method was removed.
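For defenders, the three host artifacts described in the two answers above (an AutoHotKey binary sitting beside a same-named .ahk script, a Startup-folder shortcut to an .ahk script, and a scheduled task that re-launches the extension) can be hunted for directly. The following PowerShell is an added example written for this page, not code from GTIG or from the campaign; the search roots, the PE ProductName check, and the assumption that the headless Edge instance was launched with the Chromium --load-extension switch are all assumptions to tune for your environment.

```powershell
# Added hunting script (not from the GTIG report). Assumptions: search roots below,
# AutoHotkey identified via PE version info, extension loaded via --load-extension.
function Find-SnowFlurriesArtifacts {
    $roots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP)   # assumed search scope

    # 1. Renamed AutoHotkey binary next to an identically named .ahk script:
    #    the auto-run pairing the dropper relies on.
    $pairs = foreach ($exe in Get-ChildItem -Path $roots -Recurse -Filter '*.exe' -File -ErrorAction SilentlyContinue) {
        $product = $exe.VersionInfo.ProductName
        if ($product -and $product -match 'AutoHotkey') {
            $script = Join-Path $exe.DirectoryName ($exe.BaseName + '.ahk')
            if (Test-Path $script) {
                [pscustomobject]@{ Indicator = 'exe/ahk pair'; Path = $exe.FullName; Detail = $script }
            }
        }
    }

    # 2. Startup-folder shortcuts (per-user and all-users) whose target or arguments
    #    reference an .ahk script.
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    $links = foreach ($lnk in Get-ChildItem -Path $startupDirs -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        $cmd = "$($sc.TargetPath) $($sc.Arguments)"
        if ($cmd -match '\.ahk') {
            [pscustomobject]@{ Indicator = 'startup lnk'; Path = $lnk.FullName; Detail = $cmd }
        }
    }

    # 3. Scheduled tasks whose action runs an .ahk script or side-loads an unpacked
    #    browser extension (the --load-extension switch is an assumption, not from the page).
    $tasks = foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match '\.ahk' -or $cmd -match '--load-extension') {
                [pscustomobject]@{ Indicator = 'scheduled task'; Path = "$($t.TaskPath)$($t.TaskName)"; Detail = $cmd }
            }
        }
    }

    # Wrap each result set in @() so empty sets concatenate cleanly.
    return @($pairs) + @($links) + @($tasks)
}

Find-SnowFlurriesArtifacts | Format-Table -AutoSize
```

Any hit should be treated as a lead rather than a verdict: legitimate AutoHotKey deployments produce the same exe/.ahk pairing, so correlate with Teams message history and S3 download activity from the same host.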

How did UNC6692 exploit trust in enterprise software?
The campaign targeted trust in several enterprise tools. By using Microsoft Teams for contact and framing the malware as a Microsoft Spam Filter Update, attackers leveraged brand recognition to lower suspicion. The HTML page and download link were crafted to mimic official Microsoft update procedures. Additionally, the attackers abused AutoHotKey, a legitimate Windows automation utility, to execute their malicious script. The SNOWBELT extension, while not from the Chrome Web Store, was loaded in a way that resembled legitimate browser management. This multifaceted exploitation of trust made the attack particularly effective, as victims believed they were taking recommended actions to solve a problem, not introducing malware.
What tactics made the Snow Flurries campaign unique?
The Snow Flurries campaign stands out due to its integration of social engineering, custom malware, and browser extension deployment. Unlike many attacks that rely on a single method, UNC6692 blended a phishing email wave with live Teams impersonation, creating a sense of urgency that reduced user caution. The use of AutoHotKey as a dropper is not common and allowed the attackers to run reconnaissance commands stealthily before deploying the SNOWBELT extension. The extension itself provided persistent remote access and could intercept browser data. Finally, the group's ability to pivot inside the victim's network after initial compromise demonstrated advanced lateral movement skills. This combination of psychological manipulation, custom code, and platform abuse represents an evolution in threat actor capabilities.