Behind the Flurries: UNC6692's Social Engineering and Malware Campaign Exposed
In late 2025, Google Threat Intelligence Group (GTIG) uncovered a sophisticated multi-stage intrusion campaign by a newly tracked threat group known as UNC6692. This group combined persistent social engineering, a custom modular malware suite, and adept network pivoting to achieve deep penetration into a target organization. Their approach mimicked common IT helpdesk scams but added unique twists—like a malicious browser extension and automated scripting—to maintain long-term access. Below, we break down the key tactics and technical details of this operation.
1. What is UNC6692 and what made their campaign unique?
UNC6692 is a newly identified threat group that executed a multi-stage intrusion campaign built on social engineering and custom malware. What set them apart was their use of familiar enterprise tools and platforms to build trust. They impersonated IT helpdesk staff via Microsoft Teams, flooded the victim with email to create urgency, and then offered a fake “patch” to stop the spam. The patch was actually a renamed AutoHotKey interpreter plus a script of the same name, downloaded from an attacker-controlled AWS S3 bucket. The group also deployed SNOWBELT, a malicious Chromium browser extension that was never published to the Chrome Web Store but sideloaded from disk, to maintain persistence and watch the victim’s browsing activity. Their ability to pivot inside the network and blend in with legitimate IT workflows made this campaign particularly dangerous.

2. How did UNC6692 use social engineering to trick the victim?
The social engineering chain began with a large email campaign against the victim in late December 2025. This flood of messages created distraction and urgency, a common psychological lever. Shortly afterwards the attacker contacted the victim via Microsoft Teams, posing as the IT helpdesk and offering help with the email overload. The victim was asked to click a link to install a local patch that would “prevent email spamming.” The link opened an HTML page that triggered the download of a renamed AutoHotKey binary and script from an AWS S3 bucket. By impersonating an internal support channel and exploiting the victim’s frustration with spam, UNC6692 sidestepped awareness training that concentrates on unknown email attachments: the lure arrived over Teams, from what looked like the company’s own helpdesk, and was framed as the remedy for the spam rather than as another suspicious message.
3. What was the initial infection chain involving Microsoft Teams and AutoHotKey?
The infection started when the victim accepted a Microsoft Teams chat invitation from an external account posing as the helpdesk. The attacker then sent a link of the form https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=..., described as a Microsoft Spam Filter update. The bucket name borrows an Outlook-sounding label and the query string tags the recipient, so each victim received an individually addressed lure hosted on a cloud domain that most web filters leave open. Clicking it opened an HTML page that pulled two files from the same bucket: a renamed AutoHotKey interpreter and an AutoHotKey script with the same base name. When an AutoHotKey executable is started with no arguments it looks for a script named after itself (X.exe loads X.ahk) in its own directory, so launching the “patch” ran the script with no further action by the user. Execution was recorded immediately after the download, followed by initial reconnaissance commands and the installation of the SNOWBELT browser extension. The script itself was not recovered, but its effects were clear.
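The delivery link above combines three signals a mail or proxy analyst can score mechanically: a bucket name that borrows a service word, a lure page or payload as the path, and a recipient tag in the query string. The following is an added example for this write-up, not GTIG tooling; the keyword list, the scoring thresholds and the sample links are assumptions, and the query value in the sample is made up (the bucket name is the one quoted in the report).

```python
"""Triage a download link for the delivery pattern in this campaign: an S3 bucket
whose name borrows a corporate service word, a lure page, and a recipient tag.
Added example for this write-up, not GTIG tooling. The keyword list, the
scoring thresholds, and the sample links are assumptions / constructed."""
import re
from urllib.parse import parse_qs, urlparse

# Virtual-hosted style: <bucket>.s3.amazonaws.com or <bucket>.s3.<region>.amazonaws.com
# (also the s3-<region> and s3.dualstack.<region> forms)
S3_VHOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$")
# Path style: s3.amazonaws.com/<bucket>/... or s3.<region>.amazonaws.com/<bucket>/...
S3_PATH = re.compile(r"^s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$")

# Words a "helpdesk" lure is likely to borrow; assumed list, tune per organisation.
SERVICE_WORDS = ("outlook", "office", "microsoft", "o365", "teams", "helpdesk",
                 "servicedesk", "spam", "filter", "patch", "update")
LURE_SUFFIXES = (".html", ".htm", ".exe", ".ahk", ".msi", ".zip", ".iso")


def s3_bucket(url):
    """Return the bucket name for an S3 URL (either addressing style), else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    m = S3_VHOST.match(host)
    if m:
        return m.group("bucket")
    if S3_PATH.match(host):
        first = p.path.lstrip("/").split("/", 1)[0].lower()
        return first or None
    return None


def triage_link(url):
    """Return the bucket, the reasons found, and a verdict for one link."""
    bucket = s3_bucket(url)
    if bucket is None:
        return {"bucket": None, "reasons": [], "verdict": "not-s3"}
    p = urlparse(url)
    reasons = []
    borrowed = [w for w in SERVICE_WORDS if w in bucket]
    if borrowed:
        reasons.append("bucket name borrows service words: " + ", ".join(borrowed))
    if re.search(r"\d{4,}", bucket):
        reasons.append("bucket name carries long digit runs (throwaway naming)")
    path = p.path.lower()
    if path.endswith(LURE_SUFFIXES):
        reasons.append("path ends in a lure or payload type: " + path.rsplit(".", 1)[-1])
    if "email" in parse_qs(p.query):
        reasons.append("query tags the recipient (email=), typical of per-target lures")
    verdict = "suspicious" if len(reasons) >= 2 else ("review" if reasons else "low")
    return {"bucket": bucket, "reasons": reasons, "verdict": verdict}


# Constructed sample: the bucket name is the one quoted in the report, the query value is invented.
LURE = ("https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/"
        "update.html?email=user%40example.com")

if __name__ == "__main__":
    for link in (LURE,
                 "https://s3.amazonaws.com/corp-reports-archive/q3.pdf",
                 "https://intranet.example.com/update.html"):
        print(link, "->", triage_link(link))
```

Run it over proxy or mail-gateway URL logs rather than in isolation: a single hit (a PDF on a plainly named bucket) is normal business traffic, while the report’s link trips all four checks. The bucket name is the stable pivot for blocking and hunting, since the page path and the recipient tag vary per target.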
4. How did the AutoHotKey script work and what was SNOWBELT?
The renamed AutoHotKey interpreter ran whatever script sat next to it under the same base name: that lookup is built into AutoHotKey and needs no command-line arguments. The script itself was not recovered, but its effects included initial reconnaissance commands and the deployment of SNOWBELT, a malicious Chromium browser extension. SNOWBELT was never distributed through the Chrome Web Store, so it went through no store review; it was loaded from disk with the --load-extension command-line flag in a headless Microsoft Edge instance. Its purpose appeared to be monitoring and exfiltrating browser data, potentially including credentials, session tokens, and web traffic. Because the extension lived in its own headless browser process rather than in the user’s everyday profile, closing the normal Edge window did nothing to it; it stayed alive for as long as the scheduled task or the startup script kept that hidden process running.

5. How was SNOWBELT persistence established?
UNC6692 kept SNOWBELT running through two cooperating persistence mechanisms. First, a shortcut to an AutoHotKey script was placed in the Windows Startup folder, so the script ran at every logon. Second, that script checked for a Scheduled Task that launched a headless Microsoft Edge with the SNOWBELT extension loaded. The partially recovered script logic worked as a watchdog: it used the Task Scheduler COM interface to look up a specific task by name and run it, and if the task was missing it started Edge directly with parameters like --user-data-dir="..." --headless=new --load-extension="...". The separate --user-data-dir kept the extension in a private profile, and --headless=new means no window is ever shown, so nothing on screen betrayed the extension while it ran. Because the Startup-folder script recreated the browser process whenever the task was missing, deleting only one of the two mechanisms was not enough; cleanup required checking both the Startup folder and the scheduled tasks.
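Both host-side patterns in sections 3 to 5, the renamed AutoHotKey interpreter and the headless Edge launched with a sideloaded extension from a private profile, show up in process-creation telemetry. The following triage is an added example for this write-up, not GTIG’s tooling; the events are constructed JSON lines whose field names mirror Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, ParentImage), and every path and file name in them is invented.

```python
"""Triage process-creation events for two patterns from the campaign: a renamed
AutoHotKey interpreter and a headless browser started with an unpacked extension.
Added example for this write-up, not GTIG's tooling.  The events are constructed
JSON lines with Sysmon Event ID 1 field names; all paths and names are invented."""
import json
import ntpath
import re

BROWSERS = {"msedge.exe", "chrome.exe"}


def flag_value(cmdline, name):
    """Value of --name=value from a Windows command line (quoted or bare), else None."""
    m = re.search(rf'--{re.escape(name)}=(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def is_headless(cmdline):
    """True for --headless, --headless=new or --headless=old as a whole token."""
    return re.search(r'(?:^|\s)--headless(?:=\w+)?(?=\s|$)', cmdline) is not None


def check_renamed_autohotkey(ev):
    """Rule 1: the PE version resource says AutoHotkey but the file on disk has another
    name.  AutoHotKey then auto-loads <same stem>.ahk from the same folder, so that path
    is the script to collect.  Ahk2Exe-compiled tools keep the same version resource,
    so treat a hit as a lead and look at the parent and the location."""
    orig = (ev.get("OriginalFileName") or "").lower()
    image = ev.get("Image") or ""
    name = ntpath.basename(image).lower()
    if not (orig.startswith("autohotkey") and orig.endswith(".exe")) or name == orig:
        return None
    stem, _ = ntpath.splitext(image)
    return {"rule": "renamed_autohotkey", "image": image,
            "expected_script": stem + ".ahk",
            "parent": ntpath.basename(ev.get("ParentImage") or "").lower()}


def check_headless_extension(ev):
    """Rule 2: a browser launched headless with --load-extension.  --user-data-dir is
    reported because a private profile keeps the extension out of the user's own
    profile.  A parent of svchost.exe is consistent with a Task Scheduler launch."""
    name = ntpath.basename(ev.get("Image") or "").lower()
    cmd = ev.get("CommandLine") or ""
    if name not in BROWSERS or not is_headless(cmd):
        return None
    ext = flag_value(cmd, "load-extension")
    if ext is None:
        return None
    return {"rule": "headless_sideloaded_extension", "browser": name,
            "extension_dir": ext, "user_data_dir": flag_value(cmd, "user-data-dir"),
            "parent": ntpath.basename(ev.get("ParentImage") or "").lower()}


RULES = (check_renamed_autohotkey, check_headless_extension)


def triage(jsonl):
    """Run every rule over each JSON-line event; return the hits in event order."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits.extend(h for h in (rule(ev) for rule in RULES) if h)
    return hits


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # lure binary: the AutoHotKey interpreter saved under a "patch" name, launched from the browser
    {"Image": r"C:\Users\jdoe\Downloads\SpamFilterUpdate.exe", "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\jdoe\Downloads\SpamFilterUpdate.exe"', "ParentImage": EDGE},
    # persistence: headless Edge, private profile, unpacked extension, started by a scheduled task
    {"Image": EDGE, "OriginalFileName": "msedge.exe",
     "CommandLine": (f'"{EDGE}" --user-data-dir="C:\\Users\\jdoe\\AppData\\Local\\svc\\profile" '
                     r'--headless=new --load-extension="C:\Users\jdoe\AppData\Local\svc\ext" about:blank'),
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # benign: interactive Edge started from the shell
    {"Image": EDGE, "OriginalFileName": "msedge.exe",
     "CommandLine": f'"{EDGE}" --profile-directory=Default', "ParentImage": r"C:\Windows\explorer.exe"},
    # benign: AutoHotKey run under its own name by a developer
    {"Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\dev\hotkeys.ahk',
     "ParentImage": r"C:\Windows\explorer.exe"},
])

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Rule 1 keys on the version resource rather than the file name, which is exactly what a rename does not change, and hands the responder the .ahk path to pull. Rule 2 will also fire on legitimate automation (browser test harnesses, PDF renderers) that runs headless with an extension, so filter those by parent process and install path before alerting; the combination of an unexpected --user-data-dir, a parent of svchost.exe, and an extension directory under a user profile is the part to escalate.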
6. What are the key defensive takeaways from this UNC6692 campaign?
This campaign highlights several lessons. First, social engineering over collaboration platforms (Teams, Slack) is increasingly common: users should verify any unsolicited IT help request through a separate channel, and administrators should review external access settings on Teams so that chats from outside tenants are restricted or at least clearly labelled. Second, attackers are leaning on legitimate tools such as AutoHotKey and browser extensions to slip past endpoint detection; application allowlisting (for example AppLocker or WDAC on Windows) and restrictions on script interpreters running from user-writable paths such as Downloads raise the bar. Third, delivery through an attacker-controlled S3 bucket shows that broad cloud-storage domains cannot simply be blocked; block the specific buckets once identified and alert on executable downloads from cloud-storage hostnames that are not on an allowlist. Finally, monitoring for unusual browser launch commands (for example --headless together with --load-extension, or an unexpected --user-data-dir) and auditing the Startup folder and scheduled tasks for entries that start a browser can reveal hidden extension activity. A layered defense combining user training, endpoint controls, and behavioral analytics is what counters this kind of intrusion.