UNC6692's Social Engineering and Malware Campaign: A Q&A Breakdown

Learn about UNC6692's multi-stage campaign using social engineering, AutoHotKey, and the SNOWBELT browser extension to penetrate networks.

Bvoxro Stack · 2026-05-04 08:35:07 · Cybersecurity

In late 2025, Google Threat Intelligence Group (GTIG) uncovered a sophisticated intrusion campaign by a newly tracked threat group, UNC6692. This operation combined persistent social engineering, a custom modular malware suite, and clever network pivoting to achieve deep penetration. The attackers impersonated IT helpdesk staff, exploited trust in enterprise software, and deployed a malicious browser extension. Below, we answer key questions about their tactics, infection chain, and what makes this campaign notable.

1. What was the initial approach used by UNC6692 to target the victim?

UNC6692 began with a large email campaign in late December 2025 designed to overwhelm the target with messages, creating both urgency and distraction. This “email flood” set the stage for the next step: a phishing message sent via Microsoft Teams. The attacker, posing as a helpdesk employee, offered assistance with the excessive email volume. By impersonating a trusted IT support role and leveraging a familiar communication platform (Teams), they lowered the victim’s guard. This two-pronged approach—first flooding, then offering help—demonstrates a keen understanding of social engineering. The goal was to make the victim receptive to clicking a link that would lead to malware installation.

UNC6692's Social Engineering and Malware Campaign: A Q&A Breakdown
Source: www.mandiant.com

2. How did the infection chain unfold after the Teams message?

Once the victim accepted the Teams chat invitation and clicked the offered link, their browser opened an HTML page hosted on a threat actor-controlled AWS S3 bucket: https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=<redacted>.com. This page prompted the user to download a “local patch” to stop email spamming. In reality, it downloaded a renamed AutoHotKey binary (a legitimate automation tool) and an identically named AutoHotKey script from the same S3 bucket. Because the binary and script share the same name, AutoHotKey automatically executes the script without extra command-line arguments. Evidence of AutoHotKey execution was recorded immediately after the download, triggering initial reconnaissance commands and installing the SNOWBELT malicious browser extension.

3. What role did AutoHotKey play in the attack?

AutoHotKey (AHK) is a legitimate scripting language for Windows automation. In this campaign, UNC6692 repurposed it as a delivery mechanism. The attacker renamed a standard AHK binary to match the script file (e.g., both named update or similar). When the user double-clicked the binary, AHK automatically looked for a script with the same name in the same directory and executed it. This technique avoids suspicious command-line arguments that might trigger security alerts. The script then performed initial reconnaissance (e.g., checking system details) and deployed the SNOWBELT Chromium extension. Although Mandiant could not recover the initial script, its effects were observed. By leveraging a trusted, signed binary, the attackers blended in with normal software behavior.

4. What is SNOWBELT and how was it installed?

SNOWBELT is a custom malicious Chromium browser extension—not distributed through the Chrome Web Store. It was installed by the AutoHotKey script after execution. The extension likely captured browser activity, stole credentials, or allowed remote control. For persistence, the attacker added a shortcut to an AutoHotKey script in the Windows Startup folder. This AHK script (CheckHeadlessEdge) verified that SNOWBELT was running and that a scheduled task existed. The script also launched a hidden Edge browser instance with the extension loaded: cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft.... This headless Edge process kept the extension active without a visible window.

5. How did UNC6692 maintain persistence in the victim’s environment?

Persistence was established through multiple, overlapping mechanisms. First, a shortcut to an AutoHotKey script was placed in the Windows Startup folder, ensuring it ran on every user login. Second, a scheduled task was created to re-launch the script periodically. The script itself contained logic to check if headless Edge (with SNOWBELT) was already running: if not, it would start it. The code snippet retrieved from the analysis shows a loop that searches for a specific task and, if found, runs it. After a short sleep, it verifies the headless Edge process is active; if not, it exits to avoid duplicate processes. This layered approach made removal difficult—even if the startup shortcut was deleted, the scheduled task would restore it.
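Two of the observables described in questions 3 to 5 (a renamed AutoHotKey interpreter, and Edge launched with --headless=new plus --load-extension from a user-writable directory) can be turned into simple detection rules over process-creation telemetry. The following Python is an added example, not code from Mandiant or from the report; the events are constructed, Sysmon-style records, and the assumption that AutoHotKey binaries carry an OriginalFileName beginning with "AutoHotkey" is the example's own.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
# Event 0 mirrors the CheckHeadlessEdge launch; the extension path is made up.
EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--user-data-dir="C:\Users\victim\AppData\Local\Microsoft\Edge\System Data" '
                    r'--headless=new --load-extension="C:\Users\victim\AppData\Local\Microsoft\ExtData"'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {"Image": r"C:\Users\victim\Downloads\update.exe",      # renamed AHK interpreter
     "OriginalFileName": "AutoHotkey.exe",                   # assumed PE OriginalFileName
     "CommandLine": r'"C:\Users\victim\Downloads\update.exe"'},
    {"Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",  # legitimate install
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" script.ahk'},
]

# Path fragments that indicate a location a standard user can write to.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "%localappdata%",
                 "%appdata%", "\\users\\public\\", "\\temp\\")

def _base(path):
    """Last component of a Windows path, lower-cased, independent of host OS."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1].lower()

def _switch(cmdline, name):
    """Value of a Chromium --name=value switch with surrounding quotes removed, or None."""
    m = re.search(r'--%s=("([^"]*)"|\S+)' % re.escape(name), cmdline)
    if not m:
        return None
    return m.group(2) if m.group(2) is not None else m.group(1)

def flag_headless_extension(ev):
    """Edge started headless with a sideloaded extension; higher severity if the
    extension lives in a user-writable directory, as in the CheckHeadlessEdge launch."""
    if _base(ev["Image"]) != "msedge.exe":
        return None
    ext = _switch(ev["CommandLine"], "load-extension")
    if ext is None or "--headless" not in ev["CommandLine"].lower():
        return None
    sev = "high" if any(t in ext.lower() for t in USER_WRITABLE) else "medium"
    return f"{sev}: headless Edge sideloading extension from {ext}"

def flag_renamed_ahk(ev):
    """AutoHotKey interpreter whose on-disk name no longer matches its PE metadata."""
    orig = ev.get("OriginalFileName", "").lower()
    if orig.startswith("autohotkey") and not _base(ev["Image"]).startswith("autohotkey"):
        return f"high: renamed AutoHotkey binary {ev['Image']} (OriginalFileName={orig})"
    return None

def scan(events):
    """Run every rule over every event and return the list of findings."""
    return [hit for ev in events for rule in (flag_headless_extension, flag_renamed_ahk)
            if (hit := rule(ev))]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The renamed-binary rule is the generalisation of the page's "both named update" case: any AutoHotKey interpreter that is executed under a different file name, whatever that name is, produces a finding.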

6. What social engineering tactics made this campaign effective?

UNC6692 relied heavily on impersonation and trust exploitation. They posed as IT helpdesk employees—a role with inherent authority and helpful intent. By contacting the victim via Microsoft Teams (an internal-looking communication tool) and offering to fix a real problem (the email flood), they made the request seem legitimate. The use of a genuine-looking Microsoft support page hosted on AWS added credibility. Additionally, the attacker played on the victim’s trust in enterprise software like Microsoft Office and Chromium browsers. The campaign also created a sense of urgency by flooding the inbox, pushing the victim to act quickly without verifying. Combined with the silent, fileless-like deployment via AutoHotKey, these social engineering elements made the intrusion highly effective.

7. What makes this campaign different from other recent intrusions?

While many campaigns use social engineering and malware, UNC6692’s approach shows an evolution in three key areas. First, the social engineering was persistent: not a single phishing email but a coordinated two-step sequence (email flood, then Teams follow-up). Second, the group used custom modular malware, including a bespoke AutoHotKey script and the SNOWBELT Chromium extension, a combination that is not commonly seen; the extension, sideloaded outside the Chrome Web Store, allowed deep browser-level access. Third, the attackers demonstrated deft network pivoting (mentioned in the original report) to move laterally after initial access. The combination of impersonating helpdesk staff, abusing a legitimate scripting tool, and deploying a hidden browser extension represents a sophisticated evolution in threat actor tactics that bypasses many traditional defenses.