
UNC6692 Breaches Networks via Fake Helpdesk Calls and Custom Malware Suite – Urgent Warning Issued

Last updated: 2026-05-11 18:32:10 · Cybersecurity

Google Threat Intelligence Group (GTIG) has uncovered a sophisticated multi-stage intrusion campaign by a newly tracked threat actor, UNC6692. The group leveraged persistent social engineering, a custom modular malware suite, and internal network pivoting to achieve deep penetration into enterprise systems. The attack chain, which began in late December 2025, relied on impersonating IT helpdesk employees to trick victims into installing remote access tools and a malicious browser extension.

“This campaign shows a worrying evolution in social engineering tactics, particularly the abuse of enterprise collaboration tools like Microsoft Teams and the use of custom AutoHotKey-based malware,” said JP Glab, a threat analyst at GTIG. “UNC6692 preyed on the victim’s trust in familiar software and support workflows.”

Infection Chain

According to Mandiant’s report, the attack began with a large email campaign designed to overwhelm the target’s inbox and create a sense of urgency. Shortly after, the attacker contacted the victim via Microsoft Teams, posing as helpdesk staff offering assistance.

[Figure. Source: www.mandiant.com]

The victim was prompted to click a link to install a “local patch” to stop email spamming. Clicking the link opened an HTML page hosted on a malicious AWS S3 bucket (https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html). The page delivered a renamed AutoHotKey binary and a corresponding script file.

When the binary is named identically to a script in the same directory, AutoHotKey automatically executes that script without extra arguments. Mandiant observed immediate reconnaissance commands and the installation of SNOWBELT, a custom Chromium browser extension not available on the Chrome Web Store. The initial AutoHotKey script could not be recovered.

Persistence Mechanisms

Persistence for SNOWBELT was established through multiple methods. A shortcut to the AutoHotKey script was placed in the Windows Startup folder; that script checks that the extension is running. Additionally, a scheduled task was created to re-launch the extension if needed.

[Figure. Source: www.mandiant.com]

The extension runs inside a headless Edge browser instance launched under the user’s profile with the --load-extension flag, which lets the attackers silently monitor or manipulate web traffic.
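The three behaviours described in the Infection Chain and Persistence sections (a renamed AutoHotKey binary launching a same-named script, a headless Edge started with --load-extension, and scheduled-task or Startup-folder persistence) all leave traces in process-creation telemetry. The following Python triage script is an added example, not code from the article or from Mandiant; the event records and all file paths, task names and user names in it are constructed, and the field names (image, original file name, command line, parent image) are modelled on Sysmon ProcessCreate events as an assumption about the log source.

```python
"""Triage constructed process-creation events for the UNC6692 tradecraft
described in the article.  Added example; events and paths are made up."""
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str               # full path of the executable that started
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str = ""


# Per-user Startup folder suffix (lower-cased for substring matching).
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def expected_sibling_script(image: str) -> str:
    """AutoHotKey runs '<stem>.ahk' next to a binary named '<stem>.exe' with
    no arguments, so this is the script path a responder should collect."""
    directory, filename = ntpath.split(image)
    stem, _ = ntpath.splitext(filename)
    return ntpath.join(directory, stem + ".ahk")


def classify(ev: ProcEvent) -> list:
    """Return (rule, severity) pairs that match this event."""
    findings = []
    image = _base(ev.image)
    cmd = ev.command_line.lower()
    orig = ev.original_file_name.lower()

    # 1. AutoHotKey interpreter whose on-disk name differs from its
    #    version-resource name: a renamed binary (tune for AHK variants).
    if orig.startswith("autohotkey") and image != orig:
        findings.append(("renamed_autohotkey", "high"))

    # 2. Chromium browser loading an unpacked extension from disk;
    #    headless plus --load-extension is the SNOWBELT pattern.
    if image in {"msedge.exe", "chrome.exe"} and "--load-extension" in cmd:
        findings.append(("unpacked_extension_load",
                         "high" if "--headless" in cmd else "medium"))

    # 3. Scheduled task creation (re-launch persistence).
    if image == "schtasks.exe" and "/create" in cmd:
        findings.append(("scheduled_task_created", "medium"))

    # 4. Anything touching the user's Startup folder (shortcut persistence).
    if STARTUP_DIR in cmd:
        findings.append(("startup_folder_reference", "medium"))
    return findings


def triage(events: list) -> list:
    return [(ev.image, rule, sev) for ev in events for rule, sev in classify(ev)]


# Constructed sample telemetry: four suspicious events, two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\alice\Downloads\update\Update.exe", "AutoHotkey.exe",
              r'"C:\Users\alice\Downloads\update\Update.exe"', r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new '
              r'--load-extension="C:\Users\alice\AppData\Local\Temp\ext"',
              r"C:\Users\alice\Downloads\update\Update.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
              r'schtasks.exe /create /tn "EdgeUpdateCheck" /sc onlogon '
              r'/tr "C:\Users\alice\Downloads\update\Update.exe"',
              r"C:\Users\alice\Downloads\update\Update.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              r'cmd.exe /c copy Update.lnk "C:\Users\alice\AppData\Roaming\Microsoft'
              r'\Windows\Start Menu\Programs\Startup\Update.lnk"',
              r"C:\Users\alice\Downloads\update\Update.exe"),
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
              r'--profile-directory=Default https://intranet.example.internal/',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "AutoHotkey.exe",
              r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" "C:\Scripts\hotkeys.ahk"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, rule, sev in triage(SAMPLE_EVENTS):
        print(f"{sev:6} {rule:26} {image}")
        if rule == "renamed_autohotkey":
            print("       collect:", expected_sibling_script(image))
```

The rules are deliberately narrow: a renamed interpreter is flagged by comparing the on-disk name with the PE version resource rather than by hashing, so a freshly compiled AutoHotKey build is still caught, and the extension rule scores headless plus --load-extension higher than either alone because legitimate developers rarely combine them on a user workstation.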

Background: UNC6692

UNC6692 is a newly tracked threat group that appears to target enterprise environments, particularly those with remote workforces. The group specializes in social engineering, leveraging trusted communication platforms like Microsoft Teams to impersonate IT support.

The use of AutoHotKey, a legitimate automation tool, allows UNC6692 to bypass traditional antivirus detection. The custom SNOWBELT extension further enhances their ability to steal credentials and exfiltrate data.

What This Means

This campaign highlights a persistent and adaptive threat vector that exploits human trust in corporate IT processes. Organizations must educate employees to verify helpdesk requests through alternate channels, even if they appear legitimate.

Security teams should monitor for unsolicited Microsoft Teams messages from external accounts, especially those offering “patches” or “updates.” The use of AutoHotKey and browser extensions not from official stores should be restricted or flagged for review.

Mandiant advises immediate implementation of application allowlisting and enhanced logging for Windows scheduled tasks and startup items. For more details, see the full infection chain above.