Gbuck12
2026-05-03
Cybersecurity

The Snow Flurries Campaign: How UNC6692 Exploited Trust to Deploy a Modular Malware Suite

UNC6692 used social engineering via Teams and email floods to deliver AutoHotKey malware and the SNOWBELT browser extension, achieving deep network compromise.

Introduction

In late December 2025, Google Threat Intelligence Group (GTIG) uncovered a sophisticated multi-stage intrusion campaign attributed to a newly tracked threat actor, UNC6692. The operation relied heavily on persistent social engineering, a custom modular malware toolkit, and seamless lateral movement within the victim's environment to achieve deep network compromise. This campaign, dubbed "Snow Flurries" by researchers, marks an interesting shift in attacker tradecraft—particularly the fusion of social engineering with a custom browser extension and AutoHotKey-based payloads to abuse inherent trust in enterprise software.

The Snow Flurries Campaign: How UNC6692 Exploited Trust to Deploy a Modular Malware Suite
Source: www.mandiant.com

Attack Flow Overview

The attack chain begins with a barrage of emails designed to overwhelm the target, followed by a fraudulent Microsoft Teams message from someone posing as IT helpdesk staff. The attacker offers help with the email storm and directs the victim to click a link to install a local spam filter patch. That link leads to an HTML page hosted on an attacker-controlled AWS S3 bucket, which in turn downloads a renamed AutoHotKey binary and a corresponding script file with the same name.

Because AutoHotKey automatically executes any script that shares its filename in the current directory, the malware runs without needing any command-line arguments. Execution logs show immediate reconnaissance commands and the installation of SNOWBELT, a malicious Chromium browser extension that is not distributed via the official Chrome Web Store.

Social Engineering Techniques

UNC6692's modus operandi mirrors other recent intrusions where attackers impersonate IT helpdesk employees. By initiating contact through Microsoft Teams from an external account, the threat actor exploits the victim's trust in both the helpdesk role and the Teams platform. The initial email flood creates urgency and frustration, making the victim more likely to accept the fake assistance.

Technical Breakdown

Infection Chain Details

The malicious link provided in the Teams chat points to:

https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=<redacted>.com

with the description "Microsoft Spam Filter Updates | Install the local patch to protect your account from email spamming". This HTML page initiates the download of the AutoHotKey binary and script. Researchers were unable to recover the initial AutoHotKey script, but observed its execution immediately after download.

Persistence Mechanisms

SNOWBELT maintains persistence through two primary methods:

  • Startup Folder: A shortcut to the AutoHotKey script is placed in the Windows Startup folder, ensuring the malware runs at every user logon.
  • Scheduled Task: The script also verifies that a scheduled task is present. If found, it waits and checks whether a headless Edge browser process (used by the SNOWBELT extension) is running; if not, it terminates itself.

Below is a reconstructed snippet of the AutoHotKey script's persistence logic:

; AutoHotkey v2 syntax. CheckHeadlessEdge() and FindAndRunTask() are helpers
; defined elsewhere in the script (not recovered here).
if !CheckHeadlessEdge() {                          ; no headless Edge process running yet
   try {
      taskService := ComObject("Schedule.Service") ; Task Scheduler COM interface
      taskService.Connect()
      rootFolder := taskService.GetFolder("\")
      if FindAndRunTask(rootFolder) {              ; scheduled task present: trigger it
         Sleep 10000                               ; give the task 10 s to start Edge
         if CheckHeadlessEdge() {                  ; task started Edge, this copy exits
            ExitApp
         }
      }
   }
   ; Otherwise start headless Edge directly and side-load the extension
   ; (command line truncated here as in the original):
   Run 'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft

Custom Malware Suite

Beyond SNOWBELT, UNC6692 deployed a full custom modular malware suite. This suite enables the threat actor to execute commands remotely, exfiltrate data, and pivot to other systems within the network. The modularity allows the attackers to tailor their payloads to the victim's environment, minimizing detection and maximizing impact.


Implications and Evolution

The Snow Flurries campaign demonstrates a clear evolution in threat actor behavior. By combining traditional social engineering with novel technical components like AutoHotKey abuse and a malicious browser extension, UNC6692 bypassed common security controls. The use of a legitimate Windows tool (AutoHotKey) for malicious purposes complicates detection, as does the installation of a browser extension that operates outside official app stores.

Organizations should consider defensive measures such as restricting external Teams invitations, monitoring for AutoHotKey executions triggered by downloads, and auditing browser extensions for unauthorized installations. User awareness training that specifically highlights this type of helpdesk impersonation is also critical.

Defensive Recommendations

  • Restrict External Teams Communications: Configure Microsoft Teams to block or flag external chat invitations unless approved by IT.
  • Monitor for AutoHotKey Usage: Deploy detection rules for AutoHotKey processes launched from non-standard locations, especially with script files in the same directory.
  • Audit Browser Extensions: Use endpoint detection and response (EDR) tools to inventory all installed browser extensions and alert on any not obtained from the Chrome Web Store or Microsoft Edge Add-ons.
  • User Training: Conduct phishing simulations that include Teams-based social engineering and reinforce that IT helpdesk will never ask users to install software via external chat links.
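As an added illustration of the two behaviours described above (the renamed AutoHotKey binary auto-loading its same-named script, and the headless Edge launch that side-loads the extension), here is a small triage routine over constructed Sysmon-style process-creation events. This is example code, not from the GTIG report or the actor's tooling; field names follow Sysmon Event ID 1 and all paths and file names are hypothetical.

```python
"""Added example (not from the report): flag process-creation events that
look like a renamed AutoHotKey interpreter started with no script argument,
or Edge started headless with a side-loaded unpacked extension."""
import os
import re

# Constructed sample events with hypothetical paths (not real telemetry).
EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\spamfilter-patch.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\spamfilter-patch.exe"'},
    {"Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\tools\hotkeys.ahk'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": (r'msedge.exe --user-data-dir="C:\Users\alice\AppData\Local\x" '
                     r'--headless=new --load-extension="C:\Users\alice\AppData\Local\ext"')},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r"msedge.exe --profile-directory=Default"},
]

# Per-user locations where a downloaded, renamed interpreter would typically land.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)\\", re.I)

def is_renamed_ahk_autoload(event):
    """Renamed AutoHotKey binary (PE original name still AutoHotkey.exe) in a
    user-writable path, started with no arguments, so it loads <name>.ahk beside it."""
    if event.get("OriginalFileName", "").lower() != "autohotkey.exe":
        return False
    image = event["Image"]
    renamed = os.path.basename(image).lower() != "autohotkey.exe"
    args = event["CommandLine"].replace(f'"{image}"', "", 1).strip()
    return renamed and bool(USER_WRITABLE.search(image)) and args == ""

def is_headless_edge_sideload(event):
    """Edge started headless, with an unpacked extension and its own profile directory."""
    if event.get("OriginalFileName", "").lower() != "msedge.exe":
        return False
    cl = event["CommandLine"].lower()
    return all(flag in cl for flag in ("--headless", "--load-extension=", "--user-data-dir="))

def triage(events):
    """Return (rule name, image path) pairs for every event matching a rule."""
    rules = {"renamed_autohotkey_autoload": is_renamed_ahk_autoload,
             "headless_edge_extension_sideload": is_headless_edge_sideload}
    return [(name, e["Image"]) for e in events for name, rule in rules.items() if rule(e)]
```

Both checks are deliberately narrow; in production they would be joined with the parent-process and download-origin context (browser parent, Zone.Identifier mark) that the EDR already records.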

Conclusion

UNC6692's Snow Flurries campaign is a stark reminder that attackers continue to innovate, blending psychological manipulation with technical sophistication. The use of AutoHotKey for initial payload delivery and a custom browser extension for persistence creates a multi-faceted threat that can evade traditional defenses. By understanding the specific tactics, techniques, and procedures (TTPs) employed—such as the link between the email flood and Teams message—security teams can better prepare for similar attacks.