
Behind the Snow Flurries: The Anatomy of UNC6692's Social Engineering Campaign

In late 2025, a newly tracked threat group known as UNC6692 orchestrated a multi-stage intrusion campaign that blended persistent social engineering with custom modular malware. As identified by the Google Threat Intelligence Group (GTIG), the attack began with a deluge of emails to overwhelm the target, followed by a convincing Microsoft Teams message from a fake IT helpdesk. The victim was tricked into downloading a script that executed a malicious browser extension called SNOWBELT. This campaign stands out for its clever use of trusted enterprise platforms—Teams, Chrome, and AWS—to bypass defenses. Below, we unpack the key tactics, tools, and lessons from this operation through a detailed Q&A.

What is UNC6692 and why is this campaign significant?

UNC6692 is a newly tracked threat group that executed a highly coordinated intrusion campaign in late December 2025. Its significance lies in the combination of social engineering, custom malware, and a novel browser extension delivery method. Unlike many attacks that rely on a single exploit, UNC6692 orchestrated a multi-stage chain: first overwhelming the victim with emails, then sending a phishing message via Microsoft Teams impersonating IT support, and finally deploying a custom AutoHotKey script to install the malicious extension SNOWBELT. The group also established persistence through Windows Startup shortcuts and scheduled tasks. This level of sophistication—especially the use of a browser extension not distributed through official stores—marks an evolution in how attackers blend social engineering with technical malware deployment to achieve deep network penetration.

Source: www.mandiant.com

How did the attackers use social engineering to initiate the attack?

Social engineering was the cornerstone of UNC6692's initial compromise. First, the group launched a large email campaign aimed at overwhelming the victim with messages, creating urgency and distraction. Shortly after, an attacker posing as an IT helpdesk employee contacted the victim via Microsoft Teams chat—from an account outside the organization. The fake helpdesk offered assistance with the email spam and provided a link to install a "local patch" to stop the flooding. This tactic exploits inherent trust in corporate communication tools and the victim's desire to resolve a disruptive issue. By impersonating a trusted role during a moment of stress, UNC6692 lowered the victim's guard, making them more likely to click the malicious link without scrutiny.

What was the infection chain and how did AutoHotKey play a role?

The infection chain began when the victim clicked the link from the Teams message, which opened an HTML page hosted on an AWS S3 bucket. This page triggered the download of two files: a renamed AutoHotKey binary and an AutoHotKey script with the same name. AutoHotKey is a legitimate automation tool, but here it was weaponized. When the binary and script share a name in the same directory, AutoHotKey automatically executes the script without extra arguments. Evidence shows that immediately after download, the script ran reconnaissance commands and installed the malicious browser extension SNOWBELT. Although Mandiant was unable to recover the initial script, the use of AutoHotKey allowed the attackers to execute arbitrary payloads while appearing benign—a clever evasion technique that bypasses many security controls focusing on executable files.
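The same-name layout described above leaves a recognizable footprint on disk. The following PowerShell hunt is an added example, not code from the Mandiant/GTIG report: it finds AutoHotKey binaries by their embedded version info (which survives a rename) and checks for a sibling `.ahk` script with the same base name. The scan roots are an assumed starting point for a user-download scenario.

```powershell
# Added hunting snippet (not from the Mandiant/GTIG report): find renamed AutoHotKey
# binaries via version info and flag a same-named .ahk script beside them, which is
# the layout AutoHotKey auto-executes without arguments. Scan roots are an assumption.
param(
    [string[]]$ScanRoots = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA")
)

$hits = foreach ($exe in Get-ChildItem -Path $ScanRoots -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue) {
    $vi = $exe.VersionInfo
    # ProductName/FileDescription come from the PE resource, not the file name,
    # so a binary renamed to something innocuous still identifies itself here.
    if ("$($vi.ProductName) $($vi.FileDescription)" -notmatch 'autohotkey') { continue }

    $siblingScript = Join-Path $exe.DirectoryName ($exe.BaseName + '.ahk')
    [pscustomobject]@{
        Binary        = $exe.FullName
        Renamed       = ($exe.BaseName -notmatch '^autohotkey')
        SiblingScript = (Test-Path -LiteralPath $siblingScript)
        LastWrite     = $exe.LastWriteTime
    }
}

# Either signal alone is worth a look; both together match the chain described above.
$hits | Where-Object { $_.Renamed -or $_.SiblingScript } | Format-Table -AutoSize
```

A legitimately installed AutoHotKey under Program Files will not appear unless you add that path to the scan roots, which keeps the output focused on user-writable locations.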

What is SNOWBELT and how was it installed and persisted?

SNOWBELT is a malicious Chromium browser extension that was not distributed through the Chrome Web Store, making it harder to detect. It was installed by the AutoHotKey script after initial reconnaissance. To ensure persistence, the attackers used multiple methods. First, a shortcut to an AutoHotKey script was added to the Windows Startup folder; this script verified that SNOWBELT was running and that a scheduled task existed. If the extension or task was missing, it would restart them. The scheduled task itself executed a headless Microsoft Edge browser with the extension loaded, using a hidden user data directory. This layered approach meant that even if one persistence mechanism was removed, the others would restore the infection. SNOWBELT likely allowed attackers to intercept browser traffic, steal credentials, or execute further lateral movement within the victim's network.


How did the attackers leverage Microsoft Teams and email to create distraction?

UNC6692 designed a two-part distraction. First, they launched a large email campaign targeting the victim, flooding their inbox with messages. This created a sense of urgency and made the victim more receptive to help. Then, they switched to Microsoft Teams, sending a chat from an external account posing as IT support. The message claimed to offer a patch for the email spam, directing the victim to a malicious link. By using a different communication channel, the attackers exploited the fact that Teams chats often feel more immediate and less formal than email. The combination of email overload and a timely "rescue" call from a trusted service effectively distracted the victim from verifying the legitimacy of the request. This demonstrates how attackers now leverage multiple collaboration platforms in concert to manipulate users.

What are the key lessons for defenders from the UNC6692 campaign?

Defenders should take several actionable lessons from this campaign. First, multi-platform social engineering is on the rise; attackers will use email, chat, and even phone calls together. Organizations should enforce strict policies for external communication in tools like Teams, such as requiring external chat warnings or blocking them outright. Second, the use of legitimate tools like AutoHotKey for malicious purposes highlights the need for behavioral detection: monitoring for unusual parent-child process relationships, such as an AutoHotKey process launching a headless browser with a side-loaded extension. Third, persistence mechanisms like Startup folder shortcuts and scheduled tasks should be continuously audited. Finally, browser extensions from untrusted sources must be blocked; consider allowing only vetted extensions via group policy. Regular user awareness training that includes scenarios involving both email and Teams can also help reduce the effectiveness of such attacks.
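The persistence layers described in the SNOWBELT section and the auditing advice above can be turned into a single host check. The script below is an added example, not code from the Mandiant/GTIG report: it inspects Startup folder shortcuts for AutoHotKey scripts, scheduled task actions for a headless Chromium browser launched with a side-loaded extension or custom profile directory, and live browser processes together with their parent. It assumes the task uses Chromium's standard `--headless`, `--load-extension` and `--user-data-dir` switches, which the report summary above does not quote.

```powershell
# Added persistence audit (not from the Mandiant/GTIG report). Run as Administrator
# so all users' scheduled tasks and processes are visible. Switch names are assumed.
$findings = @()
$shell = New-Object -ComObject WScript.Shell

# 1. Startup folder shortcuts (current user and all users) that launch an AutoHotKey script
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($lnk in Get-ChildItem -Path $startupDirs -Filter *.lnk -ErrorAction SilentlyContinue) {
    $sc  = $shell.CreateShortcut($lnk.FullName)
    $cmd = "$($sc.TargetPath) $($sc.Arguments)"
    if ($cmd -match '\.ahk(\b|")|autohotkey') {
        $findings += [pscustomobject]@{ Source = 'StartupShortcut'; Where = $lnk.FullName; Command = $cmd }
    }
}

# 2. Scheduled task actions that run Edge/Chrome headless, with an extension or custom profile
$browserRe      = '(msedge|chrome)\.exe'
$suspiciousArgs = '--headless|--load-extension|--user-data-dir'
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $browserRe -and $cmd -match $suspiciousArgs) {
            $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Where = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
        }
    }
}

# 3. Running browsers with a side-loaded extension, plus the parent that spawned them
$procs = Get-CimInstance Win32_Process
foreach ($p in $procs) {
    if ($p.Name -match $browserRe -and $p.CommandLine -match '--load-extension') {
        $parent = $procs | Where-Object ProcessId -eq $p.ParentProcessId | Select-Object -First 1
        $findings += [pscustomobject]@{ Source = 'Process'; Where = "PID $($p.ProcessId) parent=$($parent.Name)"; Command = $p.CommandLine }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No matching persistence artifacts found.' }
```

A parent of AutoHotkey.exe (or a renamed copy of it) in the Process findings is the relationship the lessons above call out; developer machines that legitimately side-load extensions will need an allowlist added to step 3.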
