Trust Exploited: How UNC6692's Social Engineering Chain Delivered Custom Malware

In late 2025, the Google Threat Intelligence Group (GTIG) uncovered a sophisticated multi-stage intrusion campaign orchestrated by a newly tracked threat actor, UNC6692. This operation combined persistent social engineering, a custom modular malware suite, and clever lateral movement to gain deep access into targeted networks. The campaign highlights an evolution in attacker tradecraft, particularly the abuse of trusted enterprise platforms like Microsoft Teams and the use of a malicious browser extension to maintain stealthy persistence.

The Social Engineering Assault

Like many modern intrusions, UNC6692 relied heavily on impersonating IT helpdesk staff. However, the group added a layer of psychological manipulation by first overwhelming the victim with a flood of spam emails, creating urgency and confusion. This set the stage for a subsequent phishing message via Microsoft Teams, where the attacker—posing as a helpful helpdesk employee—offered to resolve the email issue.

Source: www.mandiant.com

Overwhelming Email Campaign

In late December 2025, UNC6692 launched a large-scale email campaign targeting one individual. The goal was not to deliver malware initially but to disrupt and distract. The victim received an abnormally high volume of messages, which likely caused alarm and a desire for a quick fix. This distraction technique made the subsequent social engineering more effective.

Teams Impersonation

Soon after the email deluge, the victim received a Microsoft Teams chat invitation from an external account. The attacker claimed to be from the organization's helpdesk and offered assistance with the spam problem. The victim, already stressed by the email overload, accepted the invite. The attacker then directed the victim to click a link to install a "local patch" that would stop the email spamming. This link was the critical pivot point in the infection chain.

The Infection Chain: From Click to Payload

Once the victim clicked the link, a series of coordinated steps executed silently in the background. The victim's browser opened an HTML page that ultimately led to the download of a renamed AutoHotKey binary and a matching script file from a threat actor-controlled Amazon S3 bucket. Both files shared the same name, a design choice by UNC6692 to exploit AutoHotKey's automatic script execution behavior.

The AutoHotKey Trick

AutoHotKey, a legitimate scripting language, can automatically run a script if the binary and script file have the same name and reside in the same folder. The attacker hosted the file at a URL like https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html, disguised as a Microsoft Spam Filter Update. Evidence in Microsoft Teams logs showed the victim accessed this link. Immediately after the download, AutoHotKey executed, performing initial reconnaissance commands and installing the primary malicious component: SNOWBELT, a custom Chromium browser extension. Notably, the extension was not distributed through the Chrome Web Store—it was loaded directly via command-line switches.

SNOWBELT: A Malicious Browser Extension

SNOWBELT is a modular browser extension designed to operate within Chromium-based browsers (like Chrome or Edge). It likely provides remote control capabilities, allowing the attacker to monitor browsing activity, inject malicious scripts, or exfiltrate credentials. The extension was loaded by Edge in headless mode, running silently without a visible UI. This persistence mechanism allowed UNC6692 to maintain long-term access while evading detection.


Persistence Mechanisms

UNC6692 ensured SNOWBELT would survive reboots through multiple overlapping persistence methods:

The script's logic (partially recovered) shows it checks for headless Edge, verifies the scheduled task exists, and if not, launches the browser with the extension. This layered approach makes removal difficult.
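The three tradecraft details above (a renamed AutoHotKey interpreter, an extension sideloaded into a headless Chromium browser via command-line switches, and the script's check for a running headless Edge) suggest two process-creation detections. The following is an added example written for this article, not code from GTIG or Mandiant: it assumes Sysmon-style fields (Image, CommandLine, OriginalFileName, ProcessId) in a constructed key=value log format, and it assumes the real Chromium switches `--headless` and `--load-extension`, which the article does not name explicitly.

```python
import ntpath
import re

BROWSERS = {"msedge.exe", "chrome.exe"}  # Chromium-based hosts for an extension like SNOWBELT
# Real Chromium switches; the report says only "command-line switches", so
# assuming this exact pair is this example's choice, not the report's finding.
HEADLESS = re.compile(r'(?:^|\s)--headless(?:=\S+)?(?:\s|$)')
LOAD_EXT = re.compile(r'--load-extension=("[^"]+"|\S+)')

def parse_event(line):
    """Parse one constructed 'Key=value|Key=value' process-creation record."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def headless_sideload(ev):
    """Chromium browser started headless with an unpacked extension."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    cmd = ev.get("CommandLine", "")
    ext = LOAD_EXT.search(cmd)
    if image in BROWSERS and ext and HEADLESS.search(cmd):
        return ("headless_extension_sideload", ext.group(1).strip('"'))
    return None

def renamed_autohotkey(ev):
    """AutoHotKey interpreter running under another file name (Sysmon
    OriginalFileName; assumes the rename left the PE version resource intact)."""
    original = ev.get("OriginalFileName", "").lower()
    image = ntpath.basename(ev.get("Image", "")).lower()
    if original.startswith("autohotkey") and image != original:
        return ("renamed_autohotkey", image)
    return None

def scan(lines):
    """Run both rules; return (ProcessId, rule, detail) for every hit."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in (headless_sideload, renamed_autohotkey):
            hit = rule(ev)
            if hit:
                alerts.append((ev.get("ProcessId"), *hit))
    return alerts

# Constructed sample records; paths and PIDs are placeholders, not report IoCs.
SAMPLE_EVENTS = [
    r'Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|CommandLine="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --load-extension="C:\Users\victim\AppData\Local\ext"|OriginalFileName=msedge.exe|ProcessId=4120',
    r'Image=C:\Users\victim\Downloads\update.exe|CommandLine="C:\Users\victim\Downloads\update.exe"|OriginalFileName=AutoHotkey.exe|ProcessId=3388',
    r'Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|CommandLine="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default|OriginalFileName=msedge.exe|ProcessId=900',
    r'Image=C:\Program Files\AutoHotkey\AutoHotkey.exe|CommandLine="C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\scripts\hotkeys.ahk|OriginalFileName=AutoHotkey.exe|ProcessId=1200',
]
```

Running `scan(SAMPLE_EVENTS)` flags only the headless Edge sideload and the renamed interpreter; the interactive Edge session and the properly named AutoHotkey install produce no alert.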

Implications and Lessons

The UNC6692 campaign demonstrates a dangerous combination of social engineering, custom malware, and abuse of legitimate tools like AutoHotKey and Microsoft Teams. Key takeaways for defenders include:

This case reinforces that trust in enterprise software can be weaponized. By blending technical sophistication with human manipulation, UNC6692 achieved deep penetration. Defenders must harden both human and technical defenses to counter such threats.
