
10 Critical Steps in UNC6692's Social Engineering Malware Attack

Last updated: 2026-05-08 20:15:07 · Cybersecurity

In late December 2025, Google Threat Intelligence Group (GTIG) uncovered an intrusion campaign by a newly tracked threat actor, UNC6692. The group ran a multi-stage attack that combined persistent social engineering with custom malware and a malicious browser extension. By impersonating IT helpdesk staff, it exploited the victim's trust: it flooded their inbox to manufacture a problem it could then offer to fix, and used the resulting foothold to establish persistent access inside the corporate environment. Below are the ten key elements of the campaign, showing how UNC6692 turned a chat invitation into a network compromise.

1. Threat Actor Overview: UNC6692

UNC6692 is a newly tracked threat group that surfaced in late 2025 (in Mandiant's naming, the UNC prefix marks an uncategorized cluster that has not yet been attributed to a known actor). Unlike many cybercriminal groups, UNC6692 relied on human trust rather than software exploits: no vulnerability was needed, because the victim was talked into running the payload. The group impersonated internal IT support and dressed its payload up as a Microsoft update, using Microsoft Teams and email as the entry points. Its custom tooling, including the SNOWBELT browser extension, favours modular, adaptable components over a single monolithic implant. The campaign shows how attackers now combine social deception with technical tradecraft to slip past controls that look only for exploits or known-bad files.

10 Critical Steps in UNC6692's Social Engineering Malware Attack
Source: www.mandiant.com

2. Initial Email Flood to Create Urgency

The attack opened with an email flood, a tactic often called email bombing. In late December 2025, UNC6692 directed an overwhelming volume of spam at a single user, deliberately burying their inbox. The flood served two purposes: it irritated and distracted the victim, priming them to accept an unsolicited offer of help, and it gave the follow-up contact a plausible pretext, since the "IT helpdesk" was apparently reacting to a real problem. The sheer volume was designed to lower the victim's guard, a classic social engineering setup amplified by modern communication tools. For defenders, a sudden burst of mail from many unrelated senders to one mailbox is itself a signal worth alerting on, because it frequently precedes exactly this kind of helpdesk impersonation.
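The mail-flow check just described, as an added example that is not part of the GTIG/Mandiant write-up: a sliding-window detector that flags a mailbox receiving many messages from many distinct senders in a short period. The message-trace lines are constructed inline, and the window and thresholds are assumptions to tune for a given tenant.

```python
"""Spot an email-bombing burst of the kind that opened the UNC6692 intrusion:
many messages from many distinct senders to one mailbox inside a short window.
Added example, not code from the GTIG/Mandiant report. The message-trace lines
are constructed and the thresholds are assumptions to tune per environment."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumption
MIN_MESSAGES = 50                # assumption
MIN_DISTINCT_SENDERS = 30        # assumption: rules out one noisy but legitimate sender


def constructed_trace():
    """Lines of 'ISO-timestamp sender recipient', time-ordered. Constructed sample:
    ordinary internal mail plus an 80-message flood from 80 different list addresses."""
    base = datetime(2025, 12, 29, 9, 0, tzinfo=timezone.utc)
    lines = [f"{(base + timedelta(minutes=i)).isoformat()} alice@corp.example bob@corp.example"
             for i in range(20)]
    lines += [f"{(base + timedelta(seconds=7 * i)).isoformat()} list{i}@site{i}.example victim@corp.example"
              for i in range(80)]
    return sorted(lines)   # ISO timestamps sort lexicographically in time order


def parse(lines):
    for line in lines:
        ts, sender, rcpt = line.split()
        yield datetime.fromisoformat(ts), sender.lower(), rcpt.lower()


def bursts(lines):
    """{recipient: (messages, distinct_senders, window_start)} for every mailbox whose
    sliding WINDOW crosses both thresholds; the largest window per mailbox is kept."""
    recent = defaultdict(deque)
    hits = {}
    for ts, sender, rcpt in parse(lines):
        q = recent[rcpt]
        q.append((ts, sender))
        while ts - q[0][0] > WINDOW:      # drop messages that fell out of the window
            q.popleft()
        distinct = len({s for _, s in q})
        if len(q) >= MIN_MESSAGES and distinct >= MIN_DISTINCT_SENDERS:
            if rcpt not in hits or len(q) > hits[rcpt][0]:
                hits[rcpt] = (len(q), distinct, q[0][0])
    return hits


if __name__ == "__main__":
    for rcpt, (n, senders, start) in bursts(constructed_trace()).items():
        print(f"{rcpt}: {n} messages from {senders} senders since {start.isoformat()}")
```

The distinct-sender threshold is what separates a bombing run (hundreds of newsletters and sign-up confirmations) from one misbehaving internal system that emails the same person repeatedly.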

3. Phishing via Microsoft Teams

Immediately after the email flood, the attacker contacted the user over Microsoft Teams. Posing as an IT helpdesk employee, they offered to resolve the spam problem. The victim had to accept a chat invitation from an account outside their organization, a red flag that Teams does surface (external participants are labelled as such in the chat) but that is easy to overlook under stress. Moving from email to a trusted collaboration tool lent the approach credibility. The attacker then sent a malicious link, claiming it would install a patch to stop the spam. Tenants that allow unrestricted external access in Teams make this step trivial; restricting external access to an approved list of domains removes the channel entirely.

4. The Malicious Link and HTML Page

Clicking the link opened an HTML page hosted in an attacker-controlled AWS S3 bucket at https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html. The hostname is genuinely Amazon's, so domain reputation checks pass; the lure lives in the bucket name, which embeds "outlook" to make the page look Microsoft-related. The page advertised a "Microsoft Spam Filter Update" and instructed the victim to download a local patch, which made the request appear routine and necessary. The download consisted of a renamed AutoHotKey binary and an AutoHotKey script that shared the same base filename.
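Because the domain itself is legitimate, the useful check is on the bucket name. The following is an added example, not code from the GTIG/Mandiant report: it extracts the bucket from either S3 addressing style and flags brand or helpdesk words in it. The first URL is the one quoted above; the other URLs and the token list are constructed assumptions.

```python
"""Extract the bucket name from an S3 URL and flag brand or helpdesk words in it.
Added example, not code from the GTIG/Mandiant report. The first URL below is
the one quoted in the article; the rest are constructed for contrast."""
import re
from urllib.parse import urlparse

# Virtual-hosted style: <bucket>.s3.<region>.amazonaws.com or <bucket>.s3.amazonaws.com
VHOST_RE = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$", re.I)
# Path style: s3.<region>.amazonaws.com/<bucket>/<key>
PATH_RE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$", re.I)
# Words a lure bucket borrows from the brand it imitates (assumed list; extend per tenant).
BRAND_TOKENS = ("microsoft", "outlook", "office", "teams", "sharepoint", "helpdesk", "update", "patch")


def s3_bucket(url):
    """Bucket name for an S3 URL in either addressing style, or None if the host is not S3."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    m = VHOST_RE.match(host)
    if m:
        return m.group("bucket")
    if PATH_RE.match(host):
        first = u.path.lstrip("/").split("/", 1)[0]
        return first or None
    return None


def brand_tokens_in_bucket(url):
    """Brand tokens found in the bucket name; empty for non-S3 hosts or clean names."""
    bucket = s3_bucket(url)
    return [t for t in BRAND_TOKENS if bucket and t in bucket]


SAMPLE_URLS = [
    "https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html",  # from the article
    "https://s3.eu-west-1.amazonaws.com/microsoft-helpdesk-patch/index.html",            # constructed
    "https://acme-build-artifacts.s3.amazonaws.com/release.zip",                         # constructed, benign
    "https://www.microsoft.com/en-us/security",                                          # constructed, not S3
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url}\n  bucket={s3_bucket(url)} flagged={brand_tokens_in_bucket(url)}")
```

Run as a proxy-log or URL-rewrite enrichment, this turns "an amazonaws.com link" into "an S3 bucket that calls itself outlook", which is the detail an analyst actually needs.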

5. Delivery of AutoHotKey Binary and Script

The attacker delivered a renamed copy of the AutoHotKey interpreter (a legitimate Windows automation tool) to run a malicious script. AutoHotKey launched without arguments looks for a script with the same base name as its own executable in the same directory, so a copy renamed to, for example, update.exe silently runs update.ahk from the same folder (illustrative names). That let UNC6692 run arbitrary code under a trusted, commonly allow-listed interpreter without a suspicious command line. The initial script itself was not recovered, but its effects were clear: it ran reconnaissance commands and installed the SNOWBELT browser extension. The renamed binary's PE version metadata still identifies it as AutoHotKey, which is the hook for detection.

6. Initial Reconnaissance via AutoHotKey

After execution, the AutoHotKey script ran initial reconnaissance commands to gather system information, check for security tools and establish the victim's access level (the specific commands are not reported here). This stage let UNC6692 map the environment before moving further, and it staged the SNOWBELT extension. Evidence of AutoHotKey execution appeared in system logs immediately after the download, confirming the chain. The rapid transition from download to reconnaissance shows how streamlined the attacker's toolkit was.

7. SNOWBELT: A Malicious Chromium Extension

SNOWBELT is a custom malicious extension for Chromium-based browsers such as Microsoft Edge. It was not distributed through the Chrome Web Store or the Edge Add-ons store; it was sideloaded as an unpacked extension with the --load-extension flag, which bypasses store review. The extension gave UNC6692 persistent access to browser activity, including reading and modifying web pages, stealing credentials and capturing keystrokes. By running inside the victim's trusted browser process, SNOWBELT avoided the file- and process-based signatures many endpoint tools rely on. Its modular design let the group update its functionality remotely. Enterprise browser policies such as ExtensionInstallBlocklist and ExtensionInstallAllowlist restrict which extensions may load, and monitoring process command lines for --load-extension catches what policy misses.


8. Establishing Persistence: Startup Folder and Scheduled Task

To keep SNOWBELT running, UNC6692 used two persistence mechanisms. First, a shortcut to the AutoHotKey script was placed in the Windows Startup folder so it ran at every logon. Second, a Scheduled Task was created to relaunch the script if it stopped. The script also checked for these items and recreated them when missing. The redundancy makes cleanup harder: removing one mechanism leaves the other to restore it, so the Startup shortcut, the task and the script that recreates them have to be removed together.

9. Technical Persistence Script Details

The AutoHotKey script's persistence logic enumerated the Scheduled Tasks folder, looking for a specific task. If the task existed and a headless Edge instance was already running, the script exited. Otherwise it ran:

cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft\....

This launches a headless Edge with the SNOWBELT extension loaded. Three details matter for defenders. --headless=new runs Edge with no window, so the user sees nothing, but the process and its full command line remain visible to process monitoring. --user-data-dir points at a separate profile directory ("System Data" under %LOCALAPPDATA%), keeping the implant's state apart from the user's real profile, where it is less likely to be noticed. And --load-extension names an unpacked extension on disk (the path is truncated in the source). A browser process started with both headless mode and --load-extension has no ordinary interactive use, which makes the combination a high-fidelity detection.
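The detection opportunities from steps 5, 7, 8 and 9, as one added example that is not code from the GTIG/Mandiant report: four rules run over constructed Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. Sysmon's OriginalFileName field comes from the PE version resource, which is why a renamed AutoHotKey still reports AutoHotkey.exe. The file name SpamFilterUpdate.exe, the task name and every path under C:\Users\victim are hypothetical; only the command-line shapes follow the article.

```python
"""Detection rules for the UNC6692 tradecraft in steps 5, 7, 8 and 9, run over
constructed Sysmon-style events (ID 1 process creation, ID 11 file creation).
Added example, not code from the GTIG/Mandiant report. SpamFilterUpdate.exe,
the task name and every path under C:\\Users\\victim are hypothetical; only the
command-line shapes mirror the article."""
import re
from pathlib import PureWindowsPath

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
AHK_HOST = r"C:\Users\victim\Downloads\SpamFilterUpdate.exe"   # renamed AutoHotkey (hypothetical)

SAMPLE_EVENTS = [
    # Benign: genuine AutoHotkey run under its own name with an explicit script.
    {"EventID": 1, "Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "OriginalFileName": "AutoHotkey.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Tools\hotkeys.ahk'},
    # Step 5: AutoHotkey renamed and started with no arguments, so it auto-loads
    # SpamFilterUpdate.ahk from the same directory. OriginalFileName still says AutoHotkey.
    {"EventID": 1, "Image": AHK_HOST, "OriginalFileName": "AutoHotkey.exe",
     "ParentImage": EDGE, "CommandLine": f'"{AHK_HOST}"'},
    # Step 8: scheduled task whose action re-launches the script host.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": AHK_HOST,
     "CommandLine": f'schtasks /create /sc minute /mo 5 /tn "EdgeUpdateCheck" /tr "{AHK_HOST}"'},
    # Step 8: shortcut written into the per-user Startup folder.
    {"EventID": 11, "Image": AHK_HOST, "TargetFilename":
     r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SpamFilterUpdate.lnk"},
    # Step 9: headless Edge with a sideloaded extension and a separate profile directory.
    {"EventID": 1, "Image": EDGE, "OriginalFileName": "msedge.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": rf'"{EDGE}" --user-data-dir="C:\Users\victim\AppData\Local\Microsoft\Edge\System Data" '
                    rf'--headless=new --load-extension="C:\Users\victim\AppData\Local\Microsoft\EdgeExt"'},
    # Benign: a developer loading an unpacked extension in a visible browser.
    {"EventID": 1, "Image": EDGE, "OriginalFileName": "msedge.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": rf'"{EDGE}" --load-extension="C:\dev\my-extension"'},
]

CHROMIUM = {"msedge.exe", "chrome.exe", "brave.exe"}
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")


def basename(path):
    return PureWindowsPath(path).name.lower()


def flag_of(cmdline, name):
    """Value of --name or --name=value on a Chromium command line, None if absent.
    Accepts the quoted form --load-extension="C:\\path with spaces"."""
    m = re.search(rf'--{re.escape(name)}(?:=("[^"]*"|\S+))?(?=\s|$)', cmdline, re.I)
    return None if not m else (m.group(1) or "").strip('"')


def renamed_autohotkey(ev):
    """AutoHotkey by PE metadata (OriginalFileName) but running under another file name."""
    return (ev["EventID"] == 1 and ev.get("OriginalFileName", "").lower().startswith("autohotkey")
            and not basename(ev["Image"]).startswith("autohotkey"))


def headless_sideloaded_extension(ev):
    """Chromium started headless together with an unpacked extension: no interactive use."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in CHROMIUM:
        return False
    cmd = ev["CommandLine"]
    return flag_of(cmd, "headless") is not None and flag_of(cmd, "load-extension") is not None


def scheduled_task_user_dir(ev):
    """schtasks /create whose action (/tr) points into a user-writable directory."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != "schtasks.exe":
        return False
    cmd = ev["CommandLine"]
    m = re.search(r'/tr\s+("[^"]*"|\S+)', cmd, re.I)
    return "/create" in cmd.lower() and bool(m) and any(d in m.group(1).strip('"').lower() for d in USER_WRITABLE)


def startup_folder_shortcut(ev):
    """A .lnk created inside a Startup folder (file-creation event)."""
    return ev["EventID"] == 11 and bool(STARTUP_RE.search(ev.get("TargetFilename", "")))


RULES = (renamed_autohotkey, headless_sideloaded_extension, scheduled_task_user_dir, startup_folder_shortcut)


def run_rules(events):
    """[(event_index, rule_name), ...] for every rule that fires, in event order."""
    return [(i, rule.__name__) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for i, rule in run_rules(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"event {i} -> {rule}: {ev.get('CommandLine') or ev.get('TargetFilename')}")
```

The renamed-AutoHotKey rule keys on metadata rather than the file name precisely because the file name is the part the attacker controls; the headless rule deliberately ignores a visible browser loading an unpacked extension, which is what developers do all day.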

10. Campaign Implications and Evolution

The UNC6692 campaign marks a notable evolution in social engineering and malware deployment. By chaining an email flood, Teams phishing and a trusted tool like AutoHotKey, the attackers exploited human psychology and system trust rather than any software vulnerability. The use of a custom browser extension (SNOWBELT) for persistent eavesdropping reflects a shift toward browser-resident malware that evades traditional endpoint detection. The case underscores the need to train employees on cross-platform phishing, restrict external Teams access, enforce multi-factor authentication, and monitor for unusual browser extension loads. Defenders should also review AutoHotKey executions (including renamed copies, which PE metadata still identifies), Startup folder contents and Scheduled Tasks, as UNC6692's methods could inspire copycat attacks.

UNC6692's operation is a reminder that the most effective intrusions often start with a simple conversation. Its blend of social engineering, custom code and redundant persistence produced a stealthy foothold that could have gone unnoticed for months. By understanding each step, from the email flood to the headless browser, security teams can better defend against such adaptive threats. Vigilance and layered defenses remain the best countermeasures against attackers who behave like insiders.