Codenil

7 Critical Facts About the UNC6692 Social Engineering Malware Attack

Published: 2026-05-05 01:29:21 | Category: Cybersecurity

In late December 2025, a previously unknown threat group dubbed UNC6692 ran a multi-stage intrusion that combined persistent social engineering, custom malware, and lateral movement inside the victim's network. The activity was uncovered by Google Threat Intelligence Group (GTIG), and it illustrates how attackers abuse trust in enterprise communication tools (here, e-mail and Microsoft Teams) to get a user to run code for them rather than exploiting a technical vulnerability. Below are seven aspects of the attack that security teams need to understand.

1. The Threat Group and Its Goals

UNC6692 is a newly tracked adversary that relies on persistent social engineering rather than exploits for initial access. Its custom, modular malware suite and its pivoting inside the victim's environment point to an interest in long-term access; the final objective has not been disclosed, and the multi-stage approach itself shows patience and advance planning.

Image source: www.mandiant.com

2. The Initial Email Flood as a Distraction

The attack began with a large-scale e-mail flood (often called e-mail bombing) that buried the target's inbox. The flood did two things: it created a real, visible problem the user wanted solved, and it gave the attacker a pretext to make contact. By manufacturing the incident, UNC6692 lowered the victim's guard before the actual social engineering began.

3. Impersonating IT Helpdesk via Microsoft Teams

After the e-mail deluge, an attacker posing as a helpdesk employee contacted the victim through Microsoft Teams from an account outside the organization. The message offered help with the sudden mail volume and included a link to install a supposed "local patch" to stop the spam. The tactic trades on the trust employees place in IT support. One practical check: Teams marks federated or guest senders as external, so a "helpdesk" contact arriving from an unfamiliar external tenant, about a problem the user has just noticed, should be verified through a known internal channel before anything is clicked.

4. The AutoHotKey Infection Chain

Clicking the Teams link opened an HTML page hosted on an AWS S3 bucket (service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com). The page delivered a renamed AutoHotkey interpreter and a script file with the same base name (for example, a renamed interpreter called patch.exe alongside patch.ahk). When AutoHotkey is launched with no arguments, it looks for a script that shares its own file name in the same directory and runs it, so simply running the downloaded executable executed reconnaissance commands and installed the SNOWBELT browser extension. Because no command-line arguments are involved, process-creation telemetry shows only a bare executable path; hunting therefore has to key on the binary's PE metadata (OriginalFileName or version information identifying AutoHotkey), its hash, or the presence of a sibling .ahk file, not on the command line.

5. SNOWBELT: A Malicious Chromium Extension

SNOWBELT is a custom Chromium browser extension that was not distributed through the Chrome Web Store. Mandiant was unable to recover the initial AutoHotkey script, but evidence shows SNOWBELT was installed shortly after the malware ran. Its exact capabilities are not described here; an extension side-loaded this way bypasses store review and could plausibly monitor browsing activity, capture credentials, or perform man-in-the-browser manipulation of web sessions. Enterprise browser policy that allowlists permitted extensions is the control to review against this technique.


6. Persistence Through Startup Folder and Scheduled Tasks

To maintain access, UNC6692 established persistence in more than one way. A shortcut to the AutoHotkey script was placed in the Windows Startup folder, so it runs at each logon, and a scheduled task was created so that the malware also survived reboots. The script is self-healing: it checks whether SNOWBELT is running and whether the scheduled task still exists, and re-creates whichever persistence mechanism is missing. Removing only one of the two therefore does not clean the host.

7. Use of Microsoft Edge in Headless Mode

The attack also launched a headless instance of Microsoft Edge with a custom user-data directory and loaded the SNOWBELT extension into it. The command msedge.exe --user-data-dir=... --headless=new --load-extension=... shows how this worked: --user-data-dir points Edge at a separate profile, so the extension never appears in the user's normal profile or extension list; --headless=new is the Chromium headless mode that supports extensions; and --load-extension side-loads an unpacked extension from disk without any store or enterprise install flow. No window is shown, so the user sees nothing, but the process and its full command line are still visible in process-creation telemetry, which makes this combination of flags a good hunting signature.
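The following is an added example, not code from GTIG, Mandiant, or the original article. It turns the observables from sections 4, 6 and 7 into hunting rules and runs them over constructed Sysmon-style events (process creation and file creation). Every path, task name and event in the sample is hypothetical; the S3 hostname from the page is deliberately not used because the rules are about host behaviour, not one campaign's infrastructure.

```python
"""Hunting rules for the UNC6692 tradecraft summarised on this page, run over
constructed Sysmon-style events. Added example, not code from GTIG/Mandiant;
all paths, task names and the sample events are hypothetical."""
import ntpath
import re
from collections import defaultdict

# Constructed sample telemetry (EventID 1 = process create, EventID 11 = file
# create). The last event is benign noise to show the rules do not over-fire.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\outlookpatch.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\outlookpatch.ahk"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\outlookpatch.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\outlookpatch.exe"'},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--user-data-dir=C:\Users\alice\AppData\Local\Temp\edgeprof '
                    r'--headless=new --load-extension=C:\Users\alice\AppData\Local\Temp\ext'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "OutlookPatch" '
                    r'/tr "C:\Users\alice\AppData\Local\Temp\outlookpatch.exe" /sc onlogon'},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                                      r"\Start Menu\Programs\Startup\outlookpatch.lnk"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
HEADLESS_RE = re.compile(r"--headless(?:=\w+)?", re.I)
LOAD_EXT_RE = re.compile(r'--load-extension=("?)([^"\s]+)\1', re.I)
TASK_RUN_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def _proc_events(events):
    return [e for e in events if e.get("EventID") == 1]


def _file_events(events):
    return [e for e in events if e.get("EventID") == 11]


def renamed_autohotkey(events):
    """Process starts whose PE OriginalFileName says AutoHotkey but whose on-disk
    name differs: the renamed interpreter from section 4. Command line is not
    needed, which matters because the real chain passed no arguments."""
    hits = []
    for e in _proc_events(events):
        orig = e.get("OriginalFileName", "").lower()
        name = ntpath.basename(e.get("Image", "")).lower()
        if orig.startswith("autohotkey") and name != orig:
            hits.append(e["Image"])
    return hits


def same_name_script_pairs(events):
    """X.exe and X.ahk created with the same base name in the same directory.
    AutoHotkey run without arguments loads the script sharing its own name, so
    this pair is the whole 'no command line' trick."""
    exts_by_stem = defaultdict(set)
    original_case = {}
    for e in _file_events(events):
        stem, ext = ntpath.splitext(e.get("TargetFilename", ""))
        exts_by_stem[stem.lower()].add(ext.lower())
        original_case.setdefault(stem.lower(), stem)
    return sorted(original_case[s] for s, exts in exts_by_stem.items()
                  if {".exe", ".ahk"} <= exts)


def headless_browser_with_extension(events):
    """Edge (or Chrome, a generalisation of section 7) started headless while
    side-loading an unpacked extension. Either flag alone is common; together
    they are rare outside automation hosts."""
    hits = []
    for e in _proc_events(events):
        if ntpath.basename(e.get("Image", "")).lower() not in ("msedge.exe", "chrome.exe"):
            continue
        cmd = e.get("CommandLine", "")
        headless, ext = HEADLESS_RE.search(cmd), LOAD_EXT_RE.search(cmd)
        if headless and ext:
            hits.append({"image": e["Image"], "headless_flag": headless.group(0),
                         "extension": ext.group(2)})
    return hits


def persistence_indicators(events):
    """Section 6: schtasks /create whose /tr target lives in a user-writable
    directory, plus shortcuts or scripts dropped into the Startup folder."""
    hits = []
    for e in _proc_events(events):
        cmd = e.get("CommandLine", "")
        if ntpath.basename(e.get("Image", "")).lower() != "schtasks.exe" or "/create" not in cmd.lower():
            continue
        m = TASK_RUN_RE.search(cmd)
        target = (m.group(1) or m.group(2)) if m else ""
        if any(marker in target.lower() for marker in USER_WRITABLE):
            hits.append({"kind": "schtasks", "target": target})
    for e in _file_events(events):
        path = e.get("TargetFilename", "")
        if STARTUP_MARKER in path.lower() and path.lower().endswith((".lnk", ".ahk", ".exe", ".vbs")):
            hits.append({"kind": "startup_folder", "target": path})
    return hits


def hunt(events):
    """Run every rule and return findings keyed by rule name."""
    return {"renamed_autohotkey": renamed_autohotkey(events),
            "exe_ahk_same_name": same_name_script_pairs(events),
            "headless_browser_extension": headless_browser_with_extension(events),
            "persistence": persistence_indicators(events)}


if __name__ == "__main__":
    for rule, findings in hunt(SAMPLE_EVENTS).items():
        print(rule, findings)
```

The benign Edge launch at the end of the sample is not flagged, and the AutoHotkey rule fires on PE metadata alone, which is the point: against this chain a command-line-only rule would see nothing. To use these rules on real data, map your EDR or Sysmon fields onto the EventID, Image, OriginalFileName, CommandLine and TargetFilename keys used here.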

Conclusion

The UNC6692 campaign shows how far social engineering has moved from a single phishing e-mail. By chaining a distraction e-mail flood, a Teams-based helpdesk impersonation, and a custom malware suite that ends in a side-loaded browser extension, the attackers exploited trust in both IT processes and enterprise software rather than any software vulnerability. Practical defenses follow directly from the seven points above: train users to verify unsolicited helpdesk contact through a known internal channel, restrict or at least clearly label external Teams federation, allowlist browser extensions by policy, and hunt for renamed AutoHotkey binaries (identified by PE metadata or hash, since the chain needs no command line) and for Edge or Chrome launched with --headless together with --load-extension. Understanding these seven elements helps security teams defend against similar multi-vector attacks.