UNC6692's Snow Flurries Campaign: Social Engineering and Custom Malware in Enterprise Attacks

Published: 2026-05-15 15:39:55 | Category: Cybersecurity

In late December 2025, a newly tracked threat group called UNC6692 executed a sophisticated multi-stage intrusion campaign, dubbed 'Snow Flurries' by Google Threat Intelligence Group. This campaign uniquely combined persistent social engineering, a custom modular malware suite, and a malicious browser extension to achieve deep network penetration. Unlike typical phishing attacks, UNC6692 impersonated IT helpdesk staff via Microsoft Teams, exploiting the victim's trust in enterprise software providers. Below we explore the key aspects of this operation.

Who is UNC6692 and what was the Snow Flurries campaign?

UNC6692 is a newly tracked threat group identified by Google Threat Intelligence Group (GTIG). Their 'Snow Flurries' campaign, active in late 2025, was a multi-stage intrusion that used a combination of social engineering, custom malware, and a malicious browser extension. The group targeted an organization by first overwhelming the victim with a large email campaign, then reaching out via Microsoft Teams posing as IT helpdesk support. This approach allowed them to gain initial access and deploy a custom modular malware suite. The campaign demonstrated an evolution in tactics, particularly in how the attackers leveraged trust in enterprise software to bypass security controls and achieve deep network penetration.

Source: www.mandiant.com

How did UNC6692 use social engineering to initiate the attack?

The attack began with a large email campaign designed to flood the victim’s inbox, creating urgency and distraction. Shortly after, the attacker contacted the victim through Microsoft Teams, impersonating an IT helpdesk employee. They offered assistance with the email volume and directed the victim to click a link to install a local patch that would stop the spam. This social engineering tactic played on the victim’s inherent trust in both the helpdesk role and the Microsoft Teams platform. By posing as a helpful colleague, the attacker lowered suspicion and increased the likelihood of the victim following instructions. For more details on what happened after clicking the link, see the infection chain.

What was the infection chain after the victim clicked the link?

Once the victim clicked the link provided in the Teams chat, their browser opened an HTML page hosted on a threat actor-controlled AWS S3 bucket. This page then triggered the download of two files: a renamed AutoHotKey binary and an AutoHotKey script that shared the same filename. Because AutoHotKey automatically runs a script with the same name as the binary in the current directory, execution occurred without additional command-line arguments. Evidence of AutoHotKey execution was recorded immediately after the downloads, leading to initial reconnaissance commands and the installation of a malicious Chromium browser extension called SNOWBELT. Unfortunately, Mandiant was unable to recover the initial AutoHotKey script, but the subsequent steps were confirmed.

What is SNOWBELT and how was it deployed?

SNOWBELT is a malicious Chromium browser extension crafted by UNC6692. It was not distributed through the Chrome Web Store, meaning it had to be loaded manually. The extension was installed via a headless Edge browser process using command-line flags. Specifically, the attacker used: msedge.exe --user-data-dir="..." --headless=new --load-extension="...". This approach disguised the extension’s presence and allowed it to run in a hidden browser window. SNOWBELT likely performed credential theft, traffic monitoring, or other malicious actions, though Mandiant’s report focused on its deployment mechanism. The extension’s persistence was carefully maintained through multiple methods, as described in the following section.

How did UNC6692 ensure persistence of SNOWBELT?

The attackers established persistence for SNOWBELT in at least two ways. First, they placed a shortcut to an AutoHotKey script in the Windows Startup folder. This script checked whether the headless Edge process carrying the extension was still running; if it was not, the script searched for an existing scheduled task and, if one was found, ran it to relaunch the browser. Second, a scheduled task itself was created to run the same AutoHotKey script periodically. This redundancy ensured that even if one persistence mechanism failed, the other would restore the extension. The combination of Startup folder and scheduled task highlighted the group’s attention to maintaining long-term access.
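The infection chain, the headless-Edge extension load and the two persistence mechanisms described in the three sections above each leave a distinct trace in endpoint telemetry. The following Python script is an added example written for this page, not code from Mandiant or GTIG, and it runs over constructed Sysmon-style events (field names follow Sysmon Event ID 1; every path, task name and file name is invented). It encodes four hunting rules: a renamed AutoHotkey binary with a same-stem .ahk beside it, a Chromium browser started with --headless and --load-extension, a scheduled task created to run an .ahk file, and a Startup-folder shortcut whose target is an .ahk file. The shortcut records are constructed as already-resolved target paths because parsing .lnk files is outside the scope of the example.

```python
"""Hunting rules for the Snow Flurries chain over constructed telemetry."""
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 field names; all
# values are invented for this example, none come from the report).
EVENTS = [
    {"Image": r"C:\Users\jdoe\Downloads\patch.exe",
     "OriginalFileName": "AutoHotkey.exe",          # PE metadata betrays the rename
     "CommandLine": r'"C:\Users\jdoe\Downloads\patch.exe"',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'msedge.exe --user-data-dir="C:\Users\jdoe\AppData\Local\x" '
                    r'--headless=new --load-extension="C:\Users\jdoe\AppData\Local\ext"',
     "ParentImage": r"C:\Users\jdoe\Downloads\patch.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "EdgeUpdate" /sc minute /mo 5 '
                    r'/tr "C:\Users\jdoe\Downloads\patch.exe C:\Users\jdoe\AppData\Local\ext\keep.ahk"',
     "ParentImage": r"C:\Users\jdoe\Downloads\patch.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'"msedge.exe" --profile-directory=Default',   # benign launch
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Constructed listing of the download directory after the two drops.
DROPPED_FILES = [r"C:\Users\jdoe\Downloads\patch.exe",
                 r"C:\Users\jdoe\Downloads\patch.ahk"]

# Constructed Startup-folder shortcut records with their resolved targets.
SHORTCUTS = [
    {"lnk": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edge.lnk",
     "target": r"C:\Users\jdoe\AppData\Local\ext\keep.ahk"},
    {"lnk": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk",
     "target": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE"},
]

STARTUP_DIR_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
HEADLESS = re.compile(r"--headless(=\w+)?\b")
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))')


def _name(path):
    return PureWindowsPath(path).name.lower()


def renamed_autohotkey(event, files):
    """AutoHotkey running under another file name with a same-stem .ahk beside
    it: the interpreter auto-loads that script, so no arguments are needed."""
    if event["OriginalFileName"].lower() != "autohotkey.exe":
        return None
    image = PureWindowsPath(event["Image"])
    if image.name.lower() == "autohotkey.exe":
        return None
    sibling = image.with_suffix(".ahk")
    if str(sibling).lower() in {f.lower() for f in files}:
        return f"renamed AutoHotkey {image} paired with {sibling.name}"
    return None


def headless_extension_sideload(event):
    """Chromium browser started hidden while loading an unpacked extension."""
    if _name(event["Image"]) not in {"msedge.exe", "chrome.exe"}:
        return None
    cmd = event["CommandLine"]
    m = LOAD_EXT.search(cmd)
    if HEADLESS.search(cmd) and m:
        return f"headless {_name(event['Image'])} sideloading {m.group(1) or m.group(2)}"
    return None


def ahk_scheduled_task(event):
    """schtasks /create whose action references an AutoHotkey script."""
    if _name(event["Image"]) != "schtasks.exe":
        return None
    cmd = event["CommandLine"].lower()
    if "/create" in cmd and ".ahk" in cmd:
        return "scheduled task created to run an AutoHotkey script"
    return None


def ahk_startup_shortcut(shortcuts):
    """Startup-folder .lnk files whose target is an AutoHotkey script."""
    return [f"Startup shortcut {PureWindowsPath(s['lnk']).name} -> {s['target']}"
            for s in shortcuts
            if STARTUP_DIR_MARKER in s["lnk"].lower()
            and s["target"].lower().endswith(".ahk")]


def hunt(events, files, shortcuts):
    """Run every rule and return (rule_name, detail) findings in event order."""
    findings = []
    for e in events:
        for rule, detail in (("renamed_autohotkey", renamed_autohotkey(e, files)),
                             ("headless_extension_sideload", headless_extension_sideload(e)),
                             ("ahk_scheduled_task", ahk_scheduled_task(e))):
            if detail:
                findings.append((rule, detail))
    findings += [("ahk_startup_shortcut", d) for d in ahk_startup_shortcut(shortcuts)]
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(EVENTS, DROPPED_FILES, SHORTCUTS):
        print(f"[{rule}] {detail}")
```

The OriginalFileName check is the key to the first rule: renaming the AutoHotkey binary changes the path but not the PE version resource that Sysmon records, and the same-stem .ahk next to it is what makes the rename meaningful. The headless rule deliberately keys on the pair of flags together, since --headless on its own is common in automation and --load-extension on its own appears in developer workflows; on real telemetry, each rule would be tuned against the organisation's baseline before alerting.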

What makes this campaign distinct from other social engineering attacks?

Several factors set the Snow Flurries campaign apart. First, the use of AutoHotKey as a living-off-the-land binary allowed the attacker to execute a script without custom malware at the initial stage. Second, the deployment of a custom Chromium browser extension (SNOWBELT) outside the official store gave unique monitoring capabilities. Third, the combination of email flood and Teams social engineering showed an evolution in how attackers manipulate victims across multiple communication channels. Finally, the group demonstrated deft pivoting inside the victim’s environment, going beyond simple credential theft to achieve deep network penetration. These techniques collectively indicate a well-resourced threat actor adapting methods from both cybercrime and espionage playbooks.