
10 Critical Insights into UNC6692's Social Engineering and Custom Malware Campaign

Published: 2026-05-17 09:31:46 | Category: Cybersecurity

In late December 2025, a newly tracked threat group known as UNC6692 launched a sophisticated multi‑stage intrusion campaign that combined relentless social engineering with a custom modular malware suite. By impersonating IT helpdesk staff and exploiting trust in enterprise tools, the attackers achieved deep network penetration. This article breaks down the campaign into ten key elements, from the initial distraction to the deployment of a malicious browser extension, and explains how defenders can recognize and mitigate such threats.

1. The Emergence of UNC6692

UNC6692 is a previously undocumented threat actor identified by the Google Threat Intelligence Group (GTIG) during an investigation into a series of intrusions in December 2025. The group’s hallmark is a persistent reliance on social engineering—specifically, impersonating corporate IT helpdesk employees—to gain initial access. Unlike many attackers who rely solely on phishing emails, UNC6692 combines email, instant messaging, and custom malware to create a multi‑pronged attack. Their toolkit includes a renamed AutoHotKey binary, a custom script, and a malicious Chromium browser extension dubbed SNOWBELT. This campaign illustrates an evolution in tactics that leverages the victim’s trust in multiple enterprise software platforms simultaneously.

Source: www.mandiant.com

2. The Initial Distraction: Email Flood

Before contacting the victim, UNC6692 launched a large‑scale email campaign aimed at overwhelming the target’s inbox. Hundreds of spam and otherwise non‑urgent messages created confusion and a sense of urgency. This deliberate noise served two purposes: it desensitized the victim to incoming messages and set the stage for the next phase—a seemingly helpful offer from “IT support.” The email flood is a classic social engineering precursor, designed to make the victim more receptive to unsolicited help. In this case, it primed the user to accept a Microsoft Teams chat invitation from an external account, a key entry point for the attacker.

3. Teams Impersonation: The Helpdesk Hook

Following the email deluge, a threat actor posing as a company helpdesk employee sent a phishing message via Microsoft Teams. The attacker claimed to be offering assistance with the excessive email volume and directed the victim to click a link to install a “local patch” that would stop spam. This social engineering technique exploits the inherent trust users place in IT support personnel and in business communication tools like Teams. The message was crafted to appear legitimate, with language mimicking internal support communications. The victim, already overwhelmed, clicked the link without verifying the sender’s identity, initiating the infection chain.

4. The Infection Chain: AutoHotKey Abuse

When the victim clicked the link, the browser opened an HTML page hosted on a threat actor‑controlled AWS S3 bucket. The page silently downloaded two files: a renamed AutoHotKey binary and an AutoHotKey script, sharing the same base filename (differing only in extension). AutoHotKey is a legitimate Windows automation scripting tool, but UNC6692 abused one of its conveniences: when the interpreter is started with no command‑line arguments, it automatically runs a script of the same name from the same directory. The script executed immediately after download, performing initial reconnaissance commands and installing the SNOWBELT browser extension. The original script was not recovered, but traces indicate it established a foothold and persistence.

5. SNOWBELT: A Malicious Chromium Extension

SNOWBELT is a custom malicious extension for Chromium‑based browsers (e.g., Chrome, Edge). Unlike typical browser add‑ons, it was not distributed through the Chrome Web Store, but side‑loaded via the AutoHotKey script. Once installed, SNOWBELT could intercept and modify web traffic, steal credentials, and exfiltrate sensitive data. The extension likely posed as a legitimate IT tool or update within the browser environment, further exploiting the victim’s trust. Its design allows the attacker to persist even if the primary malware is removed, as browser extensions often evade conventional endpoint detection. This component represents a sophisticated evolution in attacker tooling.

6. Multiple Persistence Mechanisms

UNC6692 ensured long‑term access by establishing persistence in several ways. First, a shortcut to the AutoHotKey script was placed in the Windows Startup folder, so the malicious script runs automatically after every reboot. Second, a scheduled task was created to periodically check if the SNOWBELT extension is active and re‑launch it if necessary. The AutoHotKey script contained code that queries the Windows Task Scheduler—if the task exists and is running, it exits; otherwise, it relaunches the browser with the extension using command‑line arguments (--load-extension). This redundancy makes removal difficult: even if one persistence method is cleaned up, the other can reinfect the system.


7. Deep Network Pivoting

Once inside the victim’s environment, UNC6692 demonstrated deft lateral movement. Using stolen credentials harvested by SNOWBELT and initial reconnaissance data, the attackers pivoted from the compromised workstation to other systems. They targeted file servers, domain controllers, and internal web applications. The modular nature of their malware suite allowed them to deploy additional payloads as needed, maintaining stealth throughout. The group’s ability to blend in with legitimate traffic and use native tools limited the effectiveness of network‑based detection. This deep penetration suggests a well‑resourced operation with clear objectives, whether intellectual property theft or espionage.

8. Evolution of Tactics: Browser & Trust Abuse

This campaign highlights a trend in which attackers increasingly abuse trusted enterprise software—Teams, AutoHotKey, and Chromium—to gain initial access and maintain persistence. By impersonating IT support via Teams and using a legitimate scripting tool (AutoHotKey), UNC6692 reduces the likelihood of triggering security alerts. The malicious browser extension adds another layer of stealth, as extensions operate with high privileges and are rarely monitored by traditional EDR. This convergence of social engineering, legitimate tools, and custom malware represents a significant evolution from previous campaigns that relied on simpler phishing or exploit kits.

9. Detection and Response Challenges

Detecting UNC6692’s activities is challenging because the group uses common tools and processes. Key indicators include unusual AutoHotKey executions (especially from downloaded binaries), unexpected scheduled tasks that launch browsers with --load-extension flags, and browser extensions that are not from official stores. Logs from Microsoft Teams showing external chat invitations claiming to be from IT support are another red flag. Organizations should monitor for an unusual volume of email followed by Teams messages from unknown domains. Implementing strict policies for external Teams communications and restricting AutoHotKey use can help mitigate risk. However, the social engineering component requires user awareness training to prevent the initial click.

10. Key Takeaways for Defenders

The UNC6692 campaign underscores the need for a multi‑layered defense strategy. First, educate users about the dangers of unsolicited IT support offers, even on trusted platforms like Teams. Second, enforce application allow‑listing for scripting tools like AutoHotKey, and monitor for unusual processes. Third, implement browser extension policies that only allow installations from trusted stores, and audit extensions regularly. Fourth, use email filters to detect bulk spam campaigns that might precede a social engineering attack. Finally, maintain visibility into outbound network traffic to spot data exfiltration from browser extensions. Proactive threat hunting for the specific TTPs described here can help organizations detect similar intrusions early.
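The third takeaway, allow only store‑installed extensions and audit the ones present, has two halves: a policy that states the rule and a check that it holds on endpoints. The following is an added example written for this article, not code from the original report or from any browser vendor. It audits a constructed excerpt shaped like the extensions.settings map that Chromium keeps in a profile’s Preferences or Secure Preferences file, and emits the matching managed‑policy fragment. The Manifest::Location codes (4 for an unpacked load, 8 for --load-extension) are my reading of Chromium and should be verified against your browser build; the extension IDs and profile data are constructed.

```python
import json

# Chromium records each installed extension under extensions.settings.<id> in the
# profile's Preferences / Secure Preferences file. Two fields matter here:
#   from_webstore - true only for Chrome Web Store installs
#   location      - Manifest::Location code; assumption: 4 = UNPACKED (developer
#                   mode), 8 = COMMAND_LINE (--load-extension). Verify for your build.
SIDELOAD_LOCATIONS = {4: "unpacked", 8: "command_line"}

# Permissions that let an extension read or alter traffic and sessions, the kind of
# access the article's description of SNOWBELT implies.
HIGH_RISK_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                         "cookies", "debugger", "nativeMessaging", "proxy", "<all_urls>"}

# Organisation allowlist keyed by extension ID (constructed placeholder ID).
APPROVED_EXTENSIONS = {"aaaabbbbccccddddeeeeffffgggghhhh": "Approved password manager"}

# Constructed excerpt in the shape of the Preferences file; not real profile data.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "aaaabbbbccccddddeeeeffffgggghhhh": {
        "from_webstore": True, "location": 1, "state": 1,
        "path": "aaaabbbbccccddddeeeeffffgggghhhh\\2.3.1_0",
        "manifest": {"name": "Approved password manager", "permissions": ["storage"]}},
    "iiiijjjjkkkkllllmmmmnnnnooooaaaa": {
        "from_webstore": False, "location": 8, "state": 1,
        "path": "C:\\Users\\alice\\AppData\\Local\\ext",
        "manifest": {"name": "IT Spam Filter",
                     "permissions": ["webRequest", "webRequestBlocking", "cookies"],
                     "host_permissions": ["<all_urls>"]}},
    "ppppoooonnnnmmmmllllkkkkjjjjiiii": {
        "from_webstore": True, "location": 1, "state": 1,
        "path": "ppppoooonnnnmmmmllllkkkkjjjjiiii\\1.0.4_0",
        "manifest": {"name": "Unapproved note taker", "permissions": ["tabs"]}},
}}})

def audit_extensions(prefs_json, approved):
    """Return (extension_id, name, finding) for each policy violation in a profile."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        name = manifest.get("name", "<unknown>")
        location = entry.get("location")
        if location in SIDELOAD_LOCATIONS:
            findings.append((ext_id, name, f"sideloaded_{SIDELOAD_LOCATIONS[location]}"))
        elif not entry.get("from_webstore", False):
            findings.append((ext_id, name, "not_from_webstore"))
        if ext_id not in approved:
            findings.append((ext_id, name, "not_on_allowlist"))
            # MV2 lists host patterns under permissions, MV3 under host_permissions.
            requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            if requested & HIGH_RISK_PERMISSIONS:
                findings.append((ext_id, name, "high_risk_permissions"))
    return findings

def build_extension_policy(approved):
    """Chrome/Edge managed-policy fragment: block every extension except the allowlist."""
    return {"ExtensionInstallBlocklist": ["*"], "ExtensionInstallAllowlist": sorted(approved)}

if __name__ == "__main__":
    for ext_id, name, finding in audit_extensions(SAMPLE_PREFERENCES, APPROVED_EXTENSIONS):
        print(f"{ext_id}  {name!r}: {finding}")
    print(json.dumps(build_extension_policy(APPROVED_EXTENSIONS), indent=2))
```

The audit distinguishes three conditions the article treats as one: an extension loaded from a local directory rather than a store, an extension that came from a store but was never approved, and an unapproved extension asking for traffic‑ or session‑level access. Whether the blocklist‑everything policy also refuses --load-extension side‑loads depends on the browser version, so the on‑disk audit is the check that the policy is actually doing its job.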

In summary, UNC6692’s operation represents a sophisticated blend of social engineering, custom malware, and abuse of trusted tools. By understanding each step of the attack chain, defenders can better protect their environments against this emerging threat. Continuous monitoring, user education, and strict application controls remain the best defenses against such multi‑stage intrusions.