Inside UNC6692: A Step-by-Step Analysis of a Sophisticated Social Engineering Attack
Introduction
In late 2025, Google Threat Intelligence Group (GTIG) uncovered a multi-stage intrusion campaign orchestrated by a newly tracked threat actor, UNC6692. This group used persistent social engineering, custom modular malware, and clever network pivoting to achieve deep penetration into victim environments. The attack begins with overwhelming email spam, followed by a convincing Microsoft Teams impersonation of IT helpdesk staff. The attacker then deploys a custom AutoHotKey script and a malicious Chromium browser extension called SNOWBELT. This guide breaks down each step of the attack chain, explaining the tactics and techniques employed. Understanding these steps helps defenders recognize and counter similar threats.

What You Need (Prerequisites for the Attacker)
Before launching this campaign, the attacker assembled the following tools and resources:
- AWS S3 bucket – to host the malicious payload files (HTML and AutoHotKey components).
- AutoHotKey binary – a legitimate automation scripting tool, renamed to match the script name for automatic execution.
- AutoHotKey script – the initial payload that performs reconnaissance and installs the browser extension.
- SNOWBELT Chrome extension – a custom malicious extension that runs persistently in the browser, not distributed through the Chrome Web Store.
- Microsoft Teams account – from outside the victim’s organization, used to impersonate the helpdesk.
- Large email list – for the initial spam campaign to create urgency.
- Windows Startup folder access – to establish persistence via a shortcut that checks for the browser extension.
Step 1: Overwhelm the Victim with Emails
The campaign begins with a large-scale email blast targeting the victim. Hundreds of messages flood the inbox, creating confusion and a sense of urgency. This distraction makes the victim more likely to accept help when the next step arrives.
Step 2: Impersonate Helpdesk via Microsoft Teams
Shortly after the email deluge, the attacker sends a Microsoft Teams chat request from an account outside the organization. The account poses as IT helpdesk personnel, offering assistance with the overwhelming email volume. The attacker leverages the victim’s trust in both the helpdesk role and the Teams platform.
Step 3: Lure Victim to Malicious Link
The Teams message includes a link that claims to install a local patch to prevent email spamming. The link points to an HTML page hosted on an AWS S3 bucket: https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html. The page is styled as a Microsoft Spam Filter Update interface.
Step 4: Deploy AutoHotKey and Script
When the victim clicks the link, the HTML page initiates downloads of two files: a renamed AutoHotKey binary and an identically named AutoHotKey script. Because the binary and script share the same filename, AutoHotKey automatically runs the script without extra command-line arguments. The script is the initial payload.
Step 5: Execute Initial Reconnaissance
Immediately after the AutoHotKey script runs, it executes reconnaissance commands to gather system information. These commands help the attacker understand the environment and plan further moves. The exact commands are not recovered, but evidence shows they run right after the downloads.

Step 6: Install SNOWBELT Browser Extension
The AutoHotKey script then installs the SNOWBELT Chromium browser extension. This extension is loaded from a local path, not the Chrome Web Store, and runs in the context of Microsoft Edge. The extension likely steals credentials, monitors browsing, or provides backdoor access.
Step 7: Establish Persistence
To ensure SNOWBELT remains active, the attacker uses multiple persistence mechanisms. First, a shortcut to an AutoHotKey script is placed in the Windows Startup folder. This script checks if the extension is running. If not, it launches a scheduled task that verifies the extension. The script also detects if the browser is in headless mode to avoid redundant execution. The persistence code includes the following logic:
    ; Startup-folder script: only act when no headless Edge instance (the SNOWBELT host) is already running
    if !CheckHeadlessEdge(){
        try{
            ; Look up the attacker's scheduled task through the Task Scheduler COM interface and run it if present
            taskService:=ComObject("Schedule.Service")
            taskService.Connect()
            rootFolder:=taskService.GetFolder("\")
            if FindAndRunTask(rootFolder){
                Sleep 10000
                ; If the task brought up the headless browser, this instance is redundant and exits
                if CheckHeadlessEdge(){
                    ExitApp
                }
            }
        }
        ; Otherwise start headless Edge directly, with the extension loaded from a local path (command truncated in the source)
        Run 'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft\
This ensures that even after a reboot, the extension continues to run in the background, giving the attacker persistent access.
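As an added defender-side example (not code from the GTIG report or from this article), the following Python flags the two observable behaviours described in Steps 4 and 7 over constructed Sysmon-style process-creation records: an AutoHotKey interpreter whose on-disk name no longer matches its OriginalFileName, and Edge started with --headless and --load-extension pointing at a local directory (plus a non-default --user-data-dir). The sample events, the SpamFilterUpdate.exe name and the field layout are assumptions.

```python
import re

# Constructed Sysmon Event ID 1-style process-creation records (sample data, not real telemetry).
# Field names mirror Sysmon's Image, OriginalFileName, CommandLine and ParentImage.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\SpamFilterUpdate.exe", "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\SpamFilterUpdate.exe"',
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "OriginalFileName": "msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--user-data-dir="C:\Users\alice\AppData\Local\Microsoft\Edge\System Data" '
                    r'--headless=new --load-extension="C:\Users\alice\AppData\Local\Microsoft\ext"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\AutoHotkey\AutoHotkey64.exe", "OriginalFileName": "AutoHotkey64.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey64.exe" C:\tools\remap.ahk',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "OriginalFileName": "msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def _flag_value(cmd, flag):
    # Value of --flag=value, with or without surrounding double quotes; None if absent.
    m = re.search(r'--%s=(?:"([^"]*)"|(\S+))' % re.escape(flag), cmd)
    return (m.group(1) or m.group(2)) if m else None

def detect(event):
    # Return a list of human-readable findings for one process-creation event.
    findings = []
    image = _basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    # Step 4: the PE is an AutoHotKey interpreter (per its version resource) but was renamed on disk.
    if re.fullmatch(r"autohotkey\w*\.exe", original) and image != original:
        findings.append("renamed AutoHotKey binary %s (OriginalFileName=%s)" % (image, original))
    # Step 7: headless Edge sideloading an unpacked extension from disk into a non-default profile dir.
    if image == "msedge.exe":
        flags = {m.group(1).lower() for m in re.finditer(r"--([a-z-]+)", cmd)}
        if "headless" in flags and "load-extension" in flags:
            findings.append("headless Edge with --load-extension=%s" % _flag_value(cmd, "load-extension"))
        udd = _flag_value(cmd, "user-data-dir")
        if udd and _basename(udd).lower() != "user data":  # Edge's default profile folder is "User Data"
            findings.append("non-default Edge user-data-dir %s" % udd)
    return findings

def scan(events):
    return [(e["Image"], f) for e in events for f in detect(e)]
```

In production the same two checks map directly onto Sysmon or EDR process-creation telemetry; a legitimate AutoHotKey install (third sample) and a normal Edge launch (fourth sample) produce no findings.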
Tips for Organizations
- Educate users – Train staff to verify unsolicited helpdesk requests via a separate channel, such as calling the IT department directly.
- Monitor external Teams chats – Enable security policies that flag or block Teams invitations from outside the organization.
- Inspect AutoHotKey use – Since AutoHotKey is a legitimate tool, monitor for unexpected executions of renamed binaries and scripts.
- Restrict browser extension installations – Use group policies to allow only extensions from the Chrome Web Store or managed store.
- Check Startup folder and scheduled tasks – Regularly audit these locations for unknown or suspicious entries.
- Deploy email filtering – Use advanced spam filters to detect and block large-volume campaigns.