Snow Flurries Exposed: How UNC6692 Used Social Engineering and Custom Malware to Infiltrate Networks

Introduction

In late 2025, Google Threat Intelligence Group uncovered a sophisticated multi-stage intrusion campaign by a newly tracked threat actor, UNC6692. This group combined persistent social engineering, a custom modular malware suite, and clever network pivoting to achieve deep penetration into a victim's environment. UNC6692 impersonated IT helpdesk staff, exploited trust in Microsoft Teams, and deployed a malicious browser extension alongside AutoHotKey-based scripts. Below, we break down the attack through key questions and detailed answers.


1. Who is UNC6692 and what was their primary objective?

UNC6692 is a newly identified threat group tracked by Google Threat Intelligence. Their campaign targeted organizations through a multi-stage intrusion, leveraging social engineering to gain initial access. The ultimate objective appears to be deep network penetration, likely for data theft, espionage, or long-term persistence. Unlike many groups, UNC6692 combined both technical and human manipulation tactics, showing a mature understanding of enterprise trust models.

2. How did UNC6692 use social engineering to trick their victim?

The group launched a large email campaign designed to overwhelm the target with messages, creating urgency and distraction. Shortly after, an attacker posing as IT helpdesk contacted the victim via Microsoft Teams, offering assistance with the email flood. They convinced the victim to accept a chat invitation from an external account—exploiting inherent trust in enterprise software. This two-pronged approach (email saturation + Teams impersonation) made the victim more likely to follow malicious instructions.

3. What was the infection chain leading to initial malware deployment?

Once the victim accepted the Teams chat, the attacker sent a link supposedly for a local patch to prevent email spamming. The link directed to an attacker-controlled AWS S3 bucket (https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html). Opening the HTML page triggered download of a renamed AutoHotKey binary and an AutoHotKey script with the same name. AutoHotKey automatically executed the script, initiating reconnaissance commands and installing the SNOWBELT browser extension.

4. What role did AutoHotKey play in the attack?

AutoHotKey is a legitimate scripting language often used for automation. UNC6692 took advantage of one of its behaviors: if the interpreter binary and a script share the same filename (apart from the extension) and sit in the same directory, AutoHotKey runs that script automatically without any command-line arguments. The attackers renamed both files identically so that simply launching the renamed binary executed their malicious AutoHotKey script. The script performed initial reconnaissance (checking the environment and running commands) and installed SNOWBELT. Mandiant could not recover the initial script, but its effects were observed.


5. What is SNOWBELT and how did it achieve persistence?

SNOWBELT is a malicious Chromium browser extension (not from the Chrome Web Store) that appears to steal browser data or monitor activity. Persistence was established in two ways: a Scheduled Task, and a shortcut to an AutoHotKey script placed in the Windows Startup folder. That script verified SNOWBELT was running and checked for the Scheduled Task. If the task existed and was running, the script exited; otherwise, it launched a headless Edge browser with the SNOWBELT extension loaded. This dual approach ensured the extension stayed active across reboots.

6. How did UNC6692 avoid detection during the initial stage?

The group relied on trust in enterprise tools—Microsoft Teams and AWS S3—which are legitimate platforms rarely flagged by security solutions. By impersonating IT helpdesk, they bypassed human suspicion. The use of AutoHotKey, a legitimate binary, likely evaded endpoint detection because it wasn't inherently malicious. Additionally, the browser extension was not distributed through official stores, reducing visibility. The combination of social engineering, living-off-the-land techniques, and custom malware made detection challenging.

7. What lessons can organizations learn from this campaign?

Organizations should enforce strict external communication policies for Teams and other collaboration tools. Employees must verify IT helpdesk requests through a secondary channel. Deploy controls to block S3 buckets from unknown domains. Monitor for unusual AutoHotKey execution, especially from non-standard paths. Browser extension allowlists can prevent installation of unknown extensions. Awareness training should specifically cover social engineering via collaboration platforms, not just email. This incident highlights how threat actors evolve to exploit trust in enterprise ecosystems.
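The observable artefacts described in questions 4, 5 and 7 (a renamed AutoHotKey interpreter with a same-name .ahk script beside it, a headless Edge launched with an unpacked extension, a Startup-folder shortcut pointing at an .ahk script, and a download from an S3 bucket the organization does not own) can be turned into simple detection rules. The following is an added example written for this article, not code from Mandiant or Google Threat Intelligence. It runs over constructed sample telemetry; the event field names (`image`, `command_line`, `original_file_name`, `file_description`, `path`, `target`, `url`) and the `TRUSTED_BUCKET_HOSTS` allowlist are assumptions for the example, and the only value taken from the article is the S3 URL it names.

```python
"""Detection rules for the UNC6692 tradecraft described in the article.

Runs over constructed sample events (not real telemetry). The event schema
below is an assumption loosely modelled on process/file/URL telemetry.
"""
import ntpath
from urllib.parse import urlparse

# Assumed organisation allowlist of first-party S3 bucket hostnames.
TRUSTED_BUCKET_HOSTS = {"corp-installers.s3.us-west-2.amazonaws.com"}


def is_renamed_autohotkey(ev: dict) -> bool:
    """Version-resource metadata says AutoHotkey, but the on-disk name does not."""
    meta = (ev.get("file_description", "") + " " + ev.get("original_file_name", "")).lower()
    name = ntpath.basename(ev.get("image", "")).lower()
    return "autohotkey" in meta and "autohotkey" not in name


def has_same_name_script(ev: dict, files_on_disk: set) -> bool:
    """AutoHotkey auto-runs <stem>.ahk next to <stem>.exe; flag that pairing."""
    stem, ext = ntpath.splitext(ev.get("image", ""))
    if ext.lower() != ".exe":
        return False
    return (stem + ".ahk").lower() in {f.lower() for f in files_on_disk}


def is_headless_edge_with_extension(ev: dict) -> bool:
    """Headless Edge side-loading an unpacked extension, as used for SNOWBELT."""
    cmd = ev.get("command_line", "").lower()
    return (ntpath.basename(ev.get("image", "")).lower() == "msedge.exe"
            and "--headless" in cmd and "--load-extension" in cmd)


def is_startup_ahk_shortcut(ev: dict) -> bool:
    """A .lnk in the user's Startup folder whose target is an AutoHotkey script."""
    path, target = ev.get("path", "").lower(), ev.get("target", "").lower()
    return ("\\start menu\\programs\\startup\\" in path and path.endswith(".lnk")
            and target.endswith(".ahk"))


def is_untrusted_s3_url(ev: dict) -> bool:
    """Any S3-style hostname that is not on the organisation's bucket allowlist."""
    host = (urlparse(ev.get("url", "")).hostname or "").lower()
    looks_like_s3 = host.endswith(".amazonaws.com") and (".s3." in host or host.startswith("s3."))
    return looks_like_s3 and host not in TRUSTED_BUCKET_HOSTS


def evaluate(events: list, files_on_disk: set) -> list:
    """Return (event_id, rule_name) pairs for every rule that fires."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if is_renamed_autohotkey(ev):
                findings.append((ev["id"], "renamed_autohotkey_binary"))
            if has_same_name_script(ev, files_on_disk):
                findings.append((ev["id"], "same_name_ahk_script"))
            if is_headless_edge_with_extension(ev):
                findings.append((ev["id"], "headless_edge_load_extension"))
        elif ev["type"] == "file" and is_startup_ahk_shortcut(ev):
            findings.append((ev["id"], "startup_ahk_shortcut"))
        elif ev["type"] == "url" and is_untrusted_s3_url(ev):
            findings.append((ev["id"], "untrusted_s3_bucket"))
    return findings


# Constructed sample data. Paths, usernames and the benign bucket are made up;
# the S3 URL on event u1 is the one named in the article.
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\update.exe",
    r"C:\Users\alice\Downloads\update.ahk",
    r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
}
SAMPLE_EVENTS = [
    {"id": "p1", "type": "process", "image": r"C:\Users\alice\Downloads\update.exe",
     "file_description": "AutoHotkey Unicode 64-bit", "original_file_name": "AutoHotkey.exe",
     "command_line": r'"C:\Users\alice\Downloads\update.exe"'},
    {"id": "p2", "type": "process", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'msedge.exe --headless --load-extension="C:\Users\alice\AppData\Local\snowbelt"'},
    {"id": "p3", "type": "process", "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",  # benign admin use
     "file_description": "AutoHotkey Unicode 64-bit", "original_file_name": "AutoHotkey.exe",
     "command_line": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Tools\hotkeys.ahk'},
    {"id": "f1", "type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
     "target": r"C:\Users\alice\AppData\Local\update.ahk"},
    {"id": "u1", "type": "url",
     "url": "https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html"},
    {"id": "u2", "type": "url", "url": "https://corp-installers.s3.us-west-2.amazonaws.com/agent.msi"},
]

if __name__ == "__main__":
    for event_id, rule in evaluate(SAMPLE_EVENTS, SAMPLE_FILES):
        print(f"{event_id}: {rule}")
```

The renamed-binary rule deliberately keys on version-resource metadata rather than the file name, because the name is exactly what the actor changed; the benign event `p3` (the interpreter running from its normal install path with a script argument) fires none of the rules, which is the false-positive case a practitioner would want to check before deploying anything like this.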
