Unpacking the Snow Flurries Attack: How UNC6692 Blended Social Engineering and Custom Malware


In late December 2025, Google Threat Intelligence Group (GTIG) uncovered a sophisticated multi-stage intrusion campaign conducted by a newly tracked threat actor, UNC6692. This operation combined relentless social engineering, a custom modular malware suite, and clever lateral movement to achieve deep network penetration. The attackers masqueraded as IT helpdesk staff, exploited trusted enterprise tools like Microsoft Teams, and deployed a malicious browser extension called SNOWBELT. Below, we answer key questions about this campaign, its techniques, and its implications for defenders.

1. Who is UNC6692 and what was their intrusion campaign?

UNC6692 is a previously unknown threat group that GTIG identified during a multi-stage intrusion campaign in late December 2025. The group's primary objective appeared to be deep network penetration through a combination of persistent social engineering, custom malware, and lateral pivoting. Unlike many attackers who rely solely on technical exploits, UNC6692 focused heavily on impersonating IT helpdesk employees to gain initial access. Their toolkit included a renamed AutoHotKey binary and script, a modular malware suite, and a Chromium browser extension called SNOWBELT, which was not distributed through the Chrome Web Store. The campaign demonstrated an evolution in tactics by exploiting victim trust in enterprise software providers like Microsoft and AWS. The attack chain began with an email flood to overwhelm the target, followed by a phishing message via Microsoft Teams offering fake assistance. This ultimately led to the installation of malicious components that enabled reconnaissance, persistence, and further compromise.

Source: www.mandiant.com

2. How did UNC6692 use social engineering against victims?

UNC6692 employed a two-phase social engineering approach. First, they launched a large email campaign targeting the victim, flooding their inbox with numerous messages to create urgency and distraction. Shortly after, an attacker posing as an IT helpdesk employee contacted the victim via Microsoft Teams, from an account outside the organization, claiming to help resolve the email spam issue. The attacker convinced the victim to accept a Teams chat invitation and then to click a link to install a "local patch" to prevent spamming. This link led to an HTML page hosted on an AWS S3 bucket that downloaded a renamed AutoHotKey binary and script. The impersonation of helpdesk staff is a well-known social engineering trick, but UNC6692 refined it by timing the outreach immediately after the email flood, making the offer of assistance seem legitimate and timely. The attackers also exploited the victim's inherent trust in Microsoft Teams and familiar enterprise software providers, lowering their suspicion.

3. What was the infection chain involving AutoHotKey and SNOWBELT?

Once the victim clicked the link in the Microsoft Teams message, their browser opened an HTML page and downloaded a renamed AutoHotKey binary along with a script sharing the same name from a threat actor-controlled AWS S3 bucket (https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html). AutoHotKey is a legitimate scripting language, but in this attack it was repurposed as a loader. Because the binary and script file had the same name, AutoHotKey automatically executed the script with no command-line arguments. The script performed initial reconnaissance commands and then installed SNOWBELT, a malicious Chromium browser extension (not from the Chrome Web Store). SNOWBELT was designed to give attackers persistent access to browser sessions, credentials, and possibly more. Evidence of AutoHotKey execution was recorded immediately after the downloads. Mandiant was unable to recover the initial AutoHotKey script, but the subsequent behavior confirmed the infection chain.

4. How did UNC6692 achieve persistence with the SNOWBELT extension?

UNC6692 established persistence for the SNOWBELT browser extension through at least two mechanisms. First, a shortcut to an AutoHotKey script was added to the Windows Startup folder. This script checked if the extension was running and monitored a scheduled task. Second, a scheduled task was created to run a command that launched Microsoft Edge in headless mode with the SNOWBELT extension loaded. The AutoHotKey script included code like:

; Only act if the headless Edge process carrying the extension is not already running
if !CheckHeadlessEdge(){
   try{
      ; First try to (re)start the scheduled task that launches headless Edge
      taskService:=ComObject("Schedule.Service")
      taskService.Connect()
      rootFolder:=taskService.GetFolder("\")
      if FindAndRunTask(rootFolder){
         Sleep 10000
         if CheckHeadlessEdge(){
            ExitApp
         }
      }
   }
   ; Fallback: launch headless Edge with the sideloaded extension directly
   Run 'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft'

This ensured that even if the browser was closed or the system restarted, the headless Edge process with the malicious extension would restart, maintaining a persistent foothold inside the network.

5. What made the UNC6692 campaign stand out from typical intrusions?

While many modern intrusions use social engineering and malware, UNC6692's campaign demonstrated several unique and sophisticated aspects. First, the dual-phase social engineering—using email flood followed by a targeted Teams message—was carefully choreographed to maximize the victim's distraction and trust. Second, the attackers leveraged AutoHotKey in a novel way: by naming the binary and script identically, they exploited an undocumented feature of AutoHotKey to auto-run the malicious script without extra command-line arguments, making detection harder. Third, the use of a custom Chromium browser extension (SNOWBELT) that was sideloaded rather than installed from the Chrome Web Store allowed attackers to intercept browser sessions, steal cookies, and potentially bypass multi-factor authentication. Finally, the attackers showed deft pivoting inside the victim’s environment, indicating a deep understanding of network traversal. This combination of tactics—social engineering, custom tools, and browser-level exploitation—represents an evolution in threat actor tradecraft.

6. What key takeaways should defenders learn from Snow Flurries?

Defenders can extract several critical lessons from the UNC6692 campaign. First, verify external communications: any unsolicited IT helpdesk contact via Teams or other channels, especially after an email surge, should be treated with suspicion. Second, restrict the use of AutoHotKey in corporate environments, or monitor for unusual execution patterns, such as binaries running without command-line arguments. Third, enforce browser extension policies: only allow extensions from trusted sources like the Chrome Web Store, and block sideloaded or developer-mode extensions. Fourth, implement user awareness training that specifically covers the scenario of fake IT support reaching out via chat. Fifth, monitor for unusual scheduled tasks or startup folder entries that launch browsers in headless mode with custom load-extension flags. Lastly, use endpoint detection and response (EDR) tools to detect the combination of AutoHotKey downloads from cloud storage and subsequent browser extension installation. Proactive hunting for these indicators can significantly reduce the risk of similar intrusions.
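A defender-side hunt for the execution and persistence artifacts described in sections 4 and 6 (a renamed AutoHotKey binary started without a script argument, and a browser or scheduled task launching Edge headless with a sideloaded extension), as an added example that is not from the original article or from Mandiant. The events below are constructed Sysmon-style process-creation records; the field names, paths and rule labels are assumptions for illustration.

```python
import ntpath
import re
# Constructed Sysmon-style process-creation events; paths and names are samples, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\update.exe", "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\update.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn Updater /tr "msedge.exe --headless=new --load-extension=C:\ext"'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "OriginalFileName": "msedge.exe",
     "CommandLine": r'msedge.exe --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft\ext"'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "OriginalFileName": "msedge.exe",
     "CommandLine": r"msedge.exe --profile-directory=Default https://intranet.example"},
    {"Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\tools\macro.ahk'},
]
HEADLESS = re.compile(r"--headless(=\w+)?\b", re.I)
LOAD_EXT = re.compile(r"--load-extension=", re.I)
BROWSERS = {"msedge.exe", "chrome.exe"}

def _args_after_exe(cmdline):
    """Return whatever follows the executable token (quoted or bare) in a command line."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[end + 1:].strip() if end != -1 else ""
    parts = c.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""

def assess(event):
    """Return the labels of every hunt rule that fires for one process-creation event."""
    image = ntpath.basename(event.get("Image", "")).lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    # A browser, or a scheduled task wrapping one, started headless with a sideloaded extension.
    if HEADLESS.search(cmd) and LOAD_EXT.search(cmd):
        if image in BROWSERS:
            hits.append("browser_headless_sideloaded_extension")
        elif image == "schtasks.exe":
            hits.append("scheduled_task_launches_headless_browser")
    # PE version info says AutoHotkey, but it runs under another file name or with no script argument.
    if orig == "autohotkey.exe":
        if not image.startswith("autohotkey"):
            hits.append("renamed_autohotkey_binary")
        if not _args_after_exe(cmd):
            hits.append("autohotkey_without_script_argument")
    return hits

def scan(events):
    return [(i, assess(e)) for i, e in enumerate(events) if assess(e)]
```

Feed real process-creation telemetry (Sysmon event 1, EDR process events) into scan() with the same three fields; the two benign samples show that ordinary Edge sessions and a properly named AutoHotKey run with a script stay silent.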
