How UNC6692 Orchestrated a Multi-Stage Attack Using Social Engineering and Custom Malware
Introduction
In a sophisticated campaign uncovered by the Google Threat Intelligence Group (GTIG), the threat actor known as UNC6692 demonstrated a chillingly effective blend of social engineering, custom malware, and browser-based attacks. This guide breaks down each phase of their operation, from the initial overwhelming email blast to the persistent foothold established via a malicious browser extension. Understanding these steps is crucial for security teams looking to defend against similar tactics used in modern intrusion campaigns.

What You Need
The components the threat actor needed to carry out this campaign:
- Access to a target organization’s email addresses (obtained through OSINT or prior reconnaissance).
- A Microsoft Teams account that could initiate external chat requests (often using a free or spoofed tenant).
- An AWS S3 bucket to host malicious payloads (in this case, in the us-west-2 region).
- A renamed AutoHotKey binary and an accompanying AutoHotKey script with the same filename (so the binary auto-loads the script).
- A custom Chromium extension named SNOWBELT (not available in the Chrome Web Store).
- Knowledge of Windows startup folders and scheduled task creation for persistence.
Step 1: Launch a Large Email Campaign to Distract and Overwhelm
In late December 2025, UNC6692 initiated their attack by sending a massive volume of emails to the target. This wasn’t a typical spam run—it was designed to create a sense of urgency and confusion. The recipient’s inbox was flooded, making it difficult to spot the real threat. This distraction is a classic social engineering technique: when employees are overwhelmed, they’re more likely to click a “fix” link offered by someone posing as IT support.
Step 2: Reach Out via Microsoft Teams as ‘Helpdesk’
Shortly after the email deluge, the victim received a Microsoft Teams chat invitation from an account outside the organization. The sender impersonated a helpdesk technician, claiming to assist with the email volume issue. This cross-platform approach is effective because Teams messages often feel more urgent and trusted than emails. The attacker’s message contained a link to “install a local patch” that would stop the email spamming.
Step 3: Trick the Victim into Clicking the Malicious Link
The link from the Teams message pointed to a URL like: https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=...
The HTML page presented a fake Microsoft Spam Filter Update interface. When the victim clicked, it triggered the download of two files: a renamed AutoHotKey executable and an AutoHotKey script, both sharing the same filename. The attacker knew that if the AutoHotKey binary and script are in the same directory with the same name, the binary will automatically execute the script without extra command-line arguments.
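The lure URL above has a recognizable shape: an S3 bucket name that borrows a brand word, an update-themed HTML page, and the recipient's address in the query string. The following added Python example (not part of the original report) flags URLs of that shape in proxy log lines; the log format and sample lines are constructed for the demonstration, and the keyword lists are assumptions to tune for your environment.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real telemetry): "<timestamp> <src_ip> <url>".
SAMPLE_LOG = """\
2025-12-29T10:01:02Z 10.0.0.12 https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=user@example.com
2025-12-29T10:01:05Z 10.0.0.12 https://www.microsoft.com/en-us/microsoft-365
2025-12-29T10:02:11Z 10.0.0.40 https://build-artifacts-ci.s3.eu-west-1.amazonaws.com/releases/app-1.2.3.tar.gz
2025-12-29T10:03:30Z 10.0.0.55 https://s3.us-east-1.amazonaws.com/patch-center-microsoft/spam-filter-update.html
"""

# Matches virtual-hosted-style (<bucket>.s3.<region>.amazonaws.com) and path-style
# (s3.<region>.amazonaws.com/<bucket>/...) S3 hostnames; the region part is optional.
S3_HOST = re.compile(r"^(?:(?P<bucket>.+?)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
# Assumed brand/helpdesk words a lure bucket borrows, and path words that mimic a patch page.
BRAND_WORDS = ("outlook", "microsoft", "office", "teams", "helpdesk", "support")
UPDATE_WORDS = ("update", "patch", "fix", "spam-filter")

def classify_url(url):
    """Return a reason string if the URL looks like an S3-hosted update lure, else None."""
    parsed = urlparse(url)
    m = S3_HOST.match(parsed.hostname or "")
    if not m:
        return None
    bucket, path = m.group("bucket"), parsed.path
    if bucket is None:  # path-style URL: the first path segment is the bucket name
        head, _, tail = path.lstrip("/").partition("/")
        bucket, path = head, "/" + tail
    reasons = []
    if any(w in bucket.lower() for w in BRAND_WORDS):
        reasons.append(f"bucket '{bucket}' borrows a brand/helpdesk word")
    if path.lower().endswith((".html", ".htm")) and any(w in path.lower() for w in UPDATE_WORDS):
        reasons.append(f"update-themed HTML page '{path}'")
    if "email=" in parsed.query.lower():
        reasons.append("recipient e-mail carried in the query string")
    return "; ".join(reasons) if reasons else None

def scan_log(text):
    """Return (timestamp, src_ip, url, reason) for every log line that is flagged."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, url = line.split(" ", 2)
        reason = classify_url(url)
        if reason:
            hits.append((ts, src, url, reason))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the first and last sample lines and leaves the legitimate Microsoft page and the CI artifact bucket alone.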
Step 4: Execute the AutoHotKey Script for Reconnaissance and Payload Delivery
Once downloaded, the AutoHotKey binary ran the script immediately. (Mandiant was unable to recover the original script, but telemetry showed it executed reconnaissance commands and delivered the SNOWBELT extension.) The script likely gathered system information and checked for the presence of Headless Edge—a Chromium process used by the attacker. It also installed the SNOWBELT browser extension into a Chromium-based browser (Edge) by loading it from a local path under %LOCALAPPDATA%\Microsoft\Edge\System Data.
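Because the interpreter auto-runs a script that shares its filename, a file-system sweep for that pairing is a cheap hunting check against what Steps 3 and 4 describe. This added Python example (not from the original report or from Mandiant) pairs every `<name>.ahk` with a sibling `<name>.exe` and confirms the executable carries an AutoHotkey marker string; it assumes the script keeps the .ahk extension and the binary the .exe extension, and the fixture directory it builds is constructed, not real malware.

```python
import tempfile
from pathlib import Path

# Marker strings AutoHotkey builds embed in their PE resources. Version-info strings
# are UTF-16LE, so both encodings are checked. This is a heuristic, not a signature.
AHK_MARKERS = [b"AutoHotkey", "AutoHotkey".encode("utf-16-le")]

def looks_like_autohotkey(exe_path, max_bytes=16 * 1024 * 1024):
    """True if the file carries an AutoHotkey marker string, whatever its file name."""
    with open(exe_path, "rb") as fh:
        data = fh.read(max_bytes)
    return any(marker in data for marker in AHK_MARKERS)

def find_ahk_sideload_pairs(directory):
    """Return sorted [(exe, script)] pairs where <name>.exe and <name>.ahk sit side by side
    and the .exe is an AutoHotkey interpreter, i.e. launching it auto-runs the script."""
    pairs = []
    for script in Path(directory).glob("*.ahk"):
        exe = script.with_suffix(".exe")  # assumption: binary keeps the .exe extension
        if exe.is_file() and looks_like_autohotkey(exe):
            pairs.append((str(exe), str(script)))
    return sorted(pairs)

def build_sample_dir():
    """Constructed fixture (not real malware): a fake 'update.exe' stub carrying the
    AutoHotkey marker, its sidecar 'update.ahk', plus benign files that must not match."""
    d = tempfile.mkdtemp(prefix="ahk-demo-")
    (Path(d) / "update.exe").write_bytes(b"MZ" + b"\0" * 64 + "AutoHotkey".encode("utf-16-le"))
    (Path(d) / "update.ahk").write_text("; placeholder script\n")
    (Path(d) / "tool.exe").write_bytes(b"MZ" + b"\0" * 64 + b"SomeOtherProduct")
    (Path(d) / "tool.ahk").write_text("; stray script next to a non-AutoHotkey binary\n")
    (Path(d) / "notes.ahk").write_text("; script with no sibling executable\n")
    return d

if __name__ == "__main__":
    for exe, script in find_ahk_sideload_pairs(build_sample_dir()):
        print("AutoHotkey sideload pair:", exe, "->", script)
```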

Step 5: Establish Persistence Through Startup Folder and Scheduled Task
To ensure SNOWBELT survived reboots, the attacker used two persistence mechanisms. First, a shortcut to an AutoHotKey script was added to the Windows Startup folder. Second, a scheduled task was created that ran the same script. The script itself included a check: if the scheduled task existed and was running, it would not launch Headless Edge again; otherwise, it would start the browser with the malicious extension. The code snippet from the recovered script shows:
```autohotkey
; Persistence guard from the recovered script (AutoHotkey v2 syntax).
; CheckHeadlessEdge() and FindAndRunTask() are defined elsewhere in the script.
if !CheckHeadlessEdge() {
    try {
        ; Connect to the Task Scheduler and look for the attacker's task in the root folder.
        taskService := ComObject("Schedule.Service")
        taskService.Connect()
        rootFolder := taskService.GetFolder("\")
        ; If the task exists and was started, wait and re-check before launching a second copy.
        if FindAndRunTask(rootFolder) {
            Sleep 10000
            if CheckHeadlessEdge() {
                ExitApp
            }
        }
    }
    ; Fallback: launch Headless Edge with the extension (full command elided in the source).
    Run 'cmd /c start ...'
}
```
This logic prevented duplicate instances and maintained a continuous backdoor.
Tips for Defending Against Such Attacks
- Educate employees about the danger of accepting unsolicited helpdesk contacts via Teams or other collaboration tools. Legitimate IT support will rarely initiate contact from an external account.
- Implement multi-factor authentication and restrict external Teams chat invitations to approved domains only.
- Monitor for unusual S3 bucket URLs in network logs, especially those that mimic software update pages.
- Use endpoint detection tools to flag AutoHotKey executions that occur shortly after browser downloads, as well as unexpected scheduled tasks in the root folder.
- Block sideloaded browser extensions by enforcing a policy that only allows extensions from the official Chrome Web Store or Edge Add-ons store.
- Conduct phishing simulations that include Teams-based attack vectors to test employee awareness.