The Snow Flurries Campaign: How UNC6692 Used Helpdesk Impersonation and Custom Malware to Breach Networks
In late 2025, a newly tracked threat group known as UNC6692 orchestrated a sophisticated intrusion campaign that combined persistent social engineering with a custom modular malware suite. The attackers impersonated IT helpdesk staff through Microsoft Teams, tricking a victim into installing a malicious toolset that included AutoHotKey scripts and a custom browser extension called SNOWBELT. This campaign demonstrates an evolution in tactics, leveraging trust in enterprise software and clever use of legitimate tools for malicious purposes. Below, we break down the key aspects of this threat.
Who is UNC6692 and what makes this threat group notable?
UNC6692 is a newly tracked threat group identified by the Google Threat Intelligence Group (GTIG) during a multistage intrusion campaign in late 2025. What makes them notable is their heavy reliance on social engineering combined with a custom modular malware suite. Unlike many attackers who use off-the-shelf tools, UNC6692 developed a malicious Chromium browser extension called SNOWBELT, which is not distributed through official stores. Their tactics also showcase an interesting evolution—blending impersonation of IT helpdesk personnel with automated scripts to achieve deep network penetration. The group’s ability to pivot inside the victim’s environment and maintain persistence through multiple mechanisms marks them as a sophisticated adversary.

How did UNC6692 socially engineer the victim into installing malware?
The attack began with a large email campaign designed to overwhelm the target with messages, creating urgency and distraction. Following this, the attacker sent a phishing message via Microsoft Teams, posing as helpdesk personnel offering assistance with the email volume. The victim was prompted to click a link to install a local patch that would prevent email spamming. This link led to an HTML page hosted on an attacker-controlled AWS S3 bucket, which triggered the download of a renamed AutoHotKey binary and script. By naming the binary the same as the script, the attackers ensured AutoHotKey automatically executed the malicious script without additional command-line arguments.
What role did AutoHotKey play in the infection chain?
AutoHotKey, a legitimate automation tool, was repurposed by UNC6692 as the initial execution vector. The renamed AutoHotKey binary and its accompanying script were downloaded from an AWS S3 bucket (URL: service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com). Because the binary and script shared the same name, AutoHotKey automatically ran the script when executed. Evidence shows AutoHotKey execution occurred immediately after download, leading to initial reconnaissance commands and the installation of the SNOWBELT browser extension. While Mandiant could not recover the initial script, its effects were clear: it launched a headless Edge browser to load the malicious extension and established persistence via Windows startup and scheduled tasks.
What is SNOWBELT and how does it achieve persistence?
SNOWBELT is a custom Chromium browser extension developed by UNC6692. Unlike typical browser extensions, it is not distributed through the Chrome Web Store, making it harder to detect. SNOWBELT establishes persistence through multiple methods. First, a shortcut to an AutoHotKey script is added to the Windows Startup folder. This script checks if the SNOWBELT extension is running and if a scheduled task exists. If not, it launches a headless Edge browser with the extension loaded using specific command-line arguments: --user-data-dir and --load-extension. The scheduled task acts as a backup persistence mechanism. This layered approach ensures the extension remains active even if one method fails.

What are the key indicators of compromise (IOCs) from this campaign?
Key IOCs include the AWS S3 bucket URL: service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com, which hosted the malicious HTML page (“Microsoft Spam Filter Updates”). The downloaded files included a renamed AutoHotKey binary and script, both with the same name. Execution of AutoHotKey led to the installation of the SNOWBELT extension, which uses the folder path %LOCALAPPDATA%\Microsoft\Edge\System Data for its user data directory. Network defenders should monitor for unusual AutoHotKey processes, headless Edge browser instances with non-standard flags, and outbound connections to unknown domains associated with the extension. Additionally, any unexpected scheduled tasks or startup shortcuts referencing AutoHotKey scripts should be investigated.
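As an added example, not code from the report or from GTIG/Mandiant, the following Python triage routine turns the persistence mechanics and the monitoring points above into three checks run over process-creation records: a renamed AutoHotKey binary, a headless Edge instance sideloading an extension or using the System Data user-data directory, and a scheduled-task command that references an .ahk script. The record field names, the sample paths and the assumption that AutoHotKey's PE OriginalFilename reads "AutoHotkey.exe" are mine; the events are constructed, not telemetry from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Folder the report names as SNOWBELT's Edge user-data directory (under %LOCALAPPDATA%).
SNOWBELT_DATA_DIR = r"\microsoft\edge\system data"

def parse_cmdline_flags(cmdline):
    """Return {flag: value} for --flag, --flag=value and --flag="quoted value" tokens."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or "")
            for m in re.finditer(r'--([\w-]+)(?:="([^"]*)"|=(\S+))?', cmdline)}

def classify(event):
    """Return the alert tags that apply to one process-creation record."""
    tags = []
    image = PureWindowsPath(event["image"]).name.lower()
    original = event.get("original_name", "").lower()   # PE OriginalFilename (assumed field)
    flags = parse_cmdline_flags(event["cmdline"])
    # Rule 1: AutoHotKey running under a different file name than its PE metadata.
    if original.startswith("autohotkey") and image != original:
        tags.append("renamed-autohotkey")
    # Rule 2: headless Edge loading an unpacked extension, or Edge started with the
    # user-data directory the report attributes to SNOWBELT.
    if image == "msedge.exe":
        if "headless" in flags and "load-extension" in flags:
            tags.append("headless-edge-sideload")
        if flags.get("user-data-dir", "").lower().endswith(SNOWBELT_DATA_DIR):
            tags.append("snowbelt-user-data-dir")
    # Rule 3: task-scheduler command line that references an AutoHotKey script.
    if image == "schtasks.exe" and ".ahk" in event["cmdline"].lower():
        tags.append("ahk-persistence-command")
    return tags

def scan(events):
    """Return (image, tags) for every record that triggers at least one rule."""
    return [(e["image"], classify(e)) for e in events if classify(e)]

# Constructed sample records; paths and names are illustrative only.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\Downloads\SpamFilterUpdate.exe", "original_name": "AutoHotkey.exe",
     "cmdline": r'"C:\Users\u\Downloads\SpamFilterUpdate.exe"'},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "original_name": "msedge.exe",
     "cmdline": r'msedge.exe --headless --user-data-dir="C:\Users\u\AppData\Local\Microsoft\Edge\System Data"'
                r' --load-extension="C:\Users\u\AppData\Local\Microsoft\Edge\System Data\ext"'},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "original_name": "msedge.exe",
     "cmdline": r"msedge.exe --profile-directory=Default"},
    {"image": r"C:\Windows\System32\schtasks.exe", "original_name": "schtasks.exe",
     "cmdline": r'schtasks /create /tn "EdgeCheck" /tr "C:\Users\u\AppData\Roaming\update.ahk" /sc minute'},
]

if __name__ == "__main__":
    for image, tags in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(tags))
```

Only the third record (an ordinary Edge launch) comes back clean; in production the same rules would be fed from EDR or Sysmon process-creation events rather than the inline list.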
How can organizations defend against similar social engineering and malware attacks?
Organizations should implement multi-factor authentication and strict policies for external communications, especially via collaboration tools like Microsoft Teams. Train employees to verify IT helpdesk requests through separate channels, as attackers often impersonate trusted roles. Deploy endpoint detection and response (EDR) solutions that can flag unusual AutoHotKey usage or headless browser instances. Blocking execution of AutoHotKey for non-administrative users and monitoring for scheduled tasks with suspicious command lines can also help. Additionally, use browser extension management policies to prevent sideloaded extensions. Regularly review startup folders and task scheduler for unauthorized entries. This layered defense reduces the risk of falling victim to advanced social engineering and custom malware suites.