New Threat Group UNC6692 Targets Enterprises via Helpdesk Impersonation and Custom Malware
A newly tracked threat group, UNC6692, has been identified in a multi-stage intrusion campaign that leverages persistent social engineering, a custom modular malware suite, and deep network penetration, according to the Google Threat Intelligence Group (GTIG). The attackers impersonated IT helpdesk employees via Microsoft Teams, convincing victims to accept chat invitations from external accounts, then deploying a custom malware suite that includes a malicious browser extension called SNOWBELT.

Infection Chain
In late December 2025, UNC6692 launched a large email campaign to overwhelm targets with messages, creating urgency and distraction. The attackers then sent a phishing message via Microsoft Teams, posing as helpdesk staff offering assistance with the email volume.
The victim was prompted to click a link to install a 'local patch' to stop email spamming. Clicking the link opened an HTML page that downloaded a renamed AutoHotKey binary and script from a threat actor-controlled AWS S3 bucket. Because the binary shares the same name as the script in its directory, AutoHotKey automatically executed the script without extra commands.
Evidence of AutoHotKey execution was recorded immediately following the download, leading to initial reconnaissance commands and installation of SNOWBELT, a malicious Chromium browser extension not distributed through the Chrome Web Store. Mandiant was unable to recover the initial AutoHotKey script.
Persistence and Custom Malware
SNOWBELT established persistence through multiple methods. A shortcut to an AutoHotKey script was added to the Windows Startup folder, and a scheduled task was created. The script checks if a headless Edge browser is running; if not, it launches a fresh instance with the extension loaded.
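As an added illustration, not code from GTIG's report, the Python routine below applies the two host indicators described above to constructed Sysmon-style process-creation records: a renamed AutoHotKey interpreter (recognised via the PE's OriginalFileName) sitting next to a same-named .ahk script, and a headless Edge launch that sideloads an extension with --load-extension. The SiblingFiles field is an assumed enrichment (a directory listing attached to each event), not a native Sysmon field.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (not real telemetry),
# modelled on the behaviours described in the article: a renamed AutoHotKey
# binary auto-running a same-named script, and a headless Edge instance
# started with a sideloaded extension. SiblingFiles is an assumed enrichment.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\patch\update.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\patch\update.exe"',
     "SiblingFiles": ["update.exe", "update.ahk"]},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'"msedge.exe" --headless --load-extension="C:\Users\alice\AppData\Local\ext"',
     "SiblingFiles": []},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'"msedge.exe" https://intranet.example',
     "SiblingFiles": []},
]

def flags_for(event):
    """Return a list of human-readable detection reasons for one event."""
    reasons = []
    image = PureWindowsPath(event["Image"])
    original = event.get("OriginalFileName", "")
    cmd = event.get("CommandLine", "").lower()
    # 1. AutoHotKey interpreter whose on-disk name no longer matches the
    #    PE's OriginalFileName, i.e. a renamed copy dropped by the user.
    if original.lower() == "autohotkey.exe" and image.name.lower() != original.lower():
        reasons.append(f"renamed AutoHotKey binary: {image.name} (orig {original})")
        # AutoHotKey auto-runs <binary stem>.ahk from its own directory when
        # started without a script argument, so look for that sibling file.
        twin = image.stem.lower() + ".ahk"
        if twin in (f.lower() for f in event.get("SiblingFiles", [])):
            reasons.append(f"same-named script beside binary: {twin}")
    # 2. Edge started headless with a sideloaded (non-store) extension.
    if image.name.lower() == "msedge.exe" and "--headless" in cmd and "--load-extension" in cmd:
        reasons.append("headless Edge launched with --load-extension")
    return reasons

def scan(events):
    """Map each event index to its reasons, keeping only flagged events."""
    return {i: r for i, e in enumerate(events) if (r := flags_for(e))}

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```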
This campaign demonstrates an evolution in tactics, exploiting inherent trust in enterprise software. 'UNC6692's use of social engineering, custom malware, and a malicious browser extension shows a sophisticated approach to bypassing traditional defenses,' said JP Glab, a threat analyst at GTIG.

Background
UNC6692 is a newly tracked threat group, and this campaign marks its first known operation. The attack aligns with a broader trend of attackers impersonating IT support to trick employees into installing malware. Similar incidents have been reported by other security firms in 2025, but UNC6692's custom toolkit and focus on browser extensions set it apart.
The group's reliance on AutoHotKey, a legitimate Windows automation tool, lets its scripts blend in with ordinary automation activity and so evade detection. The malicious extension SNOWBELT is loaded in a headless Edge browser session, making it harder for users to notice.
What This Means
Enterprises face an urgent need to strengthen verification processes for remote helpdesk interactions. 'Organizations should implement strict policies for accepting external Teams invitations and provide security awareness training that specifically addresses social engineering via collaboration platforms,' advised Tufail Ahmed, a senior threat researcher at GTIG.
This attack also highlights the risk of allowing AutoHotKey execution. Security teams should monitor for unusual AutoHotKey usage and consider restricting its deployment. The use of browser extensions as a malware vector suggests that organizations should enforce allowlisting for extensions and monitor for sideloaded add-ons.
In the long term, understanding UNC6692's tactics will help improve defenses against similar threats. The campaign serves as a reminder that social engineering remains a primary attack vector, and technical controls alone are insufficient without user vigilance.