391043 Stack

Step-by-Step: How UNC6692 Used Social Engineering to Deploy Custom Malware

Last updated: 2026-05-07 23:15:34 | Level: Intermediate

Introduction

In late December 2025, Google Threat Intelligence Group (GTIG) identified an intrusion campaign by a previously untracked threat actor, UNC6692. The group combined persistent social engineering with a custom modular malware suite and lateral movement inside the victim network. Initial access relied on impersonating IT helpdesk staff and getting a victim to accept a Microsoft Teams chat request from an account outside the organization. This guide walks through the steps UNC6692 followed, from the opening distraction to persistence, so that defenders can see where each stage is observable. All facts are taken from the original GTIG report.

Source: www.mandiant.com

What You Need (Attacker Perspective)

  • Microsoft Teams account outside the target organization (any tenant)
  • AWS S3 bucket in us-west-2 region (or other) to host malicious files
  • AutoHotKey binary, renamed so that its base name matches the script file
  • An AutoHotKey script that performs reconnaissance and deploys secondary payloads
  • SNOWBELT malicious Chromium browser extension (not from Chrome Web Store)
  • Scheduled Task creation capability (via AutoHotKey or script)
  • HTML page that initiates the download chain (hosted on S3)
  • Large email campaign infrastructure (to send overwhelming volume of messages)

Step-by-Step Attack Execution

  1. Step 1: Launch an Overwhelming Email Campaign
    The attackers began by sending a massive volume of emails to the target organization. This barrage was designed to flood the victim's inbox, creating a sense of panic, urgency, and distraction. The goal was to make the victim more likely to accept help when contacted later.
  2. Step 2: Impersonate IT Helpdesk via Microsoft Teams
    After the email flood, UNC6692 sent a phishing message through Microsoft Teams. The message appeared to come from the company's helpdesk, offering assistance to reduce the email volume. The chat request came from an account outside the victim's organization, but the impersonation was convincing enough to gain trust.
  3. Step 3: Direct the Victim to a Malicious Link
    The Teams message contained a link that the victim was prompted to click to install a "local patch" to prevent further email spamming. The link pointed to a URL like https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=... with a description: "Microsoft Spam Filter Updates | Install the local patch to protect your account from email spamming." This URL was hosted on a threat actor-controlled AWS S3 bucket.
  4. Step 4: Deliver the Payload via Downloaded Files
    When the victim clicked the link, their browser opened the HTML page, which triggered the download of two files from the same S3 bucket: a renamed AutoHotKey binary and an AutoHotKey script. Critically, both files shared the same name. This is because AutoHotKey automatically runs a script in the current directory if the binary is named identically—no additional command-line arguments are needed. Evidence of AutoHotKey execution was recorded immediately after the downloads.
  5. Step 5: Execute Reconnaissance and Install SNOWBELT
    The AutoHotKey script performed initial reconnaissance commands (exact commands not recovered) and installed the SNOWBELT malicious Chromium browser extension. This extension was not distributed through the Chrome Web Store but loaded directly from the local file system. SNOWBELT allowed the attacker to intercept browser activity, steal credentials, or perform man-in-the-browser attacks.
  6. Step 6: Establish Persistence
    The attackers ensured SNOWBELT survived reboots using two methods: a shortcut to the AutoHotKey script was added to the Windows Startup folder, and a scheduled task was created. The AutoHotKey script checked for the scheduled task and, if it found it, verified that SNOWBELT was still running. If the extension was active, the script would exit; otherwise, it would restart the headless Edge browser instance. The scheduled task command used: cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft\..."

Tips for Defenders

  • Verify all helpdesk contacts: Train employees to independently verify any unsolicited IT support requests, especially those coming from external Microsoft Teams accounts. Encourage a policy of calling the helpdesk directly if in doubt.
  • Monitor for unusual email volume: Alert on sudden spikes of inbound mail to a single recipient, not just on total gateway volume. A few hundred messages to one mailbox inside minutes is the signature of an email bomb used as a distraction, and it precedes the Teams contact by design.
  • Block external Teams chats by default: Configure Microsoft Teams to block chat invitations from outside your organization unless explicitly approved. This reduces the attack surface.
  • Watch for brand-impersonating S3 buckets in proxy and DNS logs: The lure was served from a bucket whose name embedded "outlook" so that the amazonaws.com hostname looked Microsoft-related. Flag downloads of HTML, executables or scripts from *.s3.*.amazonaws.com buckets whose names contain your vendors' brand words, and treat a query string carrying an email address as a sign of a per-target lure.
  • Audit AutoHotKey usage: Restrict or monitor execution of AutoHotKey, especially copies not installed through standard software channels. Because the binary was renamed, match on signature, hash or the PE original file name rather than on the file name, and use application allow-listing (AppLocker or WDAC) to block unknown executables in user-writable paths such as Downloads.
  • Check startup folder and scheduled tasks: Regularly review Windows startup items and scheduled tasks for suspicious entries, such as ones pointing to headless browser executables or non-standard extension folders.
  • Log browser command lines: Process-creation telemetry with command-line capture (Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled) records --load-extension, --headless and non-default --user-data-dir values, which is how a locally loaded extension becomes visible. Alert on these flags in your SIEM, and extend the same check to the actions of newly created scheduled tasks.
  • Conduct social engineering drills: Regularly test employees with simulated phishing and vishing attacks to build resilience against impersonation tactics.
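Two of the tips above are easy to turn into log checks: a per-recipient inbound-mail spike detector for the email bomb, and a proxy-log rule for downloads from S3 buckets whose names borrow a brand word. The code below is an added example for this page, not GTIG's or anyone else's detection content. The bucket hostname is the one quoted in Step 3; the user names, timestamps, file names, email value and the brand-word list are assumptions, and the mail log is generated inline to stand in for gateway records.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Virtual-hosted S3 hostnames: <bucket>.s3.<region>.amazonaws.com, <bucket>.s3.amazonaws.com
# and the legacy <bucket>.s3-<region>.amazonaws.com form.
S3_HOST_RE = re.compile(r"^(?P<bucket>[a-z0-9][a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Brand words that have no business in a bucket users fetch executables from.
# The list is an assumption to tune per environment.
BRAND_TOKENS = ("microsoft", "outlook", "office", "teams", "sharepoint", "helpdesk")

# Constructed proxy log rows (timestamp, user, url); not real traffic.
BUCKET = "service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com"
PROXY_LOG = [
    ("2025-12-18T09:14:02Z", "jdoe", f"https://{BUCKET}/update.html?email=jdoe%40example.com"),
    ("2025-12-18T09:14:05Z", "jdoe", f"https://{BUCKET}/update.exe"),
    ("2025-12-18T09:14:05Z", "jdoe", f"https://{BUCKET}/update.ahk"),
    ("2025-12-18T09:20:00Z", "asmith", "https://my-build-artifacts.s3.eu-west-1.amazonaws.com/report.pdf"),
    ("2025-12-18T09:21:00Z", "asmith", "https://outlook.office.com/mail/"),
]


def s3_lure_findings(rows):
    """Flag requests to S3 buckets whose names carry a brand token, and note whether
    the URL embeds an e-mail address (a per-target lure, as in Step 3)."""
    hits = []
    for _ts, user, url in rows:
        parts = urlsplit(url)
        m = S3_HOST_RE.match(parts.hostname or "")
        if not m:
            continue
        bucket = m.group("bucket")
        brand = next((t for t in BRAND_TOKENS if t in bucket), None)
        if brand is None:
            continue
        values = [v for vs in parse_qs(parts.query).values() for v in vs]
        hits.append({"user": user, "bucket": bucket, "brand_token": brand,
                     "path": parts.path,
                     "personalised_lure": any(EMAIL_RE.fullmatch(v) for v in values)})
    return hits


def constructed_mail_log():
    """Inbound gateway records (time, recipient): a normal trickle for two users, then
    a few hundred messages to one mailbox inside ten minutes (the Step 1 bomb)."""
    base = datetime(2025, 12, 18, 8, 0)
    rows = [(base + timedelta(minutes=7 * i), "asmith@example.com") for i in range(12)]
    rows += [(base + timedelta(minutes=6 * i), "jdoe@example.com") for i in range(12)]
    rows += [(base + timedelta(minutes=60, seconds=2 * i), "jdoe@example.com") for i in range(300)]
    return sorted(rows)


def inbound_spikes(rows, window=timedelta(minutes=10), threshold=100):
    """Peak count of inbound messages per recipient inside any sliding window;
    recipients at or above the threshold are returned with the peak window's start."""
    by_rcpt = defaultdict(list)
    for ts, rcpt in rows:
        by_rcpt[rcpt.lower()].append(ts)
    spikes = {}
    for rcpt, times in by_rcpt.items():
        times.sort()
        start, peak, peak_start = 0, 0, None
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > peak:
                peak, peak_start = end - start + 1, times[start]
        if peak >= threshold:
            spikes[rcpt] = {"peak_count": peak, "window_start": peak_start}
    return spikes


MAIL_LOG = constructed_mail_log()

if __name__ == "__main__":
    for hit in s3_lure_findings(PROXY_LOG):
        print(hit)
    print(inbound_spikes(MAIL_LOG))
```

The bucket rule deliberately matches the bucket name rather than the full hostname, because the attacker picks the name and the amazonaws.com suffix is what lends the link credibility. The spike detector counts per recipient so that one flooded mailbox stands out even when gateway-wide volume looks normal; the window and threshold are starting points to tune against your own baseline.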