Anatomy of a Social Engineering Attack: How UNC6692 Deployed Custom Malware via Helpdesk Impersonation

From Stripgay, the free encyclopedia of technology

Introduction

In late December 2025, Google Threat Intelligence Group (GTIG) uncovered a sophisticated multi-stage intrusion campaign by a newly tracked threat actor, UNC6692. The attackers leveraged persistent social engineering, a custom modular malware suite, and deft lateral movement within the victim’s environment to achieve deep network compromise. This guide breaks down the exact steps the attackers followed—from initial reconnaissance to persistent access—to help security professionals understand and defend against similar threats. The campaign notably relied on impersonating IT helpdesk employees via Microsoft Teams, overwhelming the target with emails, then deploying a remote access browser extension disguised as a security patch.

Anatomy of a Social Engineering Attack: How UNC6692 Deployed Custom Malware via Helpdesk Impersonation
Source: www.mandiant.com

What You Need

  • Target list: Pre-identified organization with employee email addresses.
  • Microsoft Teams account: An external account (outside target’s tenant) for sending chat invitations.
  • AWS S3 bucket: Publicly accessible bucket configured for static website hosting.
  • AutoHotkey binary and script: A renamed AHK executable and a companion script (same name) to enable automatic execution.
  • Custom malware suite: Including SNOWBELT (a malicious Chromium browser extension) and reconnaissance payloads.
  • Phishing HTML page: A fake “Microsoft Spam Filter Updates” page hosted in the S3 bucket.
  • Command and control (C2) infrastructure: Servers to receive beaconing and exfiltrated data.

Step-by-Step Guide

Step 1: Overwhelm the Target with a Large Email Campaign

UNC6692 began by flooding the victim’s inbox with a high volume of emails over a short period. This served two purposes: it created a sense of urgency and distraction, and it provided a plausible pretext for the subsequent social engineering call. The emails appeared legitimate and were crafted to confuse the recipient about their origin. Ensure the email campaign is large enough that the target feels overwhelmed but not so noisy that it triggers automated security alerts.

Step 2: Initiate Contact via Microsoft Teams Posing as Helpdesk

Shortly after the email flood, the attacker sent a Microsoft Teams chat invitation from an account outside the target’s organization. The attacker impersonated an IT helpdesk employee, offering to assist with the “spam issue” caused by the email influx. The message instructed the victim to click a link to install a local patch that would prevent further spamming. The link pointed to the attacker-controlled AWS S3 bucket.

Step 3: Deliver the Phishing Link and Initiate Download

The malicious link opened an HTML page (e.g., https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=target@company.com) that displayed a fake “Microsoft Spam Filter Updates” page and prompted the user to download a “local patch”. Behind the scenes, the page served a renamed AutoHotkey binary and an AHK script with the same base name from the same S3 bucket. The pairing matters because an AutoHotkey executable launched without arguments looks in its own directory for a script with its own base name and a .ahk extension and runs it, so opening the renamed binary is enough to run the script.

Step 4: Execute the AutoHotkey Script for Initial Reconnaissance

Once the victim runs the downloaded executable (clicking through browser warnings), AutoHotkey launches the bundled script. The script performs initial reconnaissance commands (e.g., listing processes and network connections) and then installs the SNOWBELT malicious browser extension. The script also writes a shortcut to the Windows Startup folder and creates a scheduled task to maintain persistence.


Step 5: Install the SNOWBELT Malicious Browser Extension

SNOWBELT is a Chromium browser extension not distributed via the Chrome Web Store. The script loads it into the victim’s Edge or Chrome browser by using a command like:

    cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft\..."

This launches a headless browser instance with the extension loaded, allowing the attacker to monitor and intercept browser traffic, steal credentials, and interact with web applications as the victim.

Step 6: Establish Persistence via Startup and Scheduled Tasks

The AutoHotkey script creates two persistence mechanisms. First, it adds a shortcut to itself to the Windows Startup folder, so the script runs at every user login. Second, it registers a scheduled task that launches the headless Edge browser with the SNOWBELT extension, using the Task Scheduler COM interface (taskService:=ComObject("Schedule.Service") in AHK v2 syntax). The script checks whether the extension is already running under the scheduled task and, if not, launches a new instance.

Step 7: Pivot and Escalate Access

With the browser extension in place, the attacker gains persistent visibility into the victim’s online activities. They can harvest session cookies, login credentials, and MFA tokens from web applications. Using this data, the attacker pivots to other systems within the network, moving laterally to achieve deep penetration. The custom modular malware suite allows the attacker to deploy additional payloads as needed.

Tips for Defenders

  • Educate employees about external Teams invitations and helpdesk impersonation. Verify requests through a secondary channel.
  • Implement tenant restrictions to block Teams chats from external accounts by default.
  • Monitor for unusual S3 bucket downloads and block access to known malicious cloud storage domains.
  • Restrict Windows Startup folder modifications and scheduled task creation using Group Policy or EDR rules.
  • Deploy browser extension policies to block sideloaded extensions not from the official store.
  • Inspect AutoHotkey usage: the interpreter has legitimate uses but is frequently abused for initial access, so harden execution policies around it.
  • Enable multi-factor authentication (MFA) with device attestation to mitigate session hijacking via browser extensions.
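As an added example that is not part of the original article or Mandiant's reporting, the detection logic below runs over constructed Sysmon-style process-creation events and flags the host artifacts from Steps 4 to 6 that the monitoring tips above point at: a renamed AutoHotkey interpreter (spotted through the OriginalFileName field, assuming it carries the PE version-resource name), and a headless Edge or Chrome launched with --load-extension and a profile directory other than the default “User Data”. The sample paths, file names and extension directory are made up.

```python
import json
import re

# Constructed Sysmon-style process-creation events (Event ID 1), one JSON object per line. Paths are
# made up; OriginalFileName comes from the PE version resource, so a renamed AutoHotkey still shows it.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Users\\alice\\Downloads\\SpamFilterUpdate.exe", "OriginalFileName": "AutoHotkey.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Users\\alice\\Downloads\\SpamFilterUpdate.exe\""}
{"Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "OriginalFileName": "msedge.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --user-data-dir=\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\System Data\" --headless=new --load-extension=\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\ext\""}
{"Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "OriginalFileName": "msedge.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default"}
'''

CHROMIUM_IMAGES = {"msedge.exe", "chrome.exe"}
# Matches --name, --name=value and --name="value with spaces".
FLAG_RE = re.compile(r'--([a-z-]+)(?:=("([^"]*)"|\S+))?')

def parse_flags(cmdline):
    """Return {switch: value} for Chromium-style switches; value is None for bare switches."""
    flags = {}
    for m in FLAG_RE.finditer(cmdline):
        flags[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return flags

def analyze(event):
    """Return finding strings for one process-creation event."""
    findings = []
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    # Step 3/4 artifact: the AutoHotkey interpreter running under another file name.
    if original.startswith("autohotkey") and image_name != original:
        findings.append("renamed AutoHotkey interpreter: " + event["Image"])
    if image_name in CHROMIUM_IMAGES:
        flags = parse_flags(event["CommandLine"])
        # Step 5 artifact: headless browser with an extension loaded from disk.
        if "headless" in flags and "load-extension" in flags:
            findings.append("headless browser sideloading extension from " + str(flags["load-extension"]))
        # Edge and Chrome keep their normal profiles under "...\User Data"; any other
        # --user-data-dir deserves a look (custom dirs can be legitimate, so tune locally).
        user_data_dir = flags.get("user-data-dir") or ""
        if user_data_dir and not user_data_dir.lower().endswith("\\user data"):
            findings.append("non-default user-data-dir: " + user_data_dir)
    return findings

def scan(jsonl):
    """Run analyze() over JSON lines; return (process name, finding) pairs."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        for finding in analyze(event):
            alerts.append((event["Image"].rsplit("\\", 1)[-1], finding))
    return alerts
```

Calling scan(SAMPLE_EVENTS) yields three alerts: the renamed interpreter, the headless sideload, and the non-default profile directory; the benign Edge launch on the last line produces none.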