How UNC6692 Compromised Networks: A Step-by-Step Breakdown of Their Social Engineering Attack

Introduction

In late December 2025, the Google Threat Intelligence Group (GTIG) uncovered a sophisticated multi-stage intrusion campaign orchestrated by a newly identified threat group, UNC6692. This group employed persistent social engineering, a custom modular malware suite, and strategic lateral movement to achieve deep network penetration. Their approach heavily relied on impersonating IT helpdesk staff, convincing victims to accept Microsoft Teams chat invitations from external accounts. The campaign stands out for its evolution in tactics, blending social engineering, custom malware, and a malicious browser extension to exploit the victim's trust in enterprise software providers. This guide breaks down the attack into actionable steps, helping security professionals understand and defend against such threats.

How UNC6692 Compromised Networks: A Step-by-Step Breakdown of Their Social Engineering Attack
Source: www.mandiant.com

Step-by-Step Guide

Step 1: Overwhelm the Target with Emails

UNC6692 initiated the attack by launching a large-scale email campaign directed at the victim. The goal was to flood the target's inbox with numerous messages, creating a sense of urgency and distraction. This flooding tactic made the victim more susceptible to the social engineering that followed. The email content likely varied but focused on spam or security alerts, giving the attacker a pretext to offer 'help'.

Step 2: Impersonate Helpdesk via Microsoft Teams

Following the email deluge, the attacker sent a phishing message through Microsoft Teams. They posed as a helpdesk staff member offering assistance with the high email volume. The message included a link that appeared legitimate, claiming to install a 'local patch' to prevent email spamming. The key here was exploiting the victim's trust in a known communication platform and the urgency created by the previous step.

Step 3: Lure the Victim to Click the Malicious Link

The Teams message contained a URL pointing to a threat-actor-controlled AWS S3 bucket: https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html. The page was disguised as a Microsoft Spam Filter Update, with a description like 'Install the local patch to protect your account from email spamming.' Upon clicking, the browser opened the HTML page, which ultimately triggered the download of two files: a renamed AutoHotKey binary and an AutoHotKey script, both sharing the same filename.

Step 4: Deploy AutoHotKey Binary and Script

The downloaded files included a renamed AutoHotKey executable (e.g., named something like 'update.exe') and a corresponding .ahk script with the same base name. The attacker deliberately used identical names because the AutoHotKey runtime automatically runs a script with the same base name if one exists in the current directory, without needing additional command-line arguments. This design allowed the script to execute as soon as the victim ran the binary.
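A defender can turn the same-name convention into a cheap triage check: scan a download or temp directory for .exe/.ahk pairs sharing a base name and test whether the executable looks like a renamed AutoHotKey runtime. This is an added example, not code from the original article or from Mandiant; the product-name marker check is a heuristic assumption, not a definitive identification.

```python
import os
from collections import defaultdict

# Assumption: the AutoHotKey runtime carries its product name in its version
# resource (UTF-16LE) and often as plain ASCII; either hit is treated as a match.
AHK_MARKERS = (b"AutoHotkey", "AutoHotkey".encode("utf-16-le"))


def looks_like_autohotkey(path):
    """Heuristic: does the file contain an AutoHotKey product-name marker?"""
    with open(path, "rb") as f:
        data = f.read()
    return any(m in data for m in AHK_MARKERS)


def find_same_name_ahk_pairs(directory):
    """Return {base_name: {"exe": path, "ahk": path, "runtime_marker": bool}}
    for every .exe that has an .ahk sibling with the same base name."""
    by_stem = defaultdict(dict)
    for name in os.listdir(directory):
        stem, ext = os.path.splitext(name)
        if ext.lower() in (".exe", ".ahk"):
            by_stem[stem.lower()][ext.lower()] = os.path.join(directory, name)
    findings = {}
    for stem, files in by_stem.items():
        if ".exe" in files and ".ahk" in files:
            findings[stem] = {
                "exe": files[".exe"],
                "ahk": files[".ahk"],
                "runtime_marker": looks_like_autohotkey(files[".exe"]),
            }
    return findings


def build_sample_dir(directory):
    """Constructed sample: a renamed runtime plus script, and an unrelated installer."""
    with open(os.path.join(directory, "update.exe"), "wb") as f:
        f.write(b"MZ\x90\x00" + "AutoHotkey".encode("utf-16-le") + b"\x00" * 16)
    with open(os.path.join(directory, "update.ahk"), "w") as f:
        f.write("; constructed placeholder script\n")
    with open(os.path.join(directory, "setup.exe"), "wb") as f:
        f.write(b"MZ\x90\x00" + b"\x00" * 32)
    return directory
```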

Step 5: Execute Initial Reconnaissance Commands

Once the AutoHotKey binary executed, it automatically launched the accompanying script. Evidence from forensic logs showed immediate reconnaissance commands run via AutoHotKey, such as gathering system information, checking running processes, and identifying active users. Although Mandiant could not recover the initial script, its purpose was to lay groundwork for the next stage: installing the malicious browser extension.

Step 6: Install the SNOWBELT Chromium Extension

The AutoHotKey script then proceeded to install SNOWBELT, a malicious Chromium browser extension. The extension was not distributed through the Chrome Web Store; it was side-loaded as an unpacked extension from local files. It was designed to intercept browser traffic, steal credentials, and potentially manipulate web sessions. The script created a Chrome/Edge profile with special startup flags (--load-extension) so that the extension was loaded whenever that profile launched.

Step 7: Establish Persistence via Startup and Scheduled Tasks

To ensure SNOWBELT remained active even after reboots, the attacker used two persistence methods. First, a shortcut to the AutoHotKey script was added to the Windows Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup). Second, a scheduled task was created that checked for the presence of a headless Edge browser running with the extension. If the task found the headless instance missing, it would restart it using a command like: cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft ...". Because the browser ran headless under a non-default profile directory, it was invisible to the user, and the dual persistence made removal more difficult.
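The launch command in Step 7 is a good detection source: process-creation telemetry (Sysmon Event ID 1 or Windows 4688 command lines) can be scored for a Chromium-family browser started headless, with --load-extension, or with a profile directory outside the stock location. The example below is added here and is not code from the article or from Mandiant; the sample command lines are constructed, and treating any user-data-dir that does not end in "User Data" as non-default is an assumption about the stock Edge/Chrome layout.

```python
import re

# Constructed sample command lines in the shape a process-creation event would carry.
SAMPLE_CMDLINES = [
    r'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
    r'--user-data-dir="C:\Users\alice\AppData\Local\Microsoft\Edge\System Data" '
    r'--headless=new --load-extension="C:\Users\alice\AppData\Local\Microsoft\ext"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new '
    r'--dump-dom https://intranet.example/',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\dev\myext',
    r'C:\Users\alice\Downloads\update.exe',
]

# A token is a run of non-space text where double-quoted segments may contain spaces.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
BROWSERS = ("msedge.exe", "chrome.exe", "chromium.exe", "brave.exe")


def parse_cmdline(cmdline):
    """Split a Windows command line into unquoted tokens and a dict of --flag=value."""
    tokens = [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]
    flags = {}
    for t in tokens:
        if t.startswith("--"):
            name, _, value = t[2:].partition("=")
            flags[name.lower()] = value
    return tokens, flags


def assess_browser_launch(cmdline):
    """Return (severity, reasons) for a Chromium-family launch, or None otherwise."""
    tokens, flags = parse_cmdline(cmdline)
    if not any(t.lower().endswith(BROWSERS) for t in tokens):
        return None
    reasons = []
    if "load-extension" in flags:
        reasons.append("unpacked extension loaded from disk: " + flags["load-extension"])
    if "headless" in flags:
        reasons.append("headless launch")
    udd = flags.get("user-data-dir", "")
    # Assumption: stock profiles live under a folder named "User Data".
    if udd and not udd.lower().rstrip("\\").endswith("\\user data"):
        reasons.append("non-default user-data-dir: " + udd)
    if "load-extension" in flags and ("headless" in flags or udd):
        return "high", reasons        # the combination seen in this campaign
    if "load-extension" in flags:
        return "medium", reasons      # developers do this, but it warrants a look
    return ("low" if reasons else "none"), reasons
```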
