UNC6692 Cyber Espionage: How Fake IT Support Delivered Custom Malware via Teams
December 2025 — A newly tracked threat group, UNC6692, has been identified by Google Threat Intelligence Group (GTIG) in a multistage intrusion campaign that combined persistent social engineering, a custom modular malware suite, and agile lateral movement to achieve deep network penetration. The attack began with an orchestrated email flood to overwhelm the victim, followed by a Microsoft Teams phishing message from a fake IT helpdesk.
“UNC6692’s use of social engineering to impersonate IT support and deliver a malicious browser extension marks a significant evolution in cyber intrusion tactics,” said a GTIG analyst familiar with the investigation. The group exploited inherent trust in enterprise software providers, convincing the target to install what appeared to be a spam filter patch.
Infection Chain
The victim received a Microsoft Teams invitation from an external account. The attacker posed as helpdesk personnel offering assistance with the email overload. The victim was prompted to click a link to download a local patch. This link led to an HTML page hosted on a threat actor-controlled AWS S3 bucket: service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html.

This page initiated a download of a renamed AutoHotKey interpreter together with a companion AutoHotKey script that shared its base name. When AutoHotKey is launched without arguments it looks in its own directory for a script with the same base name and a .ahk extension and runs it, so the attacker needed no command-line arguments and no visible script invocation. Execution triggered immediate reconnaissance commands and the installation of SNOWBELT, a malicious Chromium browser extension that was sideloaded from disk rather than distributed through the Chrome Web Store.
Persistence Mechanism
SNOWBELT persistence was achieved through multiple methods. The AutoHotKey script added a shortcut to the Windows Startup folder and created a scheduled task that checked SNOWBELT was still running. The script also launched a headless Edge browser instance with the extension loaded. “This dual persistence strategy ensures the extension remains active even if one vector is removed,” the GTIG team noted.
Background
UNC6692 is part of a growing trend of threat actors leveraging social engineering to bypass technical controls. In recent years, similar campaigns have impersonated IT helpdesk staff via phone, email, and messaging platforms. The group’s use of a custom AutoHotKey loader and a bespoke browser extension shows a sophistication level aimed at long-term stealth.

The campaign was detected in late December 2025. Mandiant, which collaborated on the analysis, was unable to recover the initial AutoHotKey script, which suggests the attackers either used memory-only techniques or deleted the artifact shortly after execution.
What This Means
This attack underscores the critical need for organizations to verify IT support requests through out-of-band channels. “No legitimate helpdesk will ask you to install software via a Teams chat from an external account,” said a senior cybersecurity advisor. Enterprises should restrict external Teams access to an allow-list of trusted domains and restrict PowerShell and other scripting engines, AutoHotKey included, on workstations where they have no business need.
The use of custom malware like SNOWBELT also highlights the arms race between defenders and attackers. While browser extension security has improved, sideloading a malicious extension from disk remains a threat. Companies must monitor for unusual AutoHotKey executions and inspect extension load events in Chromium-based browsers, Edge included, since this campaign loaded the extension into a headless Edge instance rather than into Chrome.
Broader Implications
UNC6692’s campaign is a reminder that technical defenses alone are insufficient. Employee training focused on spotting impersonation and creating a culture of verification is paramount. GTIG recommends deploying endpoint detection and response tools that can alert when an executable runs alongside a script file with the same base name, in particular a renamed AutoHotKey interpreter with a companion .ahk script in the same directory.
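The following is an added detection example written for this article; it is not GTIG or Mandiant tooling and not code from the campaign. It implements the three checks discussed in the Infection Chain and Persistence sections and in the recommendations above: a binary executed from a directory where a same-named .ahk script was written, a renamed AutoHotKey interpreter identified through the PE's original file name, and a headless Chromium browser started with an extension sideloaded from disk. Field names mirror Sysmon Event ID 1 (process create: Image, CommandLine, OriginalFileName) and Event ID 11 (file create: TargetFilename). All hosts, paths and file names in the sample events are constructed placeholders, not indicators from the intrusion. Two assumptions are baked in: that the AutoHotKey build's version resource names AutoHotkey (verify against the binaries in your environment), and that the extension is loaded with Chromium's --load-extension switch, which the article does not confirm.

```python
"""Detection sketch for UNC6692-style AutoHotKey loader and sideloaded-extension
activity. Added example; not tooling from GTIG, Mandiant or the campaign.
Events are constructed samples whose fields mirror Sysmon Event IDs 1 and 11."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

CHROMIUM_BROWSERS = {"msedge.exe", "chrome.exe", "chromium.exe"}
# Chromium switches: --load-extension=<path> (quoted or bare) and --headless[=mode].
_LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))')
_HEADLESS = re.compile(r'(?:^|\s)--headless(?:=\S+)?(?=\s|$)')


@dataclass
class Event:
    kind: str                     # "ProcessCreate" (Sysmon 1) or "FileCreate" (Sysmon 11)
    host: str
    path: str                     # Image for a process, TargetFilename for a file
    command_line: str = ""
    original_file_name: str = ""  # from the PE version resource; survives renaming on disk


def _split(path):
    """Return (directory, stem, suffix) of a Windows path, lower-cased."""
    p = PureWindowsPath(path)
    return str(p.parent).lower(), p.stem.lower(), p.suffix.lower()


def sideloaded_extension(command_line):
    """Path handed to --load-extension, or None when the switch is absent."""
    m = _LOAD_EXT.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def detect(events):
    """Run the three rules over a list of Event objects; return (rule, host, detail) tuples."""
    alerts = []
    # Rule A needs the set of <host, dir, stem> for every .ahk file written.
    ahk_drops = {
        (ev.host,) + _split(ev.path)[:2]
        for ev in events
        if ev.kind == "FileCreate" and _split(ev.path)[2] == ".ahk"
    }
    for ev in events:
        if ev.kind != "ProcessCreate":
            continue
        directory, stem, suffix = _split(ev.path)
        image_name = stem + suffix

        # Rule A: a binary runs from a directory where a same-named .ahk was dropped.
        # AutoHotKey started with no arguments auto-loads exactly that script.
        if (ev.host, directory, stem) in ahk_drops:
            alerts.append(("ahk_same_name_companion", ev.host, ev.path))

        # Rule B: the PE says it is AutoHotkey but the on-disk name does not,
        # i.e. a renamed interpreter. Assumes the version resource names AutoHotkey.
        if "autohotkey" in ev.original_file_name.lower() and "autohotkey" not in image_name:
            alerts.append(("renamed_autohotkey_binary", ev.host, ev.path))

        # Rule C: headless Chromium with an extension sideloaded from disk, the
        # shape of the headless Edge launch used for SNOWBELT persistence.
        if image_name in CHROMIUM_BROWSERS:
            ext = sideloaded_extension(ev.command_line)
            if ext and _HEADLESS.search(ev.command_line):
                alerts.append(("headless_browser_sideloaded_extension", ev.host, ext))
    return alerts


# Constructed sample telemetry (placeholder names, not campaign indicators).
DOWNLOADS = r"C:\Users\jdoe\Downloads"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EXT_DIR = r"C:\Users\jdoe\AppData\Local\Temp\update_ext"
SAMPLE_EVENTS = [
    # The lure drops a renamed interpreter and a same-named script, then runs the exe.
    Event("FileCreate", "ws01", DOWNLOADS + r"\SpamFilterPatch.ahk"),
    Event("FileCreate", "ws01", DOWNLOADS + r"\SpamFilterPatch.exe"),
    Event("ProcessCreate", "ws01", DOWNLOADS + r"\SpamFilterPatch.exe",
          command_line=f'"{DOWNLOADS}\\SpamFilterPatch.exe"',
          original_file_name="AutoHotkey.exe"),
    Event("ProcessCreate", "ws01", EDGE,
          command_line=f'"{EDGE}" --headless --load-extension="{EXT_DIR}"'),
    # Benign: an unrenamed interpreter running a user's hotkey script, and a normal Edge start.
    Event("ProcessCreate", "ws02", r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
          command_line=r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\scripts\hotkeys.ahk',
          original_file_name="AutoHotkey.exe"),
    Event("ProcessCreate", "ws02", EDGE, command_line=f'"{EDGE}" --profile-directory=Default'),
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

Run against the sample, the first workstation produces three alerts (same-name companion, renamed interpreter, headless browser with sideloaded extension) and the second produces none. Rule B is the most robust of the three because OriginalFileName comes from the PE rather than the file system name the attacker controls; Rule A is what catches the loader even if the interpreter's metadata has been stripped, provided file-create telemetry for the download directory is retained.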
“Ultimately, this incident shows that threat actors will exploit any trusted communication channel,” concluded the GTIG analyst. “The human element remains both the weakest link and the first line of defense.”