UNC6692 Hackers Exploit IT Help Desk Trust to Deploy Custom Malware via Microsoft Teams

Breaking News — December 2025 — A newly tracked threat group, UNC6692, has been observed launching a sophisticated multi-stage intrusion campaign that relies on persistent social engineering, a custom modular malware suite, and deft internal pivoting. The attack, identified by Google Threat Intelligence Group (GTIG), culminated in deep network penetration after the initial breach.

The campaign began in late December 2025 with a high-volume email blast designed to overwhelm the target and create urgency. Shortly after, attackers contacted the victim via Microsoft Teams, impersonating IT helpdesk personnel and offering assistance with the email flood.

“UNC6692 demonstrates an evolution in social engineering tactics, using Microsoft Teams phishing and a malicious browser extension to exploit inherent trust in enterprise software,” said JP Glab, a GTIG researcher.

Infection Chain

The victim was prompted in Teams to click a link for a local patch that would stop email spamming. Clicking opened an HTML page hosted on a fake Microsoft-themed URL (service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com) and downloaded a renamed AutoHotKey binary and script from the same AWS S3 bucket.

(Image source: www.mandiant.com)

Because the AutoHotKey binary and script share the same name, AutoHotKey automatically executed the script without additional command-line arguments. Execution evidence appeared immediately after download, leading to initial reconnaissance commands and installation of a malicious Chromium browser extension called SNOWBELT (not distributed via the Chrome Web Store). Mandiant could not recover the initial AutoHotKey script.

Persistence Mechanisms

SNOWBELT persistence was established through two methods: a shortcut in the Windows Startup folder that verified SNOWBELT was running, and a scheduled task that re-launched the extension if needed.

    ; Scheduled-task logic (AutoHotKey v2): if no headless Edge instance is
    ; running, relaunch Edge headless with the SNOWBELT extension side-loaded.
    ; "..." marks paths and arguments elided in the published excerpt.
    if !CheckHeadlessEdge() {
        ...
        Run 'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="..." --headless=new --load-extension="..." ...'
    }

The scheduled task checked for Headless Edge instances and kept the extension alive. This technique allowed attackers to maintain persistent access inside the victim’s environment.

(Image source: www.mandiant.com)

Background

UNC6692 first appeared in late 2025 and is characterized by its heavy reliance on impersonating IT helpdesk employees. While many groups use similar social engineering, this campaign is notable for its custom malware suite and the use of the SNOWBELT browser extension, which can capture browser data and execute arbitrary commands.

The group’s infrastructure includes threat actor-controlled AWS S3 buckets and domains mimicking legitimate enterprise update pages. The attack chain required no user credentials — only the victim’s willingness to click a link and trust a Teams message from an external account.

What This Means

This campaign underscores the growing threat of attacker-controlled browser extensions as a persistence and espionage tool. Enterprises must strengthen their verification processes for IT helpdesk communications, especially those arriving via collaboration platforms like Teams.

“Organizations should enable external chat warnings, enforce multi-factor authentication for Teams, and educate users not to install software from unverified links,” advised Tufail Ahmed, a senior threat analyst at Mandiant.

The use of AutoHotKey evades traditional endpoint detection because the binary is legitimate, yet it can execute arbitrary scripts. Security teams should monitor for unexpected AutoHotKey processes and scheduled tasks pointing to headless browser instances.
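The monitoring advice above can be turned into a concrete check: flag any process or scheduled-task command line that starts a Chromium browser headless with a side-loaded extension, which is the shape of the SNOWBELT relaunch task described earlier. This is an added example, not code from GTIG or Mandiant; the command lines it scans are constructed for illustration and the file paths in them are placeholders.

```python
"""Detect headless-browser + --load-extension command lines (SNOWBELT-style persistence)."""
import re
from typing import List, Optional

# Chromium-based browser binaries that honour --headless and --load-extension
BROWSERS = ("msedge.exe", "chrome.exe", "brave.exe")

# --headless or --headless=new / --headless=old
HEADLESS_RE = re.compile(r"--headless(?:=\w+)?\b", re.IGNORECASE)
# --load-extension=<path>, with or without surrounding double quotes
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def flag_headless_sideload(cmdline: str) -> Optional[dict]:
    """Return a finding if cmdline launches a browser headless with a side-loaded
    extension; None otherwise. Headless alone (e.g. PDF rendering) and an unpacked
    extension alone (e.g. developer testing) are not flagged by this check."""
    lower = cmdline.lower()
    browser = next((b for b in BROWSERS if b in lower), None)
    if browser is None:
        return None
    headless = HEADLESS_RE.search(cmdline)
    ext = LOAD_EXT_RE.search(cmdline)
    if not (headless and ext):
        return None
    return {
        "browser": browser,
        "headless_flag": headless.group(0),
        "extension_path": ext.group(1) or ext.group(2),
    }


def scan(cmdlines: List[str]) -> List[dict]:
    """Scan command lines (e.g. scheduled-task actions or process-creation events)."""
    findings = []
    for index, cmdline in enumerate(cmdlines):
        finding = flag_headless_sideload(cmdline)
        if finding:
            findings.append({"index": index, **finding})
    return findings


# Constructed sample command lines; paths are placeholders, not real indicators.
SAMPLE_COMMAND_LINES = [
    # Mirrors the task action quoted above: cmd wrapper, custom profile, headless, side-loaded extension
    'cmd /c start "" "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
    '--user-data-dir="C:\\Users\\Public\\profile" --headless=new --load-extension="C:\\Users\\Public\\ext"',
    # Ordinary interactive Edge launch
    '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --profile-directory=Default',
    # Developer loading an unpacked extension, not headless
    '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --load-extension=C:\\dev\\myext',
    # Headless PDF rendering job, no extension
    'msedge.exe --headless=new --print-to-pdf=out.pdf https://intranet.example',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f)
```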


This is a breaking story. More details will follow as investigations continue.
