UNC6692 Deploys Custom Malware via Fake IT Helpdesk Calls, Google Warns
A newly tracked threat group, UNC6692, has compromised victims through a multi-stage campaign combining persistent social engineering, a custom modular malware suite, and stealthy lateral movement, according to Google Threat Intelligence Group (GTIG). The attacks, first detected in late December 2025, exploit inherent trust in enterprise communication tools and software vendors.
The Attack Chain
UNC6692 began by flooding a target’s inbox with spam emails, creating urgency and distraction. Minutes later, an attacker posing as IT helpdesk personnel contacted the victim via Microsoft Teams, offering to fix the email overload.

"This is a textbook 'helpdesk impersonation' combined with a denial-of-service tactic," said JP Glab, a GTIG researcher. "The victim is overwhelmed and eager for assistance, making them less likely to scrutinize the Teams invitation from an external account."
The phishing message contained a link labeled as a local patch for spam filtering. Clicking it opened an HTML page hosted on a threat actor-controlled AWS S3 bucket, which downloaded a renamed AutoHotKey binary and an identically named script file.
Figure 1: snippet from Teams logs:
"url": "https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=<redacted>.com"
"description": "Microsoft Spam Filter Updates | Install the local patch to protect your account from email spamming"
Because AutoHotKey automatically executes a script with the same name as the binary, no command-line arguments were needed. The script launched reconnaissance commands and installed SNOWBELT, a malicious Chromium browser extension not available on the Chrome Web Store. Mandiant was unable to recover the initial AutoHotKey script.
Persistence and Payload
SNOWBELT’s persistence was established through multiple mechanisms. A shortcut was added to the Windows Startup folder, running an AutoHotKey script that verified the extension was active. A scheduled task also ensured the extension remained loaded.
if !CheckHeadlessEdge(){
    try{
        taskService:=ComObject("Schedule.Service")
        taskService.Connect()
        rootFolder:=taskService.GetFolder("\")
        if FindAndRunTask(rootFolder){
            Sleep 10000
            if CheckHeadlessEdge(){
                ExitApp
            }
        }
    }
    Run 'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft
The extension ran under a headless Edge browser instance, allowing it to exfiltrate data and issue commands without alerting the user. The malware suite, dubbed SNOWBELT, is modular—researchers observed it retrieving additional payloads from command-and-control servers.

Background
UNC6692 is a new threat actor tracked by GTIG since late 2025. Their campaign marks an evolution in social engineering tactics, using trusted platforms like Microsoft Teams and Chromium extensions to bypass traditional security controls. The group has shown sophistication in blending automated tooling with manual interaction.
"What sets UNC6692 apart is their seamless integration of social engineering with custom malware," said Tufail Ahmed, a Mandiant analyst. "The use of AutoHotKey to drop a browser extension is relatively novel and difficult to detect with standard endpoint protection."
What This Means
Organizations should reinforce helpdesk authentication procedures. Employees must be trained to verify Teams invitations from external accounts and never run downloaded scripts or 'patches' offered via chat. This campaign also highlights the risk of browser extensions, even those not in official stores.
Security teams should monitor for abnormal AutoHotKey execution, especially processes originating from user downloads. The use of headless browsers for persistence is a growing trend that requires enhanced detection rules.
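As an added illustration of the monitoring advice above (example code written for this page, not tooling from GTIG or Mandiant), the following Python checks Sysmon-style process-creation records for the two behaviours this article describes: an AutoHotkey interpreter running under a changed file name or from a user download directory, and a Chromium browser launched headless with an extension side-loaded from disk. The sample records, user names and paths are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed records in the shape of Sysmon Event ID 1 fields; paths are made up, not from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\MSSpamFilterPatch.exe",   # renamed interpreter
     "original_file_name": "AutoHotkey64.exe",
     "command_line": r'"C:\Users\alice\Downloads\MSSpamFilterPatch.exe"'},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "original_file_name": "msedge.exe",
     "command_line": (r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                      r'--user-data-dir="C:\Users\alice\AppData\Local\Microsoft\Edge\System Data" '
                      r'--headless=new --load-extension="C:\Users\alice\AppData\Local\ext"')},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",  # normal launch
     "original_file_name": "msedge.exe",
     "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {"image": r"C:\Program Files\AutoHotkey\v2\AutoHotkey64.exe",  # legitimate admin script
     "original_file_name": "AutoHotkey64.exe",
     "command_line": r'"C:\Program Files\AutoHotkey\v2\AutoHotkey64.exe" C:\Tools\hotkeys.ahk'},
]

# Directories an ordinary user can write to and a chat-delivered download would land in.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp|Public)\\", re.IGNORECASE)
BROWSERS = {"msedge.exe", "chrome.exe"}


def check_event(ev):
    """Return the indicator names triggered by one process-creation record."""
    hits = []
    image = PureWindowsPath(ev["image"])
    ofn = ev.get("original_file_name", "").lower()
    cmd = ev["command_line"]
    is_ahk = ofn.startswith("autohotkey")   # PE OriginalFileName survives a rename on disk
    # 1. AutoHotkey interpreter running under a different file name than it was built with.
    if is_ahk and image.name.lower() != ofn:
        hits.append("renamed_autohotkey")
    # 2. AutoHotkey interpreter started from a download or temp location.
    if is_ahk and USER_WRITABLE.search(str(image)):
        hits.append("autohotkey_from_user_dir")
    # 3. Chromium browser started headless with an extension side-loaded from disk.
    if image.name.lower() in BROWSERS and "--headless" in cmd and "--load-extension=" in cmd:
        hits.append("headless_sideloaded_extension")
    return hits


def scan(events):
    """Map record index -> indicators for every record that triggered at least one."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}
```

A legitimately installed AutoHotkey under Program Files running a script from a managed path triggers nothing, so the rules key on the renaming and download-directory behaviour rather than on the interpreter itself.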
"This attack shows that trust, not just technology, is the attack surface," concluded Josh Kelley of GTIG. "Defenders need to assume that helpdesk impersonation will happen and build verification steps into their incident response plans."