
New Hacking Group UNC6692 Poses as IT Help Desk to Deploy Custom Malware Suite

Last updated: 2026-05-04 14:00:10 · Cybersecurity


A newly tracked threat group, UNC6692, has been conducting a multistage intrusion campaign that leverages persistent social engineering, a custom modular malware suite, and deft pivoting inside victim networks to achieve deep penetration, Google Threat Intelligence Group (GTIG) reported today.

Image: New Hacking Group UNC6692 Poses as IT Help Desk to Deploy Custom Malware Suite (Source: www.mandiant.com)

"This campaign shows a sophisticated evolution in social engineering tactics," said JP Glab, a threat analyst at GTIG. Attackers impersonated IT helpdesk employees and convinced victims to accept Microsoft Teams chat invitations from accounts outside their organizations.

The Infection Chain

In late December 2025, UNC6692 first overwhelmed targets with a large email campaign to create urgency and distraction, then sent phishing messages via Microsoft Teams posing as helpdesk staff offering assistance with the email volume.

The victim was prompted to click a link to install a local patch to prevent spam. Clicking the link opened an HTML page and downloaded a renamed AutoHotKey binary and script from a threat actor-controlled AWS S3 bucket.

"The AutoHotKey binary was named identically to the script file in the same directory, so it automatically executed without extra command-line arguments," explained Tufail Ahmed, another GTIG researcher. Evidence of AutoHotKey execution was recorded immediately after download, leading to initial reconnaissance commands and installation of SNOWBELT, a malicious Chromium browser extension not distributed through the Chrome Web Store.

Background

UNC6692 is a newly identified threat group with no known previous campaigns. Its reliance on impersonating IT helpdesk employees continues a trend seen in recent years, but with an evolution in tactics that includes custom malware and a malicious browser extension.


The group exploited inherent trust in enterprise software providers to deliver the payload. Mandiant was unable to recover the initial AutoHotKey script, but the infection chain was observed live.

Persistence for SNOWBELT was established via multiple mechanisms: a shortcut in the Windows Startup folder that verified the extension was running, and a Scheduled Task that checked for headless Edge execution and relaunched the malware if needed.
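As an added illustration (not code from the article, GTIG or Mandiant), the two rules below triage constructed process-creation events for the tradecraft described in the infection chain and persistence sections: a renamed AutoHotKey binary sharing a stem with a .ahk script in a user-writable directory, and a headless Edge launch loading an extension from outside a store. The file listing, the events and the use of Chromium's --load-extension switch are assumptions, not details from the report.

```python
"""Toy triage rules for process-creation telemetry, modelled on the UNC6692 chain
above. Every path and event here is a constructed sample, not real telemetry."""
from pathlib import PureWindowsPath

# Constructed listing of the directory the "spam patch" was downloaded to.
DISK_LISTING = {
    r"C:\Users\alice\Downloads\patch\spamfix.exe",  # renamed AutoHotKey binary
    r"C:\Users\alice\Downloads\patch\spamfix.ahk",  # script sharing its stem
}

# Constructed process-creation events: image path, command line, parent image.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\patch\spamfix.exe",
     "cmdline": "spamfix.exe", "parent": "explorer.exe"},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r"msedge.exe --headless --load-extension=C:\Users\alice\AppData\Roaming\ext",
     "parent": "svchost.exe"},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe --profile-directory=Default", "parent": "explorer.exe"},
]

def sibling_ahk_script(image: str, cmdline: str, listing: set[str]) -> bool:
    """An executable under a user profile, started with no arguments, that has a
    .ahk file of the same stem beside it: the auto-execute trick described above."""
    path = PureWindowsPath(image)
    if "users" not in [p.lower() for p in path.parts] or " " in cmdline.strip():
        return False
    script = str(path.with_suffix(".ahk")).lower()
    return any(script == f.lower() for f in listing)

def headless_edge_with_extension(image: str, cmdline: str) -> bool:
    """Headless Edge told to load an extension from an arbitrary directory.
    Assumption: the task used Chromium's --headless and --load-extension switches;
    the article does not say which switches UNC6692's Scheduled Task passed."""
    if PureWindowsPath(image).name.lower() != "msedge.exe":
        return False
    args = cmdline.lower().split()
    return "--headless" in args and any(a.startswith("--load-extension") for a in args)

def triage(events: list[dict], listing: set[str]) -> list[tuple[str, str]]:
    """Return (rule name, image path) for each event matching a rule."""
    hits = []
    for ev in events:
        if sibling_ahk_script(ev["image"], ev["cmdline"], listing):
            hits.append(("ahk_sibling_script", ev["image"]))
        if headless_edge_with_extension(ev["image"], ev["cmdline"]):
            hits.append(("headless_edge_extension", ev["image"]))
    return hits
```

On real telemetry the file listing would come from an EDR file-inventory query rather than a hard-coded set, and the ordinary Edge launch in the third event shows why the rule keys on the headless and extension switches together rather than on msedge.exe alone.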

What This Means

This campaign demonstrates that social engineering continues to be a primary vector for advanced intrusions. Organizations must enhance training to spot phishing attempts even within trusted communication platforms like Microsoft Teams.

Additionally, the use of a custom browser extension not from official app stores highlights the need for stricter controls on browser extensions and monitoring of headless browser executions. As UNC6692 refines its techniques, defenders must anticipate similar attacks that blend social engineering with custom tooling.

"Enterprises should review Teams external chat policies and educate users to verify helpdesk contacts through alternate channels," advised Josh Kelley, GTIG researcher. The group's ability to pivot inside victim environments underscores the importance of network segmentation and robust access controls.