UNC6692 Attack: New Threat Group Deploys Custom Malware Via Helpdesk Impersonation
Breaking: UNC6692 Campaign Targets Enterprise Users with Sophisticated Phishing
Google Threat Intelligence Group (GTIG) has identified a new threat group, UNC6692, that compromised networks through a multi-stage intrusion campaign combining persistent social engineering, a custom malware suite, and lateral movement. The attack, which began in late December 2025, relied on impersonating IT helpdesk employees via Microsoft Teams to trick victims into installing malicious software.

UNC6692 first overwhelmed targets with a large email campaign, creating urgency and confusion. The attacker then sent a phishing message through Microsoft Teams, posing as helpdesk staff offering assistance with the email volume. The victim was prompted to click a link to install a local “spam patch,” which instead downloaded a renamed AutoHotKey binary and script from an attacker-controlled AWS S3 bucket.
Infection Chain
Once the victim clicked the link, the browser opened an HTML page that fetched the malware from a URL resembling a Microsoft service update. AutoHotKey, when launched with no script argument, looks for a script in its own directory that shares the executable's base name, so the renamed binary automatically executed the script dropped beside it. That script performed initial reconnaissance and installed SNOWBELT, a malicious Chromium browser extension that was loaded from disk rather than distributed through the Chrome Web Store.
“UNC6692 demonstrates an evolution in social engineering tactics, exploiting inherent trust in enterprise collaboration tools,” said a GTIG analyst. “The use of AutoHotKey and a malicious browser extension allowed stealthy persistence and data collection.”
Persistence for SNOWBELT was established via a shortcut in the Windows Startup folder and a scheduled task. On each run, the AutoHotKey script verified that the extension was present and launched a headless (windowless) Edge browser instance with the extension loaded, so the extension kept running and collecting data without any visible browser window.

Background
UNC6692 is a threat group newly tracked by GTIG, first observed in late 2025. The campaign reflects a broader trend of attackers using social engineering to bypass technical defenses rather than exploiting software vulnerabilities. Custom malware suites like the one used by UNC6692 are increasingly modular, allowing attackers to adapt their tooling to the compromised environment.
“The multi-stage approach—overwhelming emails followed by targeted Teams messages—shows careful planning,” commented a cybersecurity expert from Mandiant. “It’s a reminder that even authorized communication channels can be weaponized.”
What This Means
Organizations must strengthen helpdesk verification processes and train employees to recognize social engineering attempts, in particular unsolicited "support" offers that arrive during an unusual flood of email. The use of Microsoft Teams as an attack vector underscores the need for strict policies on chat from external tenants and for identity verification through a second, known channel (for example, a callback to a published helpdesk number) before any remote support interaction proceeds.
GTIG recommends monitoring for unusual AutoHotKey executions, including renamed AutoHotKey binaries running from user-writable directories, and for unauthorized Chromium browser extensions, including extensions loaded into Edge from disk rather than installed from a store. “No organization is immune to these targeted attacks,” the analyst added. “Vigilance and layered defenses remain critical.”
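The following Python is an added example, not code from GTIG's report or from this page, that turns the persistence behaviours described in the Infection Chain section and the monitoring recommendations above into four hunt rules run over constructed Sysmon-style events. Field names (EventID, Image, OriginalFileName, CommandLine, TargetFilename) follow the Sysmon schema; the sample file paths, extension directory and task name are invented for illustration, and the renamed-binary check (comparing the on-disk name with the PE version resource's OriginalFileName) is a generic heuristic, not a detail taken from the report.

```python
"""Hunt rules for UNC6692-style tradecraft over constructed Sysmon-style events.
EventID 1 = process creation, EventID 11 = file creation (Sysmon schema).
All events below are sample data written for this example, not incident telemetry."""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Per-user Startup folder shortcut, e.g. ...\Start Menu\Programs\Startup\foo.lnk
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Chromium --load-extension flag, quoted or unquoted path.
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def renamed_autohotkey(ev: dict) -> Optional[str]:
    """AutoHotkey running under a different file name.
    Relies on the PE version resource (OriginalFileName); an attacker can strip
    or forge it, so treat this as one signal among several, not proof."""
    if ev.get("EventID") != 1:
        return None
    orig = ev.get("OriginalFileName", "").lower()
    image = basename(ev.get("Image", ""))
    if orig.startswith("autohotkey") and image != orig:
        return f"AutoHotkey renamed to {image}"
    return None


def headless_browser_with_extension(ev: dict) -> Optional[str]:
    """Edge/Chrome started headless with an unpacked extension loaded from disk."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) not in ("msedge.exe", "chrome.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    m = LOAD_EXT.search(cmd)
    if "--headless" in cmd.lower() and m:
        return f"headless browser loading extension from {m.group(1) or m.group(2)}"
    return None


def startup_folder_shortcut(ev: dict) -> Optional[str]:
    """New .lnk written into a Startup folder (file-create event)."""
    if ev.get("EventID") == 11 and STARTUP_LNK.search(ev.get("TargetFilename", "")):
        return f"startup shortcut {ev['TargetFilename']}"
    return None


def scheduled_task_created(ev: dict) -> Optional[str]:
    """schtasks.exe /create from any process; pair with parent-process context in practice."""
    if (ev.get("EventID") == 1 and basename(ev.get("Image", "")) == "schtasks.exe"
            and "/create" in ev.get("CommandLine", "").lower()):
        return f"scheduled task: {ev['CommandLine']}"
    return None


RULES = [renamed_autohotkey, headless_browser_with_extension,
         startup_folder_shortcut, scheduled_task_created]


def hunt(events):
    """Return (rule_name, finding) for every event that trips a rule, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((rule.__name__, finding))
    return hits


# Constructed sample events: four malicious, two benign (hypothetical paths).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\MSUpdate.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\MSUpdate.exe"'},
    {"EventID": 1, "Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",  # legitimate install
     "OriginalFileName": "AutoHotkey.exe", "CommandLine": r'"AutoHotkey.exe" build.ahk'},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'"msedge.exe" --headless=new --load-extension="C:\Users\alice\AppData\Roaming\MSUpdate\ext"'},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",  # normal browsing
     "OriginalFileName": "msedge.exe", "CommandLine": r'"msedge.exe" --profile-directory=Default'},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\MSUpdate.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSUpdate.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN MSUpdate /TR "C:\Users\alice\AppData\Local\Temp\MSUpdate.exe"'},
]

if __name__ == "__main__":
    for rule, finding in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {finding}")
```

Each rule on its own produces noise in a real estate (developers run AutoHotkey, admins create scheduled tasks); the value comes from correlating hits for the same user or host within a short window, which is the pattern the article's infection chain exhibits.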
For more details, refer to the infection chain overview and GTIG’s full report.