New Threat Group UNC6692 Exploits Helpdesk Trust to Deploy Custom Malware Suite via Microsoft Teams

Urgent: Google Identifies Sophisticated Social Engineering Campaign Targeting Enterprises

Google Threat Intelligence Group (GTIG) has uncovered a multi-stage intrusion campaign by a newly tracked threat actor, UNC6692, that leverages persistent social engineering and custom malware to achieve deep network penetration. The attack, active since late December 2025, exploits inherent trust in enterprise software by impersonating IT helpdesk personnel via Microsoft Teams, a tactic that has proven alarmingly effective.

New Threat Group UNC6692 Exploits Helpdesk Trust to Deploy Custom Malware Suite via Microsoft Teams
Source: www.mandiant.com

"This campaign represents a significant evolution in social engineering tactics," said JP Glab, a threat intelligence analyst at Google. "UNC6692 combines a high volume of email distractions with a trusted communication channel to trick victims into installing malicious software."

The Attack: How UNC6692 Breached Networks

The attacker first conducted a large email campaign designed to overwhelm the target with messages, creating urgency and confusion. Shortly after, the victim received a Microsoft Teams chat from an account appearing to be the IT helpdesk, offering assistance with the email volume. The message contained a link to a supposed spam filter patch.

"The victim is lulled into a false sense of security because the request comes through a platform they use daily for legitimate helpdesk interactions," explained Tufail Ahmed, a senior threat researcher at Google. "This two-step distraction is a hallmark of UNC6692's approach."

Infection Chain: AutoHotKey and the SNOWBELT Extension

Once the victim clicked the link, their browser opened an HTML page hosted on a threat actor-controlled AWS S3 bucket. The page silently downloaded a renamed AutoHotKey binary and an accompanying script—both sharing the same filename—without the user's knowledge. AutoHotKey automatically executed the script because the binary and script were in the same directory, requiring no additional command-line arguments.

Evidence of AutoHotKey execution was recorded immediately after the download, leading to initial reconnaissance and installation of a malicious Chromium browser extension called SNOWBELT. This malicious extension was not distributed through the Chrome Web Store, indicating custom development. "The use of an undocumented browser extension gives UNC6692 persistent access and allows them to monitor browser activity, a highly stealthy technique," said Josh Kelley, a malware analyst at Google.

Persistence Mechanisms

UNC6692 ensured SNOWBELT remained active through multiple persistence methods. A shortcut to an AutoHotKey script was added to the Windows Startup folder; that script verified that SNOWBELT was running and that a scheduled task existed to relaunch it if terminated. The script also included logic to check for a headless Edge browser process before launching the extension.


"This multi-layered persistence makes it extremely difficult for traditional endpoint detection to remove the threat," noted Muhammad Umair, incident response lead at Google.

Background: The Rise of Helpdesk Impersonation

Social engineering attacks impersonating IT support have become increasingly common in recent years. Attackers exploit the trust employees place in helpdesk personnel, especially when contact occurs through enterprise tools like Microsoft Teams or Slack. UNC6692's campaign represents an evolution by combining email flooding, Teams phishing, and custom malware—all tailored to exploit enterprise environments.

Google's Threat Intelligence Group tracks dozens of similar groups, but UNC6692 stands out for its use of a custom AutoHotKey dropper and a bespoke browser extension. This level of customization suggests a well-resourced adversary with specific targeting goals.

What This Means: Urgent Recommendations for Enterprises

This campaign underscores the need for organizations to implement strict verification procedures for IT helpdesk requests—even those coming through trusted platforms. "Employees should be trained to independently verify any unsolicited contact from IT via a separate channel, such as a phone call or in-person visit," said Glab. "No legitimate helpdesk will ask you to download software from an external link."

Additionally, companies should monitor for AutoHotKey execution and suspicious scheduled tasks, as well as restrict browser extension installation to those from official stores. The use of SNOWBELT highlights the risk of allowing unsigned extensions in enterprise environments. Google recommends enabling security features that block sideloaded extensions and reviewing startup folder entries for anomalies.
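The following is an added detection example, not code from the original article or from Google/Mandiant. It runs the checks suggested above (a renamed AutoHotKey binary launched from a browser without an explicit script argument, a scheduled task pointing into a user-writable path, and a new shortcut in the Startup folder) over constructed Sysmon-style events; the field names follow Sysmon Event ID 1 and 11, while every path, filename and command line is invented for illustration.

```python
import ntpath
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Matches a target under a per-user Downloads or AppData directory.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\")

# Constructed events shaped like Sysmon Event ID 1 (process create) and
# Event ID 11 (file create). Names and paths are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\SpamFilterPatch.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\SpamFilterPatch.exe"',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn Updater /tr "C:\Users\alice\AppData\Roaming\svc.exe" /sc minute /mo 5',
     "ParentImage": r"C:\Users\alice\Downloads\SpamFilterPatch.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\SpamFilterPatch.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    # Benign control: the real AutoHotKey binary run by a user with a named script.
    {"EventID": 1, "Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\alice\scripts\hotkeys.ahk',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def analyse(ev):
    """Return the detection names that fire for one event (empty list if none)."""
    hits = []
    if ev["EventID"] == 1:
        image = ntpath.basename(ev["Image"]).lower()
        orig = ev.get("OriginalFileName", "").lower()
        parent = ntpath.basename(ev["ParentImage"]).lower()
        cmd = ev["CommandLine"].lower()
        if orig.startswith("autohotkey"):
            # OriginalFileName comes from the PE version resource, so a renamed copy still reveals itself.
            if ntpath.splitext(image)[0] != ntpath.splitext(orig)[0]:
                hits.append("renamed_autohotkey_binary")
            if parent in BROWSERS:
                hits.append("autohotkey_spawned_by_browser")
            if ".ahk" not in cmd:  # no script argument: a same-name .ahk is auto-loaded
                hits.append("autohotkey_without_script_arg")
        if image == "schtasks.exe" and "/create" in cmd and USER_WRITABLE.search(cmd):
            hits.append("scheduled_task_to_user_writable_path")
    elif ev["EventID"] == 11:
        target = ev["TargetFilename"].lower()
        if "\\start menu\\programs\\startup\\" in target and target.endswith(".lnk"):
            hits.append("startup_folder_shortcut_created")
    return hits

def scan(events=SAMPLE_EVENTS):
    """Map event index to its detections, omitting events with no hits."""
    return {i: h for i, ev in enumerate(events) if (h := analyse(ev))}

if __name__ == "__main__":
    for idx, hits in scan().items():
        print(idx, hits)
```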

UNC6692's tactics are likely to be adopted by other threat groups, making immediate action critical. Victims are advised to perform full incident response scans and consider network segmentation to limit lateral movement.
