Operation Snow Flurries: Inside UNC6692's Social Engineering Campaign Using Custom Malware

In late December 2025, a newly tracked threat group known as UNC6692 launched a sophisticated multi-stage intrusion campaign dubbed 'Snow Flurries'. By blending persistent social engineering, a custom modular malware suite, and clever network pivoting, the group managed to deeply penetrate a victim's environment. This campaign highlights a notable evolution in cyber threats, particularly the abuse of trusted enterprise platforms like Microsoft Teams and the deployment of a malicious Chromium browser extension. Below, we explore key questions about this attack in detail.

1. What is UNC6692, and what tactics did they use in the Snow Flurries campaign?

UNC6692 is a newly tracked threat group identified by Google Threat Intelligence Group (GTIG). Their Snow Flurries campaign exemplifies a sophisticated blend of social engineering and custom malware. The attackers began by overwhelming the target with a large email campaign, creating urgency and distraction. They then posed as IT helpdesk staff via Microsoft Teams, offering assistance. The victim was tricked into clicking a link that downloaded a renamed AutoHotKey binary and script from an AWS S3 bucket. This led to the execution of reconnaissance commands and the installation of SNOWBELT, a malicious Chrome extension. UNC6692's use of impersonation and trusted platforms marks a dangerous evolution in threat actor tactics.

Operation Snow Flurries: Inside UNC6692's Social Engineering Campaign Using Custom Malware
Source: www.mandiant.com

2. How did UNC6692 use social engineering to gain initial access?

The initial access relied heavily on impersonating IT helpdesk employees. After flooding the victim's inbox with spam emails to create a sense of urgency, the attackers sent a Microsoft Teams message from an external account posing as helpdesk personnel. They offered to help resolve the email issue and provided a link to install a 'local patch' for spam filtering. The victim accepted the Teams chat invitation—bypassing default external communication blocks—and clicked the link. This link opened an HTML page that triggered downloads from a threat actor-controlled AWS S3 bucket. The social engineering played on the victim's inherent trust in enterprise software and the desire to resolve a frustrating problem quickly.

3. What role did AutoHotKey play in the infection chain?

AutoHotKey is a legitimate scripting language for Windows automation. In this attack, UNC6692 abused it by delivering a renamed AutoHotKey binary alongside a script file with the same base name in the same directory. When an AutoHotKey binary is started with no command-line arguments, it looks for a script carrying its own name next to it and runs that script automatically, so simply launching the renamed binary was enough to execute the script. This allowed the attackers to run initial reconnaissance commands and install the SNOWBELT Chrome extension. The script itself was not recovered by Mandiant, but evidence shows it ran immediately after the downloads. The technique is subtle because AutoHotKey is not inherently malicious, and renaming the binary helps it evade name-based detection. The attackers leveraged this to launch their custom malware stealthily.

4. What is the SNOWBELT malicious browser extension, and how does it work?

SNOWBELT is a custom malicious Chromium browser extension created by UNC6692. It was not distributed through the Chrome Web Store, which means it was loaded from disk, most likely via the --load-extension command-line argument. The extension's purpose is to persist in the browser and likely steal credentials, monitor web activity, or facilitate further attacks. It was installed as part of the AutoHotKey script execution. SNOWBELT demonstrates the group's ability to craft modular malware that runs inside a trusted application such as the Edge browser. The browser instance hosting the extension is launched with the --user-data-dir and --headless=new flags, so it uses a separate profile and shows no window, which makes it harder for the victim to notice.
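The two execution patterns from sections 3 and 4 (a renamed AutoHotKey binary started with no arguments so that it picks up the same-name script, and a Chromium browser launched headless with an extension loaded from disk) both leave traces in process-creation telemetry. The following Python is an added example, not code from Mandiant's report or from the campaign. It assumes Sysmon-style Event ID 1 fields (Image, OriginalFileName, CommandLine), a set of file paths already observed on the host, and that AutoHotKey's PE version information still reports "AutoHotkey" as OriginalFileName after the file on disk is renamed. Every path, process id and event below is constructed, not an indicator from the report.

```python
"""Process-creation triage for two execution patterns: a renamed AutoHotKey
binary launched with no arguments beside a same-name .ahk script, and a
Chromium browser (Edge/Chrome) started headless with an extension loaded
from disk.  Added example; the events and paths are constructed in Sysmon
Event ID 1 style, not taken from the report."""
from __future__ import annotations

import ntpath
import re

# Assumption: AutoHotKey's PE version info keeps "AutoHotkey" in
# OriginalFileName (which Sysmon logs) even after the file is renamed.
AHK_MARKER = "autohotkey"
BROWSERS = {"msedge.exe", "chrome.exe"}
USER_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)


def split_args(command_line: str) -> list[str]:
    """Split a Windows command line on whitespace outside double quotes.
    Quotes are dropped; backslashes are left alone (they are path separators)."""
    tokens, cur, quoted = [], [], False
    for ch in command_line:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def flag_value(args: list[str], name: str) -> str | None:
    """Value of a --name=value switch, "" for a bare --name, None if absent."""
    for arg in args:
        if arg == name:
            return ""
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None


def renamed_autohotkey(event: dict, seen_files: set[str]) -> str | None:
    """Explain why this event looks like a renamed AutoHotKey launch, or None."""
    image = event["Image"]
    if AHK_MARKER not in event.get("OriginalFileName", "").lower():
        return None
    if AHK_MARKER in ntpath.basename(image).lower():
        return None  # still carries its real name: not the renamed pattern
    reasons = ["renamed AutoHotKey binary"]
    sibling = ntpath.splitext(image)[0] + ".ahk"
    if sibling.lower() in {f.lower() for f in seen_files}:
        reasons.append("same-name .ahk script beside it")
    if len(split_args(event["CommandLine"])) == 1:
        reasons.append("no arguments, so the same-name script is loaded implicitly")
    if USER_DIR.match(image):
        reasons.append("executed from a user directory")
    return "; ".join(reasons)


def sideloaded_headless_browser(event: dict) -> str | None:
    """Explain why this event looks like a headless browser with a sideloaded extension."""
    if ntpath.basename(event["Image"]).lower() not in BROWSERS:
        return None
    args = split_args(event["CommandLine"])
    ext = flag_value(args, "--load-extension")
    if ext is None:
        return None
    reasons = [f"extension loaded from disk: {ext}"]
    if flag_value(args, "--headless") is not None:
        reasons.append("headless (no visible window)")
    profile = flag_value(args, "--user-data-dir")
    if profile:
        reasons.append(f"separate profile: {profile}")
    return "; ".join(reasons)


def triage(events: list[dict], seen_files: set[str]) -> list[tuple[int, str, str]]:
    """Run both checks and return (pid, image name, reasons) for each hit."""
    hits = []
    for ev in events:
        for why in (renamed_autohotkey(ev, seen_files), sideloaded_headless_browser(ev)):
            if why:
                hits.append((ev["ProcessId"], ntpath.basename(ev["Image"]), why))
    return hits


# Constructed sample telemetry (not real indicators): "patch.exe" is a renamed
# AutoHotKey binary, the first msedge.exe launch hosts a sideloaded extension,
# and the last two events are benign controls.
SEEN_FILES = {
    r"C:\Users\jdoe\Downloads\SpamFilterPatch\patch.exe",
    r"C:\Users\jdoe\Downloads\SpamFilterPatch\patch.ahk",
}
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EVENTS = [
    {"ProcessId": 4412, "Image": r"C:\Users\jdoe\Downloads\SpamFilterPatch\patch.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\jdoe\Downloads\SpamFilterPatch\patch.exe"'},
    {"ProcessId": 4480, "Image": EDGE, "OriginalFileName": "msedge.exe",
     "CommandLine": f'"{EDGE}" --headless=new '
                    r'--user-data-dir="C:\Users\jdoe\AppData\Local\Temp\edgeprof" '
                    r'--load-extension="C:\Users\jdoe\AppData\Local\Temp\ext"'},
    {"ProcessId": 5120, "Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" "C:\Users\jdoe\Documents\macro.ahk"'},
    {"ProcessId": 5200, "Image": EDGE, "OriginalFileName": "msedge.exe",
     "CommandLine": f'"{EDGE}" --profile-directory=Default'},
]

if __name__ == "__main__":
    for pid, name, why in triage(EVENTS, SEEN_FILES):
        print(f"[{pid}] {name}: {why}")
```

Run as a script it prints one line per hit; the two benign events (a normally named AutoHotKey run with an explicit script, and an ordinary Edge launch) produce nothing. The OriginalFileName comparison is what makes the renamed-binary check work, so the rule is only as good as the PE metadata the telemetry source records.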


5. How did UNC6692 establish persistence for SNOWBELT?

Persistence was achieved through multiple mechanisms. First, a shortcut to an AutoHotKey script was added to the Windows Startup folder, ensuring it runs at each boot. That script checked if SNOWBELT was active and if a scheduled task existed. If the scheduled task was missing, the script would recreate it. The AutoHotKey code snippet shows it uses the Schedule.Service COM object to interact with Windows Task Scheduler. It searches for a specific task and runs it, then sleeps and checks if a headless Edge process (running the SNOWBELT extension) is still alive. This multi-layered persistence makes removal difficult—even if one mechanism is deleted, the other can restore it.
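The scheduled-task half of the persistence described above can be audited from the task definitions themselves: `schtasks /query /xml` exports every task as XML in the Task Scheduler schema, and a triage script can inspect what each action launches and on which trigger. The following Python is an added example, not code from Mandiant's report; it assumes that schema namespace and uses two constructed task definitions (one mimicking a headless-Edge-with-extension task, one benign). It covers the scheduled-task mechanism only; the Startup folder shortcut would need separate inspection of the .lnk target.

```python
"""Parse Windows Task Scheduler task definitions (the XML that
`schtasks /query /xml` exports) and flag tasks whose action would relaunch
an AutoHotKey script or a Chromium browser started headless with an
extension loaded from disk.  Added example; both task definitions are
constructed, not from the report (the XML declaration is omitted so the
sample parses directly as a str)."""
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
BROWSERS = {"msedge.exe", "chrome.exe"}


def parse_task(xml_text: str) -> dict:
    """Pull the fields a triage needs out of one task definition."""
    root = ET.fromstring(xml_text)

    def text(path: str) -> str:
        return (root.findtext(path, default="", namespaces=NS) or "").strip()

    triggers_node = root.find("t:Triggers", NS)
    triggers = [] if triggers_node is None else [
        child.tag.rsplit("}", 1)[-1] for child in triggers_node]
    actions = [
        (ex.findtext("t:Command", default="", namespaces=NS).strip(),
         ex.findtext("t:Arguments", default="", namespaces=NS).strip())
        for ex in root.findall("t:Actions/t:Exec", NS)
    ]
    return {
        "uri": text("t:RegistrationInfo/t:URI"),
        "triggers": triggers,
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "actions": actions,
    }


def suspicious_reasons(task: dict) -> list[str]:
    """Reasons a task looks like this style of persistence, or [] if it does not."""
    reasons = []
    for cmd, args in task["actions"]:
        exe = ntpath.basename(cmd.strip('"')).lower()
        full = f"{cmd} {args}".lower()
        # Task XML carries no PE metadata, so a renamed AutoHotKey binary is
        # only caught here through an explicit .ahk argument; the no-argument,
        # same-name-script variant needs process telemetry to correlate with.
        if "autohotkey" in exe or ".ahk" in args.lower():
            reasons.append(f"action runs an AutoHotKey script: {cmd} {args}".strip())
        if exe in BROWSERS and "--load-extension" in full:
            why = "browser action loads an extension from disk"
            if "--headless" in full:
                why += " and runs headless"
            reasons.append(why)
    # Context that only matters once the action itself is suspicious.
    if reasons and task["hidden"]:
        reasons.append("task is marked Hidden")
    if reasons and "LogonTrigger" in task["triggers"]:
        reasons.append("re-runs at every logon")
    return reasons


# Constructed task definitions (paths and names are not real indicators).
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\EdgeSpamFilterRefresh</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden><StartWhenAvailable>true</StartWhenAvailable></Settings>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"</Command>
    <Arguments>--headless=new --user-data-dir="C:\Users\jdoe\AppData\Local\Temp\edgeprof" --load-extension="C:\Users\jdoe\AppData\Local\Temp\ext"</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Corp\NightlyBackup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-12-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Corp\backup.exe</Command><Arguments>--nightly</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_TASK, BENIGN_TASK):
        task = parse_task(xml_text)
        print(task["uri"], task["triggers"], suspicious_reasons(task) or "clean")
```

On a live host the same functions can be fed the output of `schtasks /query /xml` one task at a time. Because the Startup-folder script recreates the task when it is missing, a task that reappears after deletion is itself a useful signal that the other persistence layer is still present.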

6. What does this campaign reveal about the evolution of cyber threat tactics?

The Snow Flurries campaign underscores several key evolutions: (1) Social engineering now leverages multiple trusted platforms—email for distraction and Teams for impersonation. (2) Attackers are abusing legitimate tools like AutoHotKey rather than relying solely on custom executables. (3) Browser extensions loaded externally (not from official stores) offer a persistent, hard-to-detect foothold. (4) The use of multiple persistence mechanisms (Startup folder and scheduled tasks) shows advanced operational security. This campaign also demonstrates how threat actors adapt to enterprise defenses that block traditional email phishing by moving to collaboration tools. UNC6692's blend of social engineering, custom malware, and abuse of trust in software providers represents a dangerous new standard.

7. How can organizations defend against attacks like Snow Flurries?

Defending against such attacks requires a multi-layered approach. First, implement strict external communication policies for platforms like Microsoft Teams—block external chat invitations unless explicitly approved. Second, conduct regular security awareness training that covers advanced social engineering tactics, including IT impersonation and multi-vector attacks. Third, monitor for unusual use of scripting tools like AutoHotKey—especially when renamed binaries are executed from user directories. Fourth, restrict the ability to load browser extensions from outside official stores via group policies. Fifth, deploy endpoint detection and response (EDR) solutions that can detect headless browser processes and scheduled task creation. Finally, simulate phishing and spear-phishing campaigns that combine email and collaboration platforms to test employee responses.
