UNC6692 Combines Social Engineering, Malware, Cloud Abuse in Novel Attack Chain
Google Threat Intelligence and Mandiant have identified a new financially motivated threat actor, UNC6692, that blends social engineering via Microsoft Teams with custom malware and AWS S3 bucket abuse.

Google Threat Intelligence Group (GTIG) and Mandiant have disclosed a new financially motivated threat actor, tracked as UNC6692, that employs a sophisticated multi-stage attack chain combining social engineering, custom malware, and abuse of legitimate cloud infrastructure. The group's campaign, first observed in late December 2025, targets victims through a coordinated flood of email messages followed by a Microsoft Teams call from someone posing as help desk personnel. The attacker then delivers a phishing link that downloads a renamed AutoHotKey binary and script from an attacker-controlled AWS S3 bucket, initiating a chain of compromise.
The technical mechanism relies on AutoHotKey's behavior: if the binary and script share the same name in the same directory, the script executes automatically without additional command-line arguments. Once executed, the script installs SNOWBELT, a malicious Chromium browser extension not distributed through the Chrome Web Store. Through SNOWBELT, the attacker deploys additional payloads including the Snowglaze Python tunneler, the Snowbasin Python bindshell backdoor, and a portable Python environment. This modular approach allows the attacker to maintain persistence and execute remote commands.
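The same-name trigger described above is something a defender can sweep for on an endpoint without knowing the attacker's chosen file name in advance. The following is an added example, not code from the article, Google or Mandiant: it walks a directory tree and reports every `.exe` that sits next to an `.ahk` sharing its stem. The sample tree it builds is constructed, and its file names and folder layout are assumptions.

```python
import os
import tempfile
from pathlib import Path


def find_same_name_pairs(root, script_ext=".ahk", binary_ext=".exe"):
    """Return sorted (binary, script) path pairs that share a stem in one directory.

    The stem comparison is case-insensitive to match Windows filename semantics,
    so Update.EXE next to update.ahk is still reported.
    """
    pairs = []
    for dirpath, _subdirs, files in os.walk(root):
        by_stem = {}
        for name in files:
            p = Path(name)
            ext = p.suffix.lower()
            if ext in (script_ext, binary_ext):
                by_stem.setdefault(p.stem.lower(), {})[ext] = os.path.join(dirpath, name)
        for ext_map in by_stem.values():
            if binary_ext in ext_map and script_ext in ext_map:
                pairs.append((ext_map[binary_ext], ext_map[script_ext]))
    return sorted(pairs)


def build_sample_tree():
    """Create a constructed sample tree in a temp directory and return its root.

    Only the Downloads pair should be reported: the Tools folder holds a script
    and a binary whose names do not match, and readme.txt is ignored entirely.
    """
    root = tempfile.mkdtemp(prefix="ahk_pair_demo_")
    layout = {
        "Downloads/Helpdesk_Update.exe": b"MZ constructed stand-in for a renamed interpreter",
        "Downloads/helpdesk_update.ahk": b"; constructed script body",
        "Downloads/readme.txt": b"not relevant",
        "Tools/notes.ahk": b"; no sibling binary with the same stem",
        "Tools/other.exe": b"MZ",
    }
    for rel, body in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for exe, ahk in find_same_name_pairs(demo_root):
        print(f"same-name pair: {exe} <-> {ahk}")
```

A reported pair is a lead, not a verdict: legitimate AutoHotKey users ship the same layout. Triage by checking whether the `.exe` really is an AutoHotKey interpreter (its hash against the IOCs Google published, or its version resource) and whether it lives in a user-writable location such as a Downloads folder.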
After gaining initial access, UNC6692 uses a Python script to scan the local network for open ports 135, 445, and 3389 and enumerates local administrator accounts. Using a local admin account, the attacker initiates an RDP session through the Snowglaze tunneler from the victim system to a backup server. From there, the threat actor extracts LSASS process memory using LimeWire to capture credentials, then employs pass-the-hash techniques to move laterally to the domain controller, preparing for data exfiltration.
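The internal sweep for ports 135, 445 and 3389 described above leaves a distinctive footprint in firewall or flow logs: one workstation touching many peers on exactly those ports within a few minutes. Below is an added example, not code from the article or from Google, that runs a sliding-window detection over constructed connection-log lines. The log line format, the thresholds and every IP address in it are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the reported scan script probed; tune for your environment.
WATCHED_PORTS = {135, 445, 3389}

# Assumed log shape: "<ISO-8601 ts>Z src=<ip> dst=<ip> dport=<n> action=<...>"
LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_port_sweeps(lines, min_hosts=5, window=timedelta(minutes=5)):
    """Flag sources that reach >= min_hosts distinct hosts on watched ports within one window.

    Returns {src: {"hosts": n, "ports": [...], "first": iso, "last": iso}} for the
    densest window seen per source. A client hammering a single file server on 445
    is not flagged, because it never exceeds the distinct-host threshold.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] in WATCHED_PORTS:
            by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            # Advance the window start until the span fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            hosts = {r["dst"] for r in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > best["hosts"]):
                best = {
                    "hosts": len(hosts),
                    "ports": sorted({r["dport"] for r in span}),
                    "first": span[0]["ts"].isoformat(),
                    "last": span[-1]["ts"].isoformat(),
                }
        if best:
            findings[src] = best
    return findings


def _constructed_sample():
    """Constructed log: one host sweeping eight peers on all three ports, plus benign noise."""
    base = datetime(2025, 12, 29, 10, 0, 0)
    lines, n = [], 0
    for last_octet in range(30, 38):
        for port in (135, 445, 3389):
            ts = (base + timedelta(seconds=n)).strftime(TS_FMT)
            lines.append(f"{ts} src=10.0.5.21 dst=10.0.5.{last_octet} dport={port} action=allow")
            n += 1
    # Benign: a workstation talking to its file server and one RDP host over an hour.
    for k in range(10):
        ts = (base + timedelta(minutes=6 * k)).strftime(TS_FMT)
        lines.append(f"{ts} src=10.0.5.9 dst=10.0.5.50 dport=445 action=allow")
    lines.append(f"{base.strftime(TS_FMT)} src=10.0.5.9 dst=10.0.5.51 dport=3389 action=allow")
    lines.append(f"{base.strftime(TS_FMT)} src=10.0.5.9 dst=10.0.5.60 dport=443 action=allow")
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    for src, info in detect_port_sweeps(SAMPLE_LINES).items():
        print(f"{src}: {info['hosts']} hosts on ports {info['ports']} between {info['first']} and {info['last']}")
```

The distinct-host threshold matters more than the event count: a backup agent or vulnerability scanner will also fan out on these ports, so pair the alert with an allowlist of known scanners and, for the campaign here, with the preceding browser-extension install and the RDP session to a backup server rather than treating the sweep alone as conclusive.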
The impact of this campaign is significant due to its novel blend of techniques. By abusing AWS S3 buckets for payload delivery and command-and-control, UNC6692 bypasses traditional network reputation filters and blends into legitimate cloud traffic. Google has published indicators of compromise (IOCs) and YARA rules to aid detection. An AWS spokesperson stated that the company prohibits abuse of its services and encourages reporting through its Trust & Safety team.
Google's analysis emphasizes that defenders must now look beyond process monitoring to gain visibility into browser activity and unauthorized cloud traffic. As threat actors continue to professionalize modular, cross-platform methodologies, the ability to correlate disparate events across the browser, local Python environments, and cloud egress points will be critical for early detection. The UNC6692 campaign underscores the evolving sophistication of financially motivated threat actors who combine social engineering with technical evasion and cloud abuse.