UNC6692 Uses Helpdesk Impersonation and Custom Malware Suite to Breach Enterprise Networks
Mandiant has identified a new threat group, UNC6692, that combines social engineering via Microsoft Teams with a custom modular malware suite to achieve deep network penetration.

Google Threat Intelligence Group (GTIG) has identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration.
As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization. The UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware, and a malicious browser extension, playing on the victim’s inherent trust in several different enterprise software providers.
In late December 2025, UNC6692 conducted a large email campaign designed to overwhelm the target with messages, creating a sense of urgency and distraction. Following this, the attacker sent a phishing message via Microsoft Teams, posing as helpdesk personnel offering assistance with the email volume. The victim was prompted to click a link to install a "local patch" that would stop the email spamming. Once clicked, the user's browser opened an HTML page and ultimately downloaded a renamed AutoHotkey binary and an AutoHotkey script from a threat actor-controlled AWS S3 bucket.
If the AutoHotkey binary is launched with no command-line arguments and a script file with the same base name sits in its directory, AutoHotkey runs that script automatically. Evidence of AutoHotkey execution was recorded immediately after the downloads, resulting in initial reconnaissance commands and the installation of SNOWBELT, a malicious Chromium browser extension (not distributed through the Chrome Web Store). Persistence for SNOWBELT was established in multiple ways, including a shortcut added to the Windows Startup folder and two additional scheduled tasks.
Using the SNOWBELT extension, UNC6692 downloaded additional files including SNOWGLAZE, SNOWBASIN, AutoHotkey scripts, and a ZIP archive containing a portable Python executable and its required libraries. After initial access, process execution telemetry recorded UNC6692 using a Python script to scan the local network for ports 135, 445, and 3389. The threat actor then established a Sysinternals PsExec session to the victim's system via the SNOWGLAZE tunnel and executed commands to enumerate local administrator accounts.
After gaining access to a backup server, the threat actor used the local administrator account to dump the LSASS process memory with Windows Task Manager. LSASS memory contains usernames, passwords, and hashes for accounts that have authenticated to the system. After dumping the process memory, UNC6692 exfiltrated it via LimeWire, allowing the credentials to be extracted offline without triggering on-host detection.
Mandiant's report highlights the evolving sophistication of social engineering attacks that bypass traditional email security controls by moving to collaboration platforms like Microsoft Teams. Organizations are advised to implement strict policies for external communication, enable multi-factor authentication, and monitor for unusual AutoHotkey or headless browser activity as indicators of compromise.
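As an added example (not code from the GTIG/Mandiant report), the AutoHotkey launch pattern described above and the closing monitoring recommendation can be turned into a simple check over process-creation telemetry. It assumes Sysmon-style events carrying Image, OriginalFileName and CommandLine fields; the sample events, paths and file names below are constructed, not indicators from the campaign.

```python
import ntpath
import shlex

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# Every path and file name here is an assumption for illustration only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\patch\mailfix.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\patch\mailfix.exe"'},
    {"Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\scripts\hotkeys.ahk'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "OriginalFileName": "chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --load-extension=C:\Users\alice\AppData\Local\Temp\ext'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "OriginalFileName": "chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://intranet.example'},
]

CHROMIUM_NAMES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Real Chromium switches: headless mode and side-loading an unpacked extension.
SUSPICIOUS_BROWSER_FLAGS = ("--headless", "--load-extension", "--disable-extensions-except")

def detect(event):
    """Return the list of reasons this process-creation event looks suspicious."""
    reasons = []
    image_name = ntpath.basename(event["Image"]).lower()
    original = event.get("OriginalFileName", "").lower()
    # posix=False keeps Windows backslashes and quoted paths intact when tokenising.
    args = shlex.split(event["CommandLine"], posix=False)[1:]

    if original == "autohotkey.exe":
        if image_name != original:
            reasons.append("renamed AutoHotkey binary")
        if not args:
            # No script argument: AutoHotkey will look for a same-named .ahk
            # beside the executable, the launch pattern described in the report.
            reasons.append("AutoHotkey run without a script argument")

    if original in CHROMIUM_NAMES or image_name in CHROMIUM_NAMES:
        hits = [a for a in args if a.lower().startswith(SUSPICIOUS_BROWSER_FLAGS)]
        if hits:
            reasons.append("browser launched with " + ", ".join(hits))
    return reasons

def scan(events):
    """Map each flagged event's Image to its reasons; clean events are omitted."""
    return {e["Image"]: detect(e) for e in events if detect(e)}
```

In production the same logic would run as a SIEM rule over the full Image/OriginalFileName/CommandLine triple rather than over a handful of in-memory dicts.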