Decoding Snow Flurries: A Step-by-Step Breakdown of UNC6692's Social Engineering Malware Campaign


Introduction

In late December 2025, the Google Threat Intelligence Group (GTIG) uncovered a sophisticated intrusion campaign by a newly tracked threat actor, UNC6692. This group leveraged persistent social engineering, a custom modular malware suite, and clever lateral movement to achieve deep network penetration. The attack chain relied heavily on impersonating IT helpdesk staff via Microsoft Teams, then tricking the victim into installing a malicious AutoHotKey-based payload and a custom Chromium browser extension called SNOWBELT. This guide breaks down each phase of the attack so defenders can understand the tactics and build stronger defenses.

Source: www.mandiant.com

What You Need (to Understand This Attack)

  • Basic knowledge of Windows operating system and common enterprise software (Microsoft Teams, Outlook, Edge)
  • Familiarity with AutoHotKey scripting and its behavior when a script shares the same name as the binary
  • Understanding of Chromium browser extension installation methods (non-Web Store)
  • Knowledge of Windows persistence mechanisms: Startup folder and Scheduled Tasks
  • Access to a sample of the malicious HTML page hosted on AWS S3 (for analysis, not execution)

Step-by-Step Breakdown of UNC6692's Attack

Step 1: The Email Barrage – Creating Distraction and Urgency

The campaign began with a large-scale email campaign targeting a single organization. Attackers flooded the victim’s inbox with an overwhelming number of messages, deliberately creating a sense of urgency and cognitive overload. This distraction made the victim more likely to ignore security warnings and respond impulsively to subsequent communications.

Step 2: The Microsoft Teams Phishing Invitation

Shortly after the email flood, the attacker initiated a Microsoft Teams chat request from an external account. The chat impersonated the organization’s IT helpdesk personnel, claiming to have detected the email volume issue and offering to install a “local patch” to stop the spamming. The message included a link to an HTML page hosted on an attacker-controlled AWS S3 bucket.

Step 3: The Compromised Web Page Serves Payloads

When the victim clicked the link, the browser opened update.html (disguised as a Microsoft Spam Filter update page). This HTML page initiated a download of two files: a renamed AutoHotKey binary and an AutoHotKey script sharing the exact same filename. Because of how AutoHotKey works—if a binary and script have the same name in the same directory, the binary automatically runs the script without extra arguments—the attacker ensured seamless execution.

Step 4: Initial Reconnaissance via AutoHotKey

Once executed, the AutoHotKey script performed immediate reconnaissance commands (exact commands not recovered). It also installed the SNOWBELT browser extension. This custom Chromium extension was not distributed through the Chrome Web Store but loaded directly from a local path. The script also set up persistence mechanisms to keep SNOWBELT running after reboot.

Step 5: Persistence – Startup Folder and Scheduled Task

UNC6692 used two established persistence methods:

  • Startup Folder Shortcut: A shortcut to an AutoHotKey script was placed in the Windows Startup folder. This script (recovered by analysts) checks whether SNOWBELT is running and, if not, re-executes the payload.
  • Scheduled Task: The same script also attempts to locate a Scheduled Task within the root folder of the Task Scheduler. If found, it runs the headless Edge browser with a specific user-data directory and the SNOWBELT extension loaded.

Here is a snippet demonstrating the persistence logic:

; Only act if the SNOWBELT-hosting headless Edge instance is not already running
if !CheckHeadlessEdge(){
   try{
      ; Connect to the Task Scheduler via COM and look in the root task folder
      taskService:=ComObject("Schedule.Service")
      taskService.Connect()
      rootFolder:=taskService.GetFolder("\")
      ; Preferred path: trigger the planted Scheduled Task and wait for Edge to start
      if FindAndRunTask(rootFolder){
         Sleep 10000
         if CheckHeadlessEdge(){
            ExitApp
         }
      }
   }
   ; Fallback: launch headless Edge directly with a dedicated profile and the extension sideloaded
   Run 'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft

Conclusion and Defensive Tips

Understanding this attack chain helps security teams recognize the subtle signs of social engineering combined with custom malware delivery. The use of legitimate tools (AutoHotKey) and platforms (Teams, AWS) makes detection harder. Below are key takeaways and recommendations.

Tips for Defending Against Similar Campaigns

  • Enforce external chat restrictions: Configure Microsoft Teams to block or warn users about chat invitations from external domains unless explicitly allowed.
  • Audit and restrict AutoHotKey usage: Monitor for AutoHotKey executions, especially binaries with matching script files in the same directory. Consider application whitelisting.
  • Block non-Store browser extensions: Use group policies to prevent loading of unpacked extensions from local paths. Chromium-based browsers can enforce this via ExtensionInstallBlocklist.
  • Implement user awareness training: Teach employees to verify helpdesk requests through a separate channel (e.g., phone call) before clicking links or installing software.
  • Monitor for unusual AWS S3 access: Look for downloads from unfamiliar S3 buckets, especially those with filenames mimicking IT update pages.
  • Inspect Scheduled Tasks and Startup items: Regularly audit startup folders and task scheduler for unexpected entries referencing headless browser processes or AutoHotKey scripts.
  • Deploy endpoint detection rules: Create detections for the specific command line pattern used to launch headless Edge with a user-data directory and extension load.
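The two detections suggested above (the headless-Edge launch pattern, and an AutoHotKey binary sitting beside a same-named script) as an added Python example; it is not code from the original report and runs over constructed process-creation events, not real telemetry. The field names (image, cmdline, original_file_name, dir_listing) and all file names are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Switches that together reproduce the headless-Edge launch in the recovered
# startup script: separate profile, headless mode, unpacked extension.
SUSPECT_EDGE_FLAGS = {"user-data-dir", "headless", "load-extension"}

def chromium_flags(cmdline: str) -> dict:
    """Map --flag or --flag=value pairs from a command line; values may be quoted."""
    flags = {}
    for m in re.finditer(r'--([A-Za-z0-9-]+)(?:=("[^"]*"|\S+))?', cmdline):
        flags[m.group(1)] = (m.group(2) or "").strip('"')
    return flags

def is_headless_edge_sideload(cmdline: str) -> bool:
    """True when msedge.exe starts headless with a sideloaded extension and own profile."""
    if not re.search(r"msedge\.exe", cmdline, re.IGNORECASE):
        return False
    return SUSPECT_EDGE_FLAGS.issubset(chromium_flags(cmdline))

def ahk_same_name_script(image: str, listing, original_file_name: str = "") -> Optional[str]:
    """AutoHotKey runs <name>.ahk beside <name>.exe with no arguments, so a renamed
    binary is betrayed by its PE OriginalFileName or by that sibling script."""
    stem = PureWindowsPath(image).stem.lower()
    for entry in listing:
        p = PureWindowsPath(entry)
        if p.suffix.lower() == ".ahk" and p.stem.lower() == stem:
            return entry
    return original_file_name if "autohotkey" in original_file_name.lower() else None

def triage(events):
    """Apply both rules to process-creation events and return (rule, evidence) pairs."""
    hits = []
    for ev in events:
        if is_headless_edge_sideload(ev["cmdline"]):
            hits.append(("headless_edge_sideload", ev["cmdline"]))
        script = ahk_same_name_script(ev["image"], ev.get("dir_listing", []), ev.get("original_file_name", ""))
        if script:
            hits.append(("ahk_same_name_script", script))
    return hits

# Constructed events; file names are placeholders, not the campaign's real artifacts.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\victim\Downloads\SpamFilterUpdate.exe", "original_file_name": "AutoHotkey.exe",
     "cmdline": r'"C:\Users\victim\Downloads\SpamFilterUpdate.exe"',
     "dir_listing": ["SpamFilterUpdate.exe", "SpamFilterUpdate.ahk", "update.html"]},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                r'--user-data-dir="C:\Users\victim\AppData\Local\Microsoft\Edge\System Data" '
                r'--headless=new --load-extension="C:\Users\victim\AppData\Local\Microsoft\ext"'},
]
```

A normal Edge launch (profile switch only, or headless without --load-extension) does not match, so the rule keys on the combination rather than on headless mode alone.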

By learning from the email barrage to the persistence setup, defenders can better anticipate and neutralize similar social engineering-driven malware campaigns.
