Defending Against the Snow Flurries Campaign: A Technical Analysis of UNC6692's Social Engineering and Custom Malware Suite
Overview
In late December 2025, the newly tracked threat group UNC6692 executed a sophisticated, multi-stage intrusion campaign that combined persistent social engineering, a custom modular malware suite, and adept lateral movement. Dubbed Snow Flurries, this campaign demonstrates a dangerous evolution in attacker tradecraft—particularly the abuse of enterprise communication tools and custom browser extensions. This guide provides a detailed, step-by-step breakdown of the attack chain, from initial contact through persistence, and offers defensive recommendations.

By understanding each phase, security teams can better anticipate similar tactics and harden their environments. The campaign relied heavily on impersonating IT helpdesk staff to lower victim guard, a method that succeeded despite basic security awareness training.
Prerequisites
To fully follow this analysis, readers should be familiar with:
- Social engineering techniques (pretexting, urgency)
- Microsoft Teams and its external chat capabilities
- AutoHotKey scripting and its auto-run behavior
- Chromium browser extension architecture (manifest, permissions)
- Windows persistence mechanisms (Startup folder, Scheduled Tasks)
- General knowledge of AWS S3 and phishing lures
No malware samples are required, but a test lab with EDR logging is helpful for simulating detection.
Step-by-Step Analysis of the Infection Chain
Step 1: Email Flooding and Teams Lure
UNC6692 initiated the attack with a broad email campaign designed to overwhelm the target with messages—creating confusion and a sense of urgency. Shortly after, an attacker posing as internal IT helpdesk sent a Microsoft Teams chat invitation from an account outside the organization. The pretext: “We noticed abnormal email volume; click this patch link to stop the spam.”
Technical detail: The Teams message contained a link to https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html. This HTML page was the initial payload delivery mechanism.
Step 2: Browser-Based Payload Delivery
The victim, after clicking the link, opened an HTML page in their default browser. The page appeared to be a legitimate “Microsoft Spam Filter Update” interface. Behind the scenes, it triggered the download of two files from the same AWS S3 bucket:
- A renamed AutoHotKey binary (e.g., update.exe)
- An AutoHotKey script sharing the same filename but with the .ahk extension
AutoHotKey has a hidden feature: if the binary and script share the same base name in the same directory, the binary automatically executes the script without additional command-line arguments. This allowed the attacker to run arbitrary script code silently.
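A defender's hunt for exactly this file pairing, added here as an example (it is not code from the report, from UNC6692's toolset or from the AutoHotKey project): it walks a directory for any .exe with a same-stem .ahk sibling and checks whether the .exe looks like a renamed AutoHotKey interpreter. The "AutoHotkey" product-string heuristic and the sample file names are assumptions of this example.

```python
"""Hunt a directory for the AutoHotKey same-name auto-run pairing described in Step 2."""
from pathlib import Path
import tempfile

# Heuristic (an assumption of this example, not a finding of the report): AutoHotKey
# interpreter builds carry an "AutoHotkey" product string in their version resource, stored
# as UTF-16LE like every PE version string, so a renamed copy still contains it.
AHK_MARKERS = (b"AutoHotkey", "AutoHotkey".encode("utf-16-le"))


def looks_like_ahk_binary(exe: Path) -> bool:
    """Cheap check for a renamed AutoHotKey interpreter: scan the bytes for the marker."""
    data = exe.read_bytes()
    return any(marker in data for marker in AHK_MARKERS)


def find_autorun_pairs(directory: Path) -> list[dict]:
    """Return every .exe that has a same-stem .ahk sibling, the layout AutoHotKey auto-runs."""
    hits = []
    for exe in directory.glob("*.exe"):
        script = exe.with_suffix(".ahk")
        if not script.exists():
            continue
        hits.append({
            "exe": exe.name,
            "script": script.name,
            # a binary that is AutoHotKey but is not named like it is the strongest signal
            "renamed_ahk": looks_like_ahk_binary(exe)
            and not exe.stem.lower().startswith("autohotkey"),
        })
    return hits


def build_demo_dir() -> Path:
    """Constructed sample data: a throwaway folder mimicking the dropped-file layout."""
    d = Path(tempfile.mkdtemp())
    # stand-in for the renamed interpreter: not a real PE, just the UTF-16LE product string
    (d / "update.exe").write_bytes(b"MZ" + b"\0" * 64 + "AutoHotkey".encode("utf-16-le"))
    (d / "update.ahk").write_text("; stand-in for the unrecovered script\n")
    (d / "setup.exe").write_bytes(b"MZ" + b"\0" * 64)  # unrelated exe without a sibling
    (d / "notes.ahk").write_text("; orphan script, no matching exe\n")
    return d


if __name__ == "__main__":
    for hit in find_autorun_pairs(build_demo_dir()):
        print(hit)
```

Point find_autorun_pairs at user-writable locations such as Downloads and %TEMP% when hunting; a pair whose .exe is flagged renamed_ahk is the Step 2 dropper layout.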
Step 3: Initial Reconnaissance and Extension Installation
Though the specific .ahk script was not recovered, forensic evidence shows it executed initial reconnaissance commands and installed SNOWBELT, a custom malicious Chromium browser extension. The extension was loaded from the local filesystem, not the Chrome Web Store, bypassing typical vetting. The script likely included code to:
- Collect system information (OS, installed software, network)
- Write and execute a small launcher for the extension
- Establish persistence (see Step 4)
Step 4: Persistence Mechanisms
UNC6692 used multiple methods to ensure the extension remained active across reboots:
- Startup Folder Shortcut: A shortcut to the AutoHotKey script (or a stub) was added to C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. On login, it ran a script that checked whether SNOWBELT was active.
- Scheduled Task: The script created a Scheduled Task to periodically verify the extension's execution. If it was missing, it relaunched a headless Edge browser loading the extension from %LOCALAPPDATA%\Microsoft\Edge\System Data with the --load-extension flag.
Code snippet from recovered script (partial):

    ; CheckHeadlessEdge and FindAndRunTask are defined elsewhere in the script (not recovered)
    if !CheckHeadlessEdge(){
        try{
            ; first try to start the persistence task through the Task Scheduler COM interface
            taskService:=ComObject("Schedule.Service")
            taskService.Connect()
            rootFolder:=taskService.GetFolder("\")
            if FindAndRunTask(rootFolder){
                Sleep 10000
                if CheckHeadlessEdge(){
                    ExitApp
                }
            }
        }
        ; fallback: launch headless Edge directly with the extension from the user profile
        Run 'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft
    }
This code verifies that a headless Edge process is running with the malicious extension. If not, it first tries to start the Scheduled Task through the Task Scheduler COM interface, waits 10 seconds, and exits if that brought the extension up; only when the task is missing or fails does it launch Edge directly. The 10-second Sleep gives the task time to start before the re-check, so the script does not spawn a second Edge instance on top of the one the task started.
Step 5: Lateral Movement and Deep Penetration
With SNOWBELT active, the attackers used it as a foothold for further exploration. The extension could intercept browser traffic, steal credentials, and issue commands via JavaScript. Combined with AutoHotKey’s system-level access, UNC6692 pivoted to other machines, installed additional custom modules (unnamed in the report), and maintained silent persistence. The campaign demonstrated deft pivoting, likely using RDP or SMB with stolen credentials.
Common Mistakes Defenders Make
Over-reliance on Email Security Only
Many organizations focus on email gateways but ignore collaboration tools like Teams. Attackers exploit this gap—ensure your security policies cover external Teams invites and any off-web-store extension loading.
Trusting Native AutoHotKey Execution
AutoHotKey is often overlooked as a scripting platform. Monitor for unusual AutoHotKey binaries (especially if renamed or running from temp directories). EDR rules should flag AutoHotkey.exe or renamed variants.
Ignoring Headless Browser Processes
Headless browsers are commonly used for legitimate automation, but a headless Edge with a local extension path is suspicious. Create alerts for --headless --load-extension flags.
Failure to Hunt for Scheduled Tasks from Scripts
The attacker created a Scheduled Task via COM object. Many security teams ignore tasks created by non-standard processes. Audit tasks for unusual triggers or binary paths under user profiles.
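An audit of exported Task Scheduler XML that applies the two checks just described, action binaries living under user profiles and a headless Edge or Chrome launched with --load-extension, added here as an example and not taken from the report or any vendor tool. The sample task XML, the user-writable path heuristic and the browser name list are assumptions of this example; the XML namespace is the one the Task Scheduler schema uses.

```python
"""Audit an exported Task Scheduler definition for the Step 4 persistence pattern."""
import re
import xml.etree.ElementTree as ET
# Task Scheduler XML namespace (fixed by the schema, not specific to this campaign)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
BROWSERS = {"msedge.exe", "chrome.exe"}
# Locations a non-admin user can write to; a task action living there is suspicious
USER_WRITABLE_RE = re.compile(r"(?i)%(?:LOCAL)?APPDATA%|\\Users\\[^\\]+\\AppData\\|\\Temp\\")
# Splits a Windows command line, keeping --flag="value with spaces" as one token
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')

def check_headless_browser(cmdline: str) -> list[str]:
    """Flag a Chromium browser launched headless with a locally loaded extension."""
    tokens = [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]
    if not any(t.lower().rsplit("\\", 1)[-1] in BROWSERS for t in tokens):
        return []
    flags = {}
    for t in tokens:
        if t.startswith("--"):  # --headless=new and --headless both map to --headless
            name, _, value = t.partition("=")
            flags[name.lower()] = value
    findings = []
    if "--headless" in flags and "--load-extension" in flags:
        findings.append(f"headless browser loading extension from {flags['--load-extension']}")
    profile = flags.get("--user-data-dir", "")
    if profile and not profile.lower().rstrip("\\").endswith("\\user data"):
        findings.append(f"browser profile redirected to {profile}")  # default dir is 'User Data'
    return findings

def audit_task_xml(xml_text: str) -> list[str]:
    """Return findings for every Exec action in one exported task."""
    root = ET.fromstring(xml_text)
    findings = []
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip()
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if USER_WRITABLE_RE.search(cmd):
            findings.append(f"action binary under user-writable path: {cmd}")
        findings += check_headless_browser(f'"{cmd}" {args}')
    return findings

# Constructed sample (not the recovered task): one action from AppData, one headless Edge
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\update.exe</Command></Exec>
    <Exec><Command>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Command>
      <Arguments>--user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft\Edge\System Data\ext"</Arguments></Exec>
  </Actions>
</Task>"""
```

Real exports from schtasks /query /xml are UTF-16; decode them to str before calling audit_task_xml. The same check_headless_browser function can be run over process-creation command lines from EDR telemetry to catch the direct launch path.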
Summary
UNC6692’s Snow Flurries campaign is a textbook example of modern social engineering paired with custom, low-profile malware. The use of AutoHotKey for immediate script execution, a malicious browser extension for persistent access, and multiple persistence layers makes this a challenging threat to detect. Defenders should:
- Extend social engineering awareness to collaboration platforms.
- Restrict or monitor AutoHotKey usage.
- Alert on headless browser processes loading local extensions.
- Harden Scheduled Task policies and startup folder permissions.
By learning from this attack, security teams can build more resilient defenses against similar multi-stage intrusions.