<div class="block-paragraph_advanced"><p>Written by: JP Glab, Tufail Ahmed, Josh Kelley, Muhammad Umair</p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration. </span></p> <p><span style="vertical-align: baseline;">As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization. The UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware, and a malicious browser extension, playing on the victim’s inherent trust in several different enterprise software providers. </span></p> <h3><span style="vertical-align: baseline;">Threat Details</span></h3> <p><span style="vertical-align: baseline;">In late December 2025, UNC6692 conducted a large email campaign designed to overwhelm the target with messages, creating a sense of urgency and distraction. Following this, the attacker sent a phishing message via Microsoft Teams, posing as helpdesk personnel offering assistance with the email volume.</span></p> <h4><span style="vertical-align: baseline;">Infection Chain</span></h4> <p><span style="vertical-align: baseline;">The victim was contacted through Microsoft Teams and was prompted to click a link to install a local patch that prevents email spamming. Once clicked, the user’s browser opened an HTML page and ultimately downloaded a renamed AutoHotKey binary and an AutoHotkey script, sharing the same name, from a

Read Full Article at Mandiant Blog →