EXECUTIVE SUMMARY:
UNC6692 is a newly identified threat actor conducting a social engineering-driven intrusion campaign aimed at gaining unauthorized access to enterprise environments. The activity is characterized by impersonation: the threat actors pose as legitimate IT support personnel to deceive employees into initiating or approving remote access sessions. The campaign shows a strong focus on manipulating user trust and abusing collaboration platforms to establish an initial foothold within targeted organizations.
The attack begins with an email bombardment phase designed to distract and confuse the target, followed by a Microsoft Teams message from an external account posing as internal IT support. Victims are directed to a phishing landing page that imitates a legitimate system repair utility and prompts them to download a malicious AutoHotKey-based payload hosted on attacker-controlled cloud infrastructure. Once executed, the payload deploys a modular malware suite whose interdependent components handle persistence, command execution, internal network discovery, credential harvesting, lateral movement, and remote command execution. The operation also uses cloud services for payload delivery and data exfiltration, so that malicious traffic blends with legitimate network activity and evades detection.
UNC6692 demonstrates the growing effectiveness of social engineering-driven intrusions that do not rely on exploiting a software vulnerability for initial access but instead abuse human trust and legitimate enterprise tools. The combination of impersonation, cloud infrastructure abuse, and modular malware points to a shift toward highly adaptive and stealthy intrusion strategies. The campaign underscores the need for stronger verification of external communications, strict controls over collaboration platforms (in particular, which external tenants may message employees over Teams), and continuous monitoring of anomalous user and cloud activity to mitigate similar threats.
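The opening move described above (an email burst against one mailbox, then a Teams chat from an external tenant to the same user) is cheap to detect when mail-flow and Teams audit telemetry are correlated. The following Python rule is an added example and is not code from the original advisory or from the referenced reports; the log field names (`ts`, `recipient`, `sender`, `sender_tenant`), the home tenant `corp.example`, the thresholds (25 messages in 10 minutes, a 2-hour follow-on window) and every event in it are assumptions constructed for the illustration.

```python
"""Correlate an email-bombing burst with a follow-on external Teams message.

Added example, not code from the original advisory or the referenced reports.
Log schemas, field names, thresholds and every event below are assumptions
constructed for the illustration; adapt them to your own mail-flow and Teams
audit telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_TENANT = "corp.example"          # assumed home tenant domain
T0 = datetime(2026, 4, 1, 9, 0, 0)        # constructed reference time (UTC)

# Constructed inbound-mail events: 40 subscription-style messages hit alice's
# mailbox within ten minutes (the bombardment); bob receives three normal mails.
MAIL_EVENTS = [
    {"ts": T0 + timedelta(seconds=15 * i), "recipient": "alice@corp.example",
     "sender": f"newsletter{i}@signup{i % 7}.example"}
    for i in range(40)
] + [
    {"ts": T0 + timedelta(minutes=m), "recipient": "bob@corp.example",
     "sender": "payroll@corp.example"}
    for m in (5, 40, 95)
]

# Constructed Teams chat events. The first is the lure: an external tenant
# posing as IT support contacts alice 14 minutes after the burst began.
TEAMS_EVENTS = [
    {"ts": T0 + timedelta(minutes=14), "recipient": "alice@corp.example",
     "sender": "it-support@helpdesk-external.example",
     "sender_tenant": "helpdesk-external.example"},
    {"ts": T0 + timedelta(minutes=30), "recipient": "bob@corp.example",
     "sender": "carol@corp.example", "sender_tenant": "corp.example"},
    {"ts": T0 + timedelta(minutes=45), "recipient": "bob@corp.example",
     "sender": "vendor@partner.example", "sender_tenant": "partner.example"},
]


def email_bursts(mail_events, window=timedelta(minutes=10), threshold=25):
    """Return {recipient: (start, end, count)} for every mailbox that received
    at least `threshold` inbound messages inside some span of length `window`.
    A sliding window runs over each recipient's sorted timestamps; start/end
    bound the whole period during which the threshold was met."""
    by_rcpt = defaultdict(list)
    for ev in mail_events:
        by_rcpt[ev["recipient"]].append(ev["ts"])
    bursts = {}
    for rcpt, times in by_rcpt.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:      # shrink window from the left
                left += 1
            size = right - left + 1
            if size >= threshold:
                start, _, count = bursts.get(rcpt, (times[left], t, 0))
                bursts[rcpt] = (start, t, max(count, size))
    return bursts


def correlate(mail_events, teams_events, internal_tenant=INTERNAL_TENANT,
              follow_window=timedelta(hours=2)):
    """Flag Teams messages from outside the home tenant that reach a user
    during, or within `follow_window` after, an email burst on that mailbox."""
    bursts = email_bursts(mail_events)
    alerts = []
    for msg in teams_events:
        if msg["sender_tenant"].lower() == internal_tenant.lower():
            continue                                   # internal chat: ignore
        hit = bursts.get(msg["recipient"])
        if hit is None:
            continue                                   # no bombardment: ignore
        start, end, count = hit
        if start <= msg["ts"] <= end + follow_window:
            alerts.append({
                "user": msg["recipient"],
                "external_sender": msg["sender"],
                "sender_tenant": msg["sender_tenant"],
                "burst_messages": count,
                "minutes_after_burst_start":
                    int((msg["ts"] - start).total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(MAIL_EVENTS, TEAMS_EVENTS):
        print(f"ALERT {a['user']}: external Teams contact from "
              f"{a['external_sender']} ({a['sender_tenant']}) "
              f"{a['minutes_after_burst_start']} min after a "
              f"{a['burst_messages']}-message email burst")
```

Run as-is it raises one alert for alice and none for bob, whose external Teams contact is not preceded by a burst. The thresholds are starting points only: tune `window` and `threshold` against a baseline of your own mail volumes, and treat an alert as a trigger to contact the user out of band rather than as proof of compromise, since a burst of legitimate subscription mail followed by a genuine vendor chat will look identical in this telemetry.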
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1608.002 | Stage Capabilities | Upload Tool |
| Resource Development | T1608.005 | Stage Capabilities | Link Target |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1059.010 | Command and Scripting Interpreter | AutoHotKey & AutoIT |
| Execution | T1204.001 | User Execution | Malicious Link |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1559.001 | Inter-Process Communication | Component Object Model |
| Execution | T1569.002 | System Services | Service Execution |
| Persistence | T1176.001 | Software Extensions | Browser Extensions |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Persistence | T1547.009 | Boot or Logon Autostart Execution | Shortcut Modification |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | - |
| Defense Evasion | T1027.010 | Obfuscated Files or Information | Command Obfuscation |
| Defense Evasion | T1027.015 | Obfuscated Files or Information | Compression |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Defense Evasion | T1055.012 | Process Injection | Process Hollowing |
| Defense Evasion | T1070.004 | Indicator Removal | File Deletion |
| Defense Evasion | T1112 | Modify Registry | - |
| Defense Evasion | T1134.001 | Access Token Manipulation | Token Impersonation/Theft |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | - |
| Defense Evasion | T1202 | Indirect Command Execution | - |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1564.001 | Hide Artifacts | Hidden Files and Directories |
| Defense Evasion | T1622 | Debugger Evasion | - |
| Credential Access | T1003.001 | OS Credential Dumping | LSASS Memory |
| Credential Access | T1003.002 | OS Credential Dumping | Security Account Manager |
| Credential Access | T1003.003 | OS Credential Dumping | NTDS |
| Credential Access | T1110.001 | Brute Force | Password Guessing |
| Credential Access | T1110.003 | Brute Force | Password Spraying |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials in Files |
| Discovery | T1007 | System Service Discovery | - |
| Discovery | T1012 | Query Registry | - |
| Discovery | T1016.001 | System Network Configuration Discovery | Internet Connection Discovery |
| Discovery | T1018 | Remote System Discovery | - |
| Discovery | T1033 | System Owner/User Discovery | - |
| Discovery | T1046 | Network Service Discovery | - |
| Discovery | T1057 | Process Discovery | - |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1083 | File and Directory Discovery | - |
| Discovery | T1087.001 | Account Discovery | Local Account |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol |
| Lateral Movement | T1021.002 | Remote Services | SMB/Windows Admin Shares |
| Collection | T1005 | Data from Local System | - |
| Collection | T1074.001 | Data Staged | Local Data Staging |
| Collection | T1113 | Screen Capture | - |
| Collection | T1560.001 | Archive Collected Data | Archive via Utility |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Command and Control | T1572 | Protocol Tunneling | - |
| Exfiltration | T1020.001 | Automated Exfiltration | Traffic Duplication |
| Exfiltration | T1567.002 | Exfiltration Over Web Service | Exfiltration to Cloud Storage |
| Impact | T1489 | Service Stop | - |
REFERENCES:
The following reports contain further technical details:
https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html
https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware/