Meet UNC6692: The Threat Group Hiding Attacks Inside Legitimate Cloud Traffic

UNC6692 hackers exploit social engineering and malware via AWS to steal credentials, evading traditional security measures.

By Content Team

Apr 28, 2026

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

Google's Threat Intelligence Group and Mandiant have exposed a new financially motivated hacker group called UNC6692, which blends social engineering, custom malware, and AWS S3 buckets to steal credentials.

The group starts by flooding a target's inbox with spam, then impersonates IT help desk staff over Microsoft Teams, tricking victims into clicking a phishing link that silently installs malware — including a rogue browser extension, a Python backdoor, and a persistent remote access tool.

From there, attackers scan internal networks, hijack admin accounts, and dump Windows credential stores. Using legitimate cloud infrastructure lets them slip past traditional security filters undetected.

Source: Dark Reading

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

FBI Probes Cyber Attack on System Containing Surveillance Data

Mar 7, 2026

VS Code Configs Expose GitHub Codespaces to Supply Chain Attacks

Feb 5, 2026

Chinese Hackers Target Asian Organizations With Sophisticated PeckBirdy Malware

Jan 30, 2026

Bitwarden's CLI Tool Was Secretly Weaponized to Steal Cloud Credentials

Apr 25, 2026