VHR20260401 - April 1, 2026
The Mandiant Intelligence Validation Research Team (VRT) has published VHR20260401 - Content Expansion. This content pack requires Director version 4.14.1.0-0 or higher.
If you have enabled the Content Service, this content pack is downloaded and applied to your Director automatically. Otherwise, you can download the security content pack from the Mandiant Documentation Portal and apply it manually.
Summary of Changes
- 171 Actions added
- 98 Files added
- 1 Action updated
Release Highlights
- A new Action covering APT34, an Iranian state-sponsored cyber espionage group operational since at least 2014, largely focused on phishing efforts to benefit Iranian nation-state interests.
- New Actions covering UNC5187, a suspected Iranian cyber espionage group with moderate-confidence ties to APT34 that primarily conducts malware deployment operations.
- New Actions covering UNC5667, a suspected subcluster of Iranian espionage actor UNC3313 that primarily conducts custom malware deployment operations via spearphishing against Israel-based organizations.
- A new Action demonstrating Campaign 26-024, a campaign by suspected Iranian threat group UNC6729 targeting Israeli citizens with PANICPOACH Android malware.
- A new Action demonstrating Campaign 26-027, a campaign by UNC6085, a suspected Iranian, espionage-motivated threat actor, that deploys custom backdoors and info-stealers via themed decoys and uses the Telegram API for C2.
- New Actions demonstrating Campaign 26-021, a campaign by Iranian espionage group UNC5866 conducting data mining and operational interference against suspected Israeli targets using SACREDDESK, SACREDGAME, and SPACEHAMMER malware.
- New Actions demonstrating Campaign 25-079, a campaign by UNC6566 that leveraged a supply chain compromise to distribute the 'Shai-Hulud' NPM worm and used TRUFFLEHOG to steal credentials.
- New Actions covering Campaign 26-017, which details an actor of unknown motivations deploying malware via ClickFix lures with scheduled task persistence and Defender evasion.
- New Actions demonstrating Campaign 26-019, a campaign by UNC6572 distributing PALEKEY and DARKKEY malware via fake installers.
- New Actions demonstrating Campaign 26-013, a campaign in which financially motivated threat group UNC6692 leverages SNOWBELT, SNOWGLAZE, and SNOWBASIN for browser-based access, network exploration, and data exfiltration via the LimeWire API.
- A new Action covering Campaign 26-016, a global cyber espionage campaign by PRC-nexus threat actor UNC2814 leveraging the GRIDTIDE backdoor to exfiltrate sensitive subscriber data and monitor private communications.
For full details on this release, see the Release Notes on the Mandiant Documentation Portal.