
The Mandiant Intelligence Validation Research Team (VRT) has published VHR20250820 - Content Expansion. This content pack requires Director version 4.12.1.0-0 or higher.

If you’ve enabled the Content Service, this content pack will automatically download and be applied to your Director. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.

Summary of Changes

  • 47 Actions added
  • 28 Files added
  • 3 Actions updated
  • 3 Files updated

Release Highlights

  • New Action demonstrating Campaign 25-029, a financially motivated threat actor campaign that uses callback phishing to steal data from legal sector entities in the United States.
  • New Actions demonstrating Campaign 25-031, a China-nexus actor TEMP.Hex campaign that uses spearphishing and DLL hijacking to deliver LIGHTPIPE and WEIRDEGG malware.
  • New Actions demonstrating Campaign 25-033, where an unknown threat actor used compromised webpages to deliver LUMMAC.V2 payloads.
  • New Actions demonstrating Campaign 25-037, a suspected DPRK-nexus actor UNC6288 campaign targeting South Korean embassies via CANDLEFLAME and TREEFROST.
  • New Actions demonstrating Campaign 25-041, a financially motivated threat actor UNC6025 campaign leveraging ATOMIC to target entities in Great Britain and Switzerland.
  • New Actions demonstrating PROMPTSTEAL, a Python-based data miner leveraging the Hugging Face API and the Qwen2.5-LLM to generate Windows commands for data exfiltration, attributed to APT28.

For full details on this release, see the Release Notes on the Mandiant Documentation Portal.
