
Validation Content Update - June 24, 2026



VHR20260624 - June 24, 2026

The Mandiant Intelligence Validation Research Team (VRT) has published VHR20260624 - Content Expansion. This content pack requires Director version 4.14.1.0-0 or higher.

If you’ve enabled the Content Service, this content pack will automatically download and be applied to your Director. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.

Summary of Changes

  • 370 Actions added
  • 329 Files added
  • 14 Actions updated
  • 6 Files updated

Release Highlights

  • New Actions demonstrating Campaign 25-002, where UNC5487 conducts a social engineering campaign to deliver REMCOS and SHADOWLADDER.
  • New Actions demonstrating Campaign 25-082, a suspected Iranian espionage threat actor UNC1549 campaign leveraging TWOSTROKE malware against Azerbaijan and Turkish-based organizations.
  • A new Action covering FLUXWEAVE leveraged in Campaign 25-076 by UNC6527 to deliver a downloader.
  • New Actions demonstrating Campaign 25-039, a distribution cluster UNC1543 campaign leveraging FAKEUPDATES and deceptive lures to facilitate initial access leading to ransomware and extortion.
  • A new Action covering Campaign 25-042, a North Korean Actor UNC1069 campaign employing advanced social engineering, including occasional deepfakes, to deploy macOS malware, such as BIGMACHO, for cryptocurrency theft.
  • A new Action covering Campaign 26-059, which involves the deployment of VIDAR infostealer via the NEONSLIDE PowerShell downloader.
  • New Actions demonstrating Campaign 26-060, a financially motivated actor UNC6780 campaign conducting a software supply chain attack via GitHub Actions cache poisoning and deploying the FIRESCALE credential stealer.
  • New Actions demonstrating Campaign 26-063, a Chinese Espionage Threat Actor campaign deploying BADTILE and using RegSvr32 Scriptlet Bypass for execution.
  • New Actions demonstrating Campaign 26-071, an Iran-nexus threat group UNC5795 campaign conducting espionage operations against Middle Eastern targets using HOTAIRAEROSTAT and TREEWORLD.
  • A new Action covering Campaign 26-014, a North Korea-nexus threat actor UNC5342 campaign deploying Python backdoors, including JADESNOW, to target GitHub repositories for unauthorized code modification.
  • A new Action covering Campaign 26-072, a China-nexus financial gain actor UNC6727 campaign deploying SUNBRICKED malware via a trojanized VPN installer.
  • New Actions demonstrating Campaign 26-080, a campaign by a financially motivated actor deploying malicious LNK payloads via fake browser updates to establish persistence with OAKSHADE and RIVERSTONE.
  • New Actions covering UNC5669, a threat cluster of unknown motivation active since July 2024 that has used social engineering tactics to gain access to networks and exfiltrate code documents.
  • New Actions covering UNC4769, a financially motivated threat cluster that has monetized access via PLAYCRYPT ransomware and frequently used BEACON.
  • New Actions demonstrating Campaign 26-075, a campaign by UNC6633 that deploys JADECLIP malware via trojanized software to impair defenses and establish remote access, targeting entities in China and Taiwan.
  • New Actions covering financially motivated threat cluster UNC2165, which deploys various ransomware families including HADES, LOCKBIT, CONTI, and RANSOMHUB.
  • A new Action covering UNC6279, a suspected Russian threat group that uses social engineering and help desk impersonation via phishing or chat platforms to establish AnyDesk sessions and deploy VEILDRIVE malware.
  • New Actions covering UNC6240, a financially motivated threat cluster primarily responsible for the extortion phase of operations branded under the ShinyHunters name.
  • A new Action covering UNC6492, an espionage-motivated threat cluster targeting South Korean entities in various sectors.
  • New Actions covering UNC6863, a suspected China-nexus actor that has leveraged a supply chain compromise of DAEMONTOOLS to deploy BADFALL and SLICKDEMON to compromised systems.
  • New Actions covering UNC6828, a suspected Russian threat group motivated by financial gain that has been identified using a command-and-control framework dubbed “Tuk Tuk” and leveraged Anthropic’s Claude LLM to facilitate its cloud-native intrusion activities.
  • A new Action covering financially motivated threat cluster UNC5142, which compromises vulnerable WordPress sites to distribute malicious payloads via CLEARFAKE malware, with observed final payloads including AMADEY and LUMMAC.V2.
  • A new Action covering UNC6868, a suspected Eastern Europe-nexus threat group leveraging malicious scripts and multi-stage downloads to deploy SHUBSTAKE to target user credentials, browser data, and cryptocurrency assets.
  • New Actions covering BLUEBEAM, a publicly available webshell management tool written in Java, which can generate webshell payloads and has 20 built-in modules.
  • New Actions covering UNC6876, a suspected Chinese cyber espionage group that deploys the HEAVYMETAL backdoor to compromise victim accounts globally.

For full details on this release, see the Release Notes on the Mandiant Documentation Portal.