
VHR20250625 - June 25, 2025


The Mandiant Intelligence Validation Research Team (VRT) has published VHR20250625 - Content Expansion. This content pack requires Director version 4.12.1.0-0 or higher.


If you’ve enabled the Content Service, this content pack will automatically download and be applied to your Director. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.


Summary of Changes



  • 25 Actions added

  • 16 Files added

  • 57 Actions updated


Release Highlights



  • New Actions related to Campaign 25-004, a phishing campaign targeting Chrome extension developers conducted by UNC5978.

  • New Actions demonstrating Campaign 25-017, a financially motivated threat actor UNC2465 campaign that uses malvertising to deploy PASTAPUNCH and SMOKEDHAM, sometimes leading to LOCKBIT ransomware.

  • New Action demonstrating Campaign 25-019, a financially motivated actor UNC6138 campaign that deploys HAVOCDEMON and BEACON to target multiple industries.

  • New Actions demonstrating Campaign 25-020, a suspected Russian espionage cluster UNC6139 campaign targeting government and defense entities in southeastern Europe via BLUEHARVEST.

  • New Actions demonstrating Campaign 25-024, an actor of unknown motivations leveraging a fake PDF converter site to deliver BADREAD malware.

  • New Actions demonstrating Campaign 25-025, a campaign targeting Ukrainian organizations to harvest credentials via phishing emails.

  • New Actions demonstrating Campaign 25-026, an India-nexus actor UNC1687 campaign targeting South Asian government organizations via the ICECREAM backdoor and exploiting CVE-2017-11882.


For full details on this release, see the Release Notes on the Mandiant Documentation Portal.
