Validation Content Update - June 3, 2026

chrisf
Staff
VHR20260603 - June 3, 2026

The Mandiant Intelligence Validation Research Team (VRT) has published VHR20260603 - Content Expansion. This content pack requires Director version 4.14.1.0-0 or higher.

If you’ve enabled the Content Service, this content pack will automatically download and be applied to your Director. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.

Summary of Changes

  • 83 Actions added
  • 61 Files added
  • 7 Actions updated
  • 1 File updated

Release Highlights

  • New Actions covering Campaign 26-053, a campaign targeting healthcare and education with obfuscated PowerShell, registry modifications, and discovery via tools such as NLTEST.
  • New Actions covering Campaign 26-054, a China-nexus threat actor UNC6863 campaign deploying SLICKDEMON and BADFALL (QUIC RAT) via software supply chain compromise of DAEMON Tools.
  • A new Action demonstrating Campaign 26-052, a financially motivated actor UNC6780 campaign poisoning software supply chains to compromise CI/CD environments via DUSTMAKER and SANDCLOCK.
  • A new Action demonstrating Campaign 26-055, a campaign by an Actor of Unknown Motivations leveraging ClickFix phishing lures to target multiple organizations, via BLACKWIDOW.
  • A new Action covering Campaign 26-058, describing the deployment of the XMRIG cryptocurrency miner via masqueraded PowerShell.
  • New Actions demonstrating Campaign 26-057, a campaign involving UNC6847 using FLINTWIRE and ADAPTAGENT for PowerShell-based fileless execution and multiple persistence mechanisms.
  • New Actions demonstrating Campaign 26-059, a campaign deploying VIDAR infostealer via NEONSLIDE PowerShell Downloader.
  • New Actions demonstrating Campaign 26-060, a financially motivated software supply chain attack by UNC6780 leveraging GitHub Actions cache poisoning and malicious PyPI packages to deploy the FIRESCALE credential stealer.
  • New Actions demonstrating Campaign 26-062, a campaign by an Eastern Europe-nexus, financially motivated actor deploying ETHERRAT and MATANBUCHUS via a trojanized installer.
  • A new Action covering CVE-2026-0300, an Out-of-bounds Write vulnerability in Palo Alto Networks PAN-OS that allows unauthenticated remote code execution and has been exploited in the wild.
  • A new Action covering UNC2464, an India-based threat cluster that conducts espionage operations targeting the South Asian government sector and Chinese nuclear research entities.
  • A new Action covering financially motivated threat cluster UNC6240, responsible for extortion operations branded under the ShinyHunters name and utilizing SHINYSPIDER.
  • A new Action covering UNC6396, a China-nexus threat group suspected of espionage targeting government organizations in Southeast Asia, observed deploying SHYROOSTER and TACKYPASTA.
  • New Actions covering UNC3569, a suspected China-nexus cyber actor of unknown motivation, reportedly deploying ransomware and using various malware.
  • New Actions describing Campaign 26-056, a financially motivated UNC6801 campaign delivering REMCOS via multi-stage loaders.
  • New Actions demonstrating Campaign 26-036, a supply chain campaign by UNC6780 targeting cloud credential theft and exfiltration via compromised Trivy and LiteLLM software.

For full details on this release, see the Release Notes on the Mandiant Documentation Portal.