VHR20260506 - May 6, 2026
The Mandiant Intelligence Validation Research Team (VRT) has published VHR20260506 - Content Expansion. This content pack requires Director version 4.14.1.0-0 or higher.
If you’ve enabled the Content Service, this content pack will automatically download and be applied to your Director. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.
Summary of Changes
- 273 Actions added
- 111 Files added
- 4 Actions retired
Release Highlights
- New Actions demonstrating Campaign 26-018, exploiting CVE-2026-20127 and CVE-2022-20775 in Cisco Catalyst SD-WAN devices.
- New Actions covering Campaign 26-020, which involves a threat actor deploying WINDSTRIKE malware via trojanized software to establish persistence and evade defenses.
- New Actions demonstrating Campaign 26-023, a campaign by UNC6740 deploying DINODANCE malware using trojanized installers and Deno Runtime for in-memory execution.
- New Actions demonstrating Campaign 26-028, a campaign by APT42 using phishing kits with fake media lures for credential harvesting and deploying TAMECAT and POWERPUG malware.
- New Actions demonstrating Campaign 26-015, a campaign involving actor UNC6674 leveraging Windows batch scripts to deliver a shellcode injector tool, including VALLEYRAT.
- New Actions demonstrating Campaign 26-029, a campaign by UNC3313 and UNC5667 targeting multiple industry verticals globally with custom backdoors and legitimate remote access tools.
- New Actions demonstrating Campaign 26-032, a financially motivated campaign by UNC6769 using MSHTA and obfuscated PowerShell to deploy AMATERASTEALER.
- A new Action covering Campaign 26-024, a campaign by suspected Iranian threat group UNC6729 targeting Israeli citizens with the PANICPOACH Android malware.
- A new Action covering Campaign 26-034, a campaign exploiting CVE-2026-1281 and CVE-2026-1340 in Ivanti EPMM for initial access by a threat actor of unknown motivations.
- A new Action covering Campaign 26-035, concerning an unknown actor leveraging CVE-2026-1731 for initial access via BeyondTrust's Remote Support software.
- New Actions demonstrating Campaign 26-041, a suspected DPRK threat actor campaign leveraging malicious GitHub repositories to deliver BEAVERTAIL.
- New Actions covering Campaign 26-039 by UNC6765, an actor of unknown motivations, leveraging social engineering, living-off-the-land tools such as ANYDESK and CURL, and SSH reverse tunnels for persistence and execution.
- A new Action demonstrating Campaign 26-043, a campaign by financially motivated actor UNC6767 leveraging CVE-2025-55182 and deploying NETSUPPORT.
- New Actions demonstrating Campaign 26-047, in which an actor of unknown motivations exploits CVE-2026-1731 to deploy SPARKRAT.
- New Actions covering Campaign 26-042, a supply chain attack by North Korea-nexus actor UNC1069 deploying SILKBELL and WAVESHAPER backdoor variants.
- A new Action covering Campaign 26-026, a campaign by UNC6724 leveraging CLICKFIX for initial access, followed by MSHTA commands and PowerShell for payload delivery, including BEACON.
- New Actions demonstrating Campaign 26-050, a campaign by unknown threat group UNC6781 targeting US universities with trojanized NSIS installers, hidden Python environments, and NETSUPPORT RAT deployments.
- A new Action demonstrating Campaign 26-049, a campaign by Brazil-nexus threat group UNC5669 executing multi-vector breaches and deploying XWORM.
- New Actions demonstrating Campaign 26-051, a campaign by suspected espionage threat group UNC6723 weaponizing RCLONE to exfiltrate sensitive documents and Telegram data to Mega accounts.
- A new Action covering CVE-2026-34621, an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that allows a remote attacker to execute arbitrary code.
- A new Action covering Campaign 26-037, a campaign by UNC6760 distributing the TIREPATCH downloader via FAKETREFF and ClickFix infection vectors.
For full details on this release, see the Release Notes on the Mandiant Documentation Portal.
