The Mandiant Intelligence Validation Research Team (VRT) has published VHR20250423 - Content Expansion. This content pack requires Director version 4.12.1.0-0 or higher.
If you’ve enabled the Content Service, this content pack will automatically download and be applied to your Director. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.
Summary of Changes
- 37 Actions added
- 30 Files added
Release Highlights
- New Actions demonstrating Campaign 24-078, an India-nexus espionage actor UNC1687 campaign leveraging CVE-2017-0199 and CVE-2023-38831 to target government, defense, and maritime shipping entities in South and East Asia.
- New Action demonstrating Campaign 24-079, a campaign leveraging FAKETREFF to deploy and execute the VOLTMARKER downloader along with the NIGHTROPE dropper.
- New Actions demonstrating Campaign 24-080, a suspected China-nexus actor UNC5923 campaign that deploys the SIGSEGA Linux backdoor.
- New Actions demonstrating Campaign 24-081, where UNC5936 exploited vulnerabilities CVE-2024-55956 and CVE-2024-50623 for initial access, deploying GOLDVEIN, GOLDTOMB, and BEACON malware.
- New Actions demonstrating Campaign 24-083, a financially motivated campaign distributing CURLYGATE via fake software installers.
- New Actions demonstrating Campaign 24-086, a suspected Iranian-nexus actor UNC5625 campaign that deploys the PINEDROP backdoor to target Middle Eastern technology companies and government entities.
- New Actions demonstrating Campaign 25-002, an actor of unknown motivations using WhatsApp to deliver REMCOS and SHADOWLADDER.
- New Action demonstrating Campaign 25-003, a suspected Russian-nexus espionage campaign leveraging compromised infrastructure and SSH keys to access sensitive victim data and deploy LOGKEYS.
- New Action demonstrating Campaign 25-005, exploiting CVE-2024-20953 to deploy RMM tools and tunnelers, including LIGOLONG and CLOUDFLARED, by threat actor UNC5883.
- New Actions demonstrating Campaign 25-008, a financially motivated campaign distributing COILGRAB, COILHATCH, ECHODRIFT, and XWORM via fake AI video generator websites, attributed to UNC6032.
- New Action demonstrating Campaign 25-009, where an actor of unknown motivation, UNC5904, leverages malicious advertisements to deliver DENSEDROP.
- New Actions demonstrating Campaign 25-010, a financially motivated threat actor UNC5996 campaign leveraging malicious YouTube video descriptions to distribute NETSUPPORT.
- New Action demonstrating Campaign 25-011, a campaign involving the use of fake CAPTCHAs to lure victims into running malicious mshta.exe commands to download and subsequently run CROSSTRICK.
For full details on this release, see the Release Notes on the Mandiant Documentation Portal.