The Mandiant Intelligence Validation Research Team (VRT) has published VHR20250521 - Content Expansion. This content pack requires Director version 4.12.1.0-0 or higher.
If you’ve enabled the Content Service, this content pack will automatically download and be applied to your Director. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.
Summary of Changes
- 22 Actions added
- 19 Files added
- 977 Actions updated
Release Highlights
- New Actions related to the Actors, Malware, and Vulnerabilities in the M-Trends 2025 Report. The M-Trends 2025 Report provides trends analysis, metrics, and learnings drawn from the frontlines of Mandiant incident response investigations and threat intelligence findings between January 1, 2024 and December 31, 2024.
- New Actions demonstrating Campaign 23-022, a suspected Chinese espionage campaign targeting US-based organizations in the defense, technology, and telecommunications sectors.
- New Action demonstrating Campaign 24-003, a financially motivated campaign leveraging a compromised X account to distribute the CLINKSINK drainer.
- New Actions demonstrating Campaign 24-024, a financially motivated campaign by UNC2165 leveraging UNC1543 distribution channels and FAKEUPDATES to deliver COLORFAKE.V2 and MYTHIC payloads.
- New Actions demonstrating Campaign 25-012, an actor of unknown motivations targeting Brazilian users via WhatsApp and phishing emails.
- New Actions demonstrating Campaign 25-013, a phishing campaign distributing HAVOCDEMON by UNC6095.
- New Actions demonstrating Campaign 25-014, where an actor of unknown motivations uses fake CAPTCHAs to distribute LUMMAC.V2.
- New Action demonstrating Campaign 25-015, where an actor of unknown motivations, UNC6089, uses fake reCAPTCHA pages to distribute SHADOWLADDER.IDAT.
- New Actions demonstrating ANTSWORD, a malicious JSP backdoor used by APT41.
For full details on this release, see the Release Notes on the Mandiant Documentation Portal.