The Mandiant Intelligence Validation Research Team (VRT) has published VHR20250724 - Content Expansion. This content pack requires Director version 4.12.1.0-0 or higher.
If you’ve enabled the Content Service, this content pack will be downloaded and applied to your Director automatically. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.
Summary of Changes
- 39 Actions added
- 37 Files added
- 35 Actions updated
- 11 Files updated
Release Highlights
- New Action demonstrating CVE-2025-53770, an Improper Limitation of a Pathname to a Restricted Directory vulnerability in Microsoft SharePoint Server that allows remote code execution and has been exploited in the wild by UNC6337.
- New Actions demonstrating Campaign 25-027, an APT36 campaign targeting Indian government and defense sectors via the SEEDOOR backdoor.
- New Actions demonstrating activity by UNC3313, an Iran-nexus cyber espionage group targeting Middle Eastern government, telecommunications, and technology entities.
- New Actions demonstrating activity by UNC5187, a suspected Iranian cyber espionage group with moderate-confidence ties to APT34.
- New Actions demonstrating activity by UNC5203, a threat actor that has deployed COOLWIPE wiper malware against Israeli organizations.
- New Actions demonstrating activity by UNC5665, an Iran-affiliated threat group that targeted entities in Iraq using the CACTUSPAL custom backdoor.
- New Actions demonstrating MURKYTOUR, a C++ backdoor with data exfiltration and code execution capabilities, associated with UNC2428.
- New Actions demonstrating JELLYBEAN, a rudimentary C-based backdoor used by Iranian actors TEMP.Zagros and UNC3313.
- New Action demonstrating DODGYLAFFA, a .NET-based passive backdoor deployed by APT34.
- New Actions demonstrating LONEFLEET, a .NET installer malware that drops additional backdoors, associated with UNC2428.
For full details on this release, see the Release Notes on the Mandiant Documentation Portal.