The Mandiant Intelligence Validation Research Team (VRT) has published VHR20251015 - Content Expansion. This content pack requires Director version 4.12.1.0-0 or higher.
If you’ve enabled the Content Service, this content pack will automatically download and be applied to your Director. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.
Summary of Changes
- 54 Actions added
- 41 Files added
- 2 Actions updated
- 37 Files updated
Release Highlights
- New Actions covering BRICKSTORM, a backdoor used by UNC5221 and UNC6201 that can act as a web server, manipulate files, and run shell commands.
- New Actions detailing Campaign 25-051, in which financially motivated actor UNC6361 compromises SonicWall devices to deploy REDBIKE ransomware.
- New Actions demonstrating Campaign 25-056, a campaign by Chinese state-sponsored actor UNC6320 leveraging VSPYTUNNEL.
- New Actions demonstrating Campaign 25-050, a campaign by financially motivated actors UNC6286 and UNC6016 leveraging malvertising to distribute trojanized software and the DISCBURST backdoor.
- New Actions demonstrating Campaign 25-055, a campaign by Iranian espionage group UNC4444 stealing credentials and deploying new malware (NOTESTORY, MOONPLAY, and MOONSNAKE) via compromised Israeli websites.
For full details on this release, see the Release Notes on the Mandiant Documentation Portal.