VHR20251126 - November 26, 2025
The Mandiant Intelligence Validation Research Team (VRT) has published VHR20251126 - Content Expansion. This content pack requires Director version 4.12.1.0-0 or higher.
If you’ve enabled the Content Service, this content pack will be downloaded and applied to your Director automatically. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.
Summary of Changes
- 89 Actions added
- 66 Files added
- 20 Actions retired
- 13 Actions updated
Release Highlights
- New Actions demonstrating Campaign 25-059, used by UNC6322 to deploy SHADOWLADDER.IDAT payloads in multiple compromises of US and French organizations.
- New Actions demonstrating Campaign 25-058, a campaign by the financially motivated actor UNC6276 that compromises ESXi infrastructure and Windows domain environments for ransomware deployment by exploiting CVE-2024-37085 and using SYSTEMBC.
- New Actions for Campaign 25-060 by UNC6394 delivering POUNDFALL via malicious ads and SEO poisoning.
- New Actions demonstrating Campaign 25-063, a campaign by the unknown threat group UNC6389 that leverages Google Advertisements and ClickFix to deploy CastleBot.
- New Actions covering Campaign 25-065 where UNC6468 delivers the DAYSHROUD backdoor via malvertising to distribute a trojanized calendar application.
- New Actions demonstrating Campaign 25-064, a campaign by the China-nexus group UNC6428 that leverages hijacked Sogou software to deliver the SISNITCH backdoor.
- New Actions demonstrating Campaign 25-073 by UNC6473 distributing malware via social engineering and obfuscated PowerShell.
- New Actions demonstrating Campaign 25-052, a North Korea espionage campaign by UNC6264 that leverages spear-phishing and steganography to deliver the DOGCALL backdoor via PINELINK.
- New Action demonstrating Campaign 25-054, a campaign by UNC6373 that deploys a multi-stage payload using obfuscated PowerShell, including CURLYFENCE.
- New Actions demonstrating Campaign 25-066, a China-nexus espionage campaign by UNC6478 targeting European government and diplomatic sectors via SOGU.SEC backdoor.
- New Actions demonstrating Campaign 25-077, a campaign by UNC6545 distributing NETSUPPORT RAT via PowerShell downloaders.
- New Actions demonstrating Campaign 25-074, a campaign by the North Korean espionage group UNC6492 that leverages the GLOWDISK and EGGJSE droppers to deliver custom malware including OILPEN, LOGICBOLT, and LOGICBURST.
- New Actions demonstrating Campaign 25-057, a campaign by the suspected Egyptian threat group UNC5937 conducting credential phishing and malware distribution operations against entities across the Middle East and North Africa using RIVERFLOW and SharpC2 malware.
For full details on this release, see the Release Notes on the Mandiant Documentation Portal (https://docs.mandiant.com).