The Mandiant Intelligence Validation Research Team (VRT) has published VHR20260204 - Content Expansion. This content pack requires Director version 4.14.1.0-0 or higher.
If you’ve enabled the Content Service, this content pack will automatically download and be applied to your Director. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.
Summary of Changes
- 50 Actions added
- 30 Files added
Release Highlights
- New Actions demonstrating Campaign 25-082, a campaign by suspected Iranian espionage threat actor UNC1549 leveraging TWOSTROKE malware against organizations in Azerbaijan and Turkey.
- New Actions detailing Campaign 25-080, a campaign by UNC6560 that leverages CVE-2025-59287 for payload delivery and persistence of POISONPLUG.SHADOW.
- New Actions covering Campaign 25-081, a campaign by UNC6553 leveraging SURFCAKE to gain initial access and deliver additional malware.
- New Actions demonstrating Campaign 25-085, a campaign by financially motivated actors exploiting CVE-2025-55182 to deploy XMRIG cryptominers.
- A new Action demonstrating Campaign 25-072, a campaign by financially motivated actor UNC6357 leveraging Microsoft SharePoint vulnerabilities and deploying LOCKBIT ransomware.
- New Actions demonstrating Campaign 26-001, a campaign by financially motivated actor UNC6602 exploiting CVE-2025-55182 and deploying HOTTEA malware to hijack Nginx for malicious redirects.
- New Actions demonstrating Campaign 25-088, a campaign by unknown threat actor UNC6599 targeting macOS systems via ATOMICPROMPT.
For full details on this release, see the Release Notes on the Mandiant Documentation Portal.