
VHR20260304 - March 4, 2026


mikemeeks
Staff

The Mandiant Intelligence Validation Research Team (VRT) has published VHR20260304 - Content Expansion. This content pack requires Director version 4.14.1.0-0 or higher.

If you’ve enabled the Content Service, this content pack will automatically download and be applied to your Director. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.

Summary of Changes

  • 72 Actions added
  • 30 Files added

Release Highlights

  • New Actions demonstrating Campaign 26-009, a campaign distributing Node.js-based malware via fake trading installers, utilizing a 'Bring Your Own Interpreter' technique and modifying Windows Defender exclusions.
  • New Actions covering Campaign 26-004, a financially motivated actor campaign exploiting CrushFTP to deploy TRIDENT ransomware and leveraging WAVECALL, SIRENSONG, and ANYDESK.
  • New Actions demonstrating Campaign 26-008, a TEMP.Hex campaign distributing SOGU via USB flash drives.
  • New Actions demonstrating Campaign 26-007, a China-nexus threat actor campaign targeting SAP infrastructure for persistence and lateral movement, deploying POISONPLUG, MICROSHELL, POISONPLUG.SHADOW, SQUASHBUG, and VINEBORER.
  • New Actions demonstrating Campaign 26-012, a financially motivated campaign leveraging compromised credentials to deploy AGENDA ransomware and exfiltrate data.
  • New Actions demonstrating Campaign 26-002, a financially motivated UNC6590 campaign deploying XMRIG cryptominer and staging TRUFFLEHOG for credential harvesting on Linux servers.
  • New Actions demonstrating Campaign 26-011, a suspected Iranian espionage group UNC6446 campaign utilizing employment-themed social engineering to distribute RATTLEPULL and SUPERSEDAN malware.
  • A new Action covering Campaign 26-010, describing how UNC2565 resumed distributing GOOTLOADER via SEO poisoning and malicious JScript files.
  • New Actions covering DRYNOTE, a C++ backdoor attributed to UNC6688 that relies on being loaded in memory as raw shellcode.
  • New Actions covering CVE-2025-14847, an Improper Handling of Length Parameter Inconsistency vulnerability (MongoBleed) in MongoDB Server allowing sensitive information disclosure.

For full details on this release, see the Release Notes on the Mandiant Documentation Portal.