The Mandiant Intelligence VRT is pleased to announce the availability of a new Headline Release - VHR20250724

VHR20250724 - July 24, 2025

The Mandiant Intelligence Validation Research Team (VRT) has published VHR20250724 - Content Expansion. This content pack requires Director version 4.12.1.0-0 or higher.

If you’ve enabled the Content Service, this content pack will automatically download and be applied to your Director. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.

Summary of Changes

  • 39 Actions added
  • 37 Files added
  • 35 Actions updated
  • 11 Files updated

Release Highlights

  • New Action demonstrating CVE-2025-53770, an Improper Limitation of a Pathname to a Restricted Directory vulnerability in Microsoft SharePoint Server that allows remote code execution and has been exploited in the wild by UNC6337.
  • New Actions demonstrating Campaign 25-027, an APT36 campaign targeting Indian government and defense sectors via the SEEDOOR backdoor.
  • New Actions demonstrating activity by UNC3313, an Iran-nexus cyber espionage group targeting Middle Eastern government, telecommunications, and technology entities.
  • New Actions demonstrating activity by UNC5187, a suspected Iranian cyber espionage group with moderate-confidence ties to APT34.
  • New Actions demonstrating activity by UNC5203, a threat actor that has deployed COOLWIPE wiper malware against Israeli organizations.
  • New Actions demonstrating activity by UNC5665, an Iran-affiliated threat group that targeted entities in Iraq using the CACTUSPAL custom backdoor.
  • New Actions demonstrating MURKYTOUR, a C++ backdoor with data exfiltration and code execution capabilities, associated with UNC2428.
  • New Actions demonstrating JELLYBEAN, a rudimentary C-based backdoor used by Iranian actors TEMP.Zagros and UNC3313.
  • New Action demonstrating DODGYLAFFA, a .NET-based passive backdoor deployed by APT34.
  • New Actions demonstrating LONEFLEET, a .NET installer malware that drops additional backdoors, associated with UNC2428.

For full details on this release, see the Release Notes on the Mandiant Documentation Portal.

Mandiant Intelligence VRT
11951 Freedom Drive, 6th Floor
Reston, VA 20190

www.mandiant.com/advantage/security-validation

The information about the Product(s) and/or Services (collectively, "Products") referred to herein and the distribution list to which this document is attached (the "Notice") constitute Mandiant confidential information. This Notice is provided for the sole use of Mandiant, its authorized channel partners and end-users, and other intended recipients. This Notice does not change any contract with Mandiant and is subject to the applicable purchase/confidentiality terms of the contract(s) between each recipient and Mandiant. Although Mandiant is attempting to provide accurate and up-to-date information about the Product(s), the information is subject to change and Mandiant may update or modify this Notice in its sole discretion.

Recipients may not disclose or redistribute this Notice or any part of it to any third party without Mandiant's prior written consent. Any reference to non-Mandiant products/services is for informational purposes only and does not constitute an endorsement/recommendation unless explicitly stated.

©2023 Mandiant, Inc. All rights reserved. Mandiant is a registered trademark of Mandiant, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. You are receiving this email because you are a customer or partner of Mandiant, and we are processing your personal data for the performance of a contract.

Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043
