Current Cyber Threats

SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics

Summary:
Campaigns observed in October and November 2025, tracked under the temporary intrusion set SHADOW-VOID-042, targeted several high-value sectors, including energy, defense, pharmaceuticals, and cybersecurity, according to Trend Micro. These activities display significant infrastructure and TTP overlap with previously documented campaigns attributed to the Void Rabisu (ROMCOM) intrusion set, a group with financial and espionage motivations aligned with Russian interests.

The November 2025 campaign used spear-phishing emails with a Trend Micro-themed social engineering lure, urging executives and upper management in sectors such as cybersecurity, IT, energy, and logistics to install a fake security update for Trend Micro Apex One. The campaign was detected and blocked by Trend Micro. Because it was intercepted early, the final payload was never observed. An old 2018 Chrome exploit was detected in lab testing; more recent exploits were likely used in the actual campaign, but the early interception meant they did not appear in Trend Micro's telemetry.
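The lure above works only if the recipient runs an unsigned or wrongly signed installer. As an added example that is not part of the Trend Micro report or the bulletin, the following PowerShell script refuses to run an installer unless its Authenticode signature is valid and its signer matches a pinned publisher pattern; the default pattern `*CN=Trend Micro*` is an assumption and should be replaced with the subject string taken from a known-good, vendor-downloaded installer. It also reports whether the file carries a Mark-of-the-Web zone identifier, which is how a browser- or mail-delivered file differs from one fetched by the vendor's own update agent.

```powershell
# Added example: gate installer execution on a valid Authenticode signature
# from a pinned publisher. ExpectedSubjectPattern is an ASSUMPTION; take the
# real value from a known-good installer's certificate subject.
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,
    [string]$ExpectedSubjectPattern = '*CN=Trend Micro*'   # assumption / placeholder
)

function Get-DownloadZone {
    param([string]$Path)
    # Files saved from a browser or mail client carry a Zone.Identifier
    # alternate data stream; ZoneId=3 means "Internet". Absence returns $null.
    try {
        $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        return ($zone | Where-Object { $_ -match '^ZoneId=' }) -replace '^ZoneId=', ''
    } catch {
        return $null
    }
}

function Test-TrustedInstaller {
    param([string]$Path, [string]$SubjectPattern)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Zone = $null; Reason = 'file not found' }
    }

    $zone = Get-DownloadZone -Path $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # Status must be Valid: unsigned, self-signed, expired or tampered binaries fail here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Zone = $zone; Reason = "signature status: $($sig.Status)" }
    }

    # A valid signature from an arbitrary publisher is not enough; pin the signer subject.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike $SubjectPattern) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Zone = $zone; Reason = "unexpected signer: $subject" }
    }

    return [pscustomobject]@{ Path = $Path; Trusted = $true; Zone = $zone; Reason = "signed by $subject" }
}

$result = Test-TrustedInstaller -Path $InstallerPath -SubjectPattern $ExpectedSubjectPattern
$result | Format-List

# Non-zero exit so a deployment script or help-desk runbook stops here.
if (-not $result.Trusted) { exit 1 }
```

Run it as `.\Test-Installer.ps1 -InstallerPath C:\Users\alice\Downloads\update.exe` before anything delivered by email is executed. A `Zone` value of 3 together with a failed signature check is exactly the combination a fake "security update" lure produces, and is worth logging to the SIEM even when the user never ran the file.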

The October 2025 campaign also used spear-phishing, targeting executives and HR employees with socially engineered lures such as alleged HR harassment complaints or requests to join questionnaires. The HR complaints were particularly effective due to their urgent nature. The two campaigns remain tracked separately until more definitive data allows for merging the intrusion sets. Trend Vision One successfully stopped both campaigns early in the infection chain, which prevented the deployment of a final payload.

Security Officer Comments:
The SHADOW-VOID-042 campaigns share certain characteristics (infrastructure, TTPs, and targeting) with Void Rabisu, a group that has evolved from financially motivated ransomware deployment (Cuba ransomware) to more targeted espionage attacks against Ukraine and its allies since 2022, often using the ROMCOM backdoor and zero-day exploits. Even so, there’s not enough evidence for a high-confidence attribution. The use of highly effective, tailored social engineering lures, particularly the Trend-themed fake update and sensitive HR complaints, highlights a disciplined targeting methodology against executives and key employees in critical infrastructure and defense-related sectors. Although attribution remains at a low-confidence level, it’s advised that organizations treat this threat as an evolving, top-tier APT utilizing TTPs historically associated with Void Rabisu.

Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
IOCs: https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html

Link(s):
https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html