SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics
Trend Micro researchers have identified a new threat actor, SHADOW-VOID-042, using spear-phishing campaigns with social engineering lures that closely resemble the tactics of the Russian-aligned Void Rabisu group.

In November 2025, Trend Micro researchers detected a targeted spear-phishing campaign that used Trend Micro-themed lures against multiple industry verticals, including defense, energy, chemical, cybersecurity, and ICT companies. The campaign, attributed to a newly tracked intrusion set named SHADOW-VOID-042, was quickly thwarted by the Trend Vision One platform, which blocked the emails and landing pages early in the kill chain. No final payload was observed in Trend's telemetry, but the campaign's sophistication and multi-stage approach raised significant concerns.
The SHADOW-VOID-042 campaign employed a multi-stage attack chain, tailoring each stage to the specific target machine and delivering intermediate payloads only to a select number of targets. The social engineering lure urged users to install a fake update for alleged security issues in Trend Micro Apex One, with email subjects such as "Ensure Browser Security: Address Critical Vulnerabilities" and "Security notice — please check Trend Micro on your device." During lab testing, an old 2018 Chrome exploit was detected, but researchers believe more recent exploits were likely used in the actual campaign.
Trend Micro researchers also linked the November 2025 campaign with high confidence to an earlier campaign in October 2025, which used HR complaints and research participation as social engineering lures. The October campaign targeted executives and HR employees with subjects like "Confidential Report: Ongoing Harassment and Inaction by HR" and "Follow-up on Research Survey – Innovation in Heavy Equipment Design." These lures are particularly effective because HR complaints are hard for targets to ignore, as legitimate complaints may come from anonymous whistleblowers.
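The subject lines quoted for the October and November campaigns are concrete enough to hunt for in mail-gateway logs. The script below is an added example written for this summary, not Trend Micro's own hunting query: it normalizes subjects (dash variants, whitespace, case, trailing punctuation) so the reported lures match however the gateway encoded the punctuation, and it additionally flags any message whose subject names Trend Micro or Apex One but whose sender domain is outside an allowlist. The pipe-delimited log format, the sender addresses under the reserved `.example` domain, and the allowlist are all constructed assumptions for the example.

```python
import re
import unicodedata

# Lure subjects reported for the two SHADOW-VOID-042 campaigns (from the article).
LURE_SUBJECTS = [
    "Ensure Browser Security: Address Critical Vulnerabilities",
    "Security notice - please check Trend Micro on your device",
    "Confidential Report: Ongoing Harassment and Inaction by HR",
    "Follow-up on Research Survey - Innovation in Heavy Equipment Design",
]

# Brands impersonated by the fake-update lure (from the article).
IMPERSONATED_BRANDS = ["trend micro", "apex one"]

# ASSUMPTION: sender domains allowed to mention those brands; replace with your own list.
TRUSTED_SENDER_DOMAINS = {"trendmicro.com"}

# Hyphen variants, en/em dashes and the minus sign, all folded to a plain "-".
DASHES = re.compile("[\u2010-\u2015\u2212]")


def normalize(text: str) -> str:
    """Fold Unicode, dashes, whitespace and case so subject comparison is robust."""
    text = unicodedata.normalize("NFKC", text)
    text = DASHES.sub("-", text)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return text.rstrip(".!")


NORMALIZED_LURES = {normalize(s) for s in LURE_SUBJECTS}


def sender_domain(sender: str) -> str:
    """Return the lower-cased domain part of an address such as a@b.example."""
    return sender.rsplit("@", 1)[-1].strip().lower()


def classify(sender: str, subject: str) -> list[str]:
    """Return the detection reasons that apply to one message (empty if none)."""
    reasons = []
    norm = normalize(subject)
    if norm in NORMALIZED_LURES:
        reasons.append("known-lure-subject")
    brand_named = any(brand in norm for brand in IMPERSONATED_BRANDS)
    if brand_named and sender_domain(sender) not in TRUSTED_SENDER_DOMAINS:
        reasons.append("brand-impersonation")
    return reasons


def scan_log(log: str) -> list[dict]:
    """Scan 'timestamp|sender|subject' lines and return the flagged messages."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        timestamp, sender, subject = line.split("|", 2)
        reasons = classify(sender, subject)
        if reasons:
            hits.append({"timestamp": timestamp, "sender": sender,
                         "subject": subject, "reasons": reasons})
    return hits


# Constructed sample log: two lures with the article's original dash characters,
# one benign IT notice, one HR-complaint lure, and one legitimate vendor mail.
SAMPLE_MAIL_LOG = """\
2025-11-03T09:12:44Z|security-update@trendmicro-alerts.example|Security notice \u2014 please check Trend Micro on your device
2025-10-15T14:03:10Z|no-reply@survey.example|Follow-up on Research Survey \u2013 Innovation in Heavy Equipment Design
2025-11-04T08:55:01Z|it-helpdesk@corp.example|Monthly patch window: Saturday 02:00 UTC
2025-10-16T11:20:33Z|anon.reporter@mail.example|Confidential Report: Ongoing Harassment and Inaction by HR
2025-11-05T16:40:12Z|notifications@trendmicro.com|Trend Micro Apex One release notes
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_MAIL_LOG):
        print(hit["timestamp"], hit["sender"], hit["reasons"])
```

The exact-subject list catches the reported lures only; the brand-impersonation check is the more durable signal, since it does not depend on the attacker reusing a subject, and it deliberately stays silent for mail that genuinely comes from an allowlisted vendor domain.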
Several elements of the SHADOW-VOID-042 campaign align with the intrusion set known as Void Rabisu (also tracked as ROMCOM, Tropical Scorpius, Storm-0978), a hybrid-motivation actor group aligned with Russian interests. Void Rabisu is known for both financial and espionage motivations. However, until a more definitive link is established, Trend Micro is tracking these campaigns separately under the temporary intrusion set SHADOW-VOID-042.
The targets of the November campaign included executives and upper management in sectors like cybersecurity, energy, IT, and logistics. The targeting was carefully executed, but Trend Vision One detected and quarantined most spear-phishing emails and blocked landing pages, preventing exposure to exploits and malware further down the kill chain. Trend Micro customers can access tailored hunting queries, threat insights, and intelligence reports to better defend against this campaign.
The emergence of SHADOW-VOID-042 highlights the ongoing threat from sophisticated, multi-stage phishing campaigns that mimic trusted brands and exploit human psychology. The use of HR-related lures and fake security updates demonstrates the evolving tactics of threat actors aligned with state interests. Organizations are advised to implement robust email security solutions, conduct regular security awareness training, and deploy advanced threat detection platforms to defend against such targeted attacks.