New Threat Actor: SHADOW-VOID-042

Threat Profile: SHADOW-VOID-042

SHADOW-VOID-042 is a temporary intrusion set identified by Trend Micro in December 2025. This group exhibits significant operational overlaps with Void Rabisu (also known as ROMCOM, Tropical Scorpius, and Storm-0978), a hybrid threat actor known for conducting both financially motivated ransomware attacks and espionage operations aligned with Russian state interests.

While SHADOW-VOID-042 is currently tracked as a distinct cluster pending definitive evidence, the tactical similarities (specifically in social engineering lures and target selection) suggest it is likely a sub-cluster or a specific operation within the broader Void Rabisu nexus.

Victimology

The group has demonstrated a highly targeted focus on critical industries, moving beyond broad-brush attacks to specific vertical espionage.

  • Primary Sectors:
    • Defense: Entities involved in national security and military supply chains.
    • Energy: Critical infrastructure providers.
    • Chemical: Industrial manufacturing and processing.
    • Cybersecurity: High-value targeting of security vendors (including Trend Micro and its subsidiaries) to potentially facilitate supply chain compromise.
    • ICT: Information and Communication Technology providers.
    • Pharmaceuticals: Research and development organizations.
  • Geographic Focus: While specific countries were not exhaustively listed, the sector profile aligns with Void Rabisu’s historic targeting of NATO member states and Ukraine-allied nations.

Tactics, Techniques, and Procedures (TTPs)

1. Initial Access: Spear-Phishing

The primary entry vector is highly tailored spear-phishing campaigns utilizing sophisticated social engineering lures designed to induce urgency or trust.

  • Campaign A (October 2025): The group utilized administrative lures, specifically posing as HR departments issuing complaints or requests for research participation.
  • Campaign B (November 2025): A more aggressive campaign utilized Vendor Impersonation. The actors sent emails masquerading as the cybersecurity firm Trend Micro, urging targets to install a “critical security update” for the Trend Micro Apex One™ endpoint protection platform.

2. Infrastructure & Delivery

  • Decoy Websites: SHADOW-VOID-042 constructs high-fidelity decoy sites that mimic the corporate branding and style of the impersonated vendor (e.g., a fake Trend Micro download portal).
  • Multi-Stage Payload Delivery: The attack chain is not monolithic. It employs a multi-stage delivery mechanism where the final payload is only delivered after the attackers validate the target machine’s environment. This “gating” technique helps evade automated sandboxes and analysis systems.
  • Exploitation: Lab analysis of the attack chain revealed traces of a 2018 Chrome exploit. However, analysts assess with high confidence that in active campaigns, the group likely swaps this for more recent exploits to achieve code execution on patched systems.

3. Payload & Objectives

  • Intermediate Payloads: The group delivers intermediate loaders to select targets to maintain persistence and profile the network.
  • Link to Void Rabisu: While the specific final payload in the November campaign was often blocked early in the kill chain, the TTPs strongly align with the deployment of the ROMCOM Backdoor (or variants like Peapod), which allows for remote command execution and data exfiltration.

Indicators of Compromise (IOCs)

Analysts should hunt for the following artifacts and behaviors associated with SHADOW-VOID-042 activity:

File Indicators

  • Malicious Installers: Executables posing as security updates, specifically naming “Apex One” or other enterprise security products.
  • Filenames: Look for variations of TrendMicro_Security_Update.exe, ApexOne_Patch.exe, or HR-related document names like Complaint_Form.pdf.exe.

Network Indicators

  • Decoy Domains: Domains utilizing “typosquatting” or keywords related to security vendors (e.g., update-trendmicro-support[.]com or similar structures).
  • Traffic Patterns: Outbound connections to unknown IPs immediately following the execution of a “security update” installer.

Behavioral Indicators

  • Process Execution: A browser or unexpected binary spawning from a PDF reader or Office application.
  • System Modification: Attempts to modify browser security settings or disable real-time monitoring services (ironically, often done by the fake “security update” installer).
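The file, network and behavioral indicators above can be turned into a simple hunting rule over process-creation telemetry. The following is an added example, not Trend Micro's code or a published detection rule; the event records, the parent/child process lists and the regular expressions are constructed for illustration and should be tuned to the environment's actual EDR schema.

```python
import re

# Constructed sample process-creation events (not real telemetry).
# Fields: parent process name, full image path of the child, and the
# first outbound destination observed after the child started (if any).
SAMPLE_EVENTS = [
    {"parent": "AcroRd32.exe", "image": r"C:\Users\a\Downloads\Complaint_Form.pdf.exe", "dst_domain": ""},
    {"parent": "WINWORD.EXE", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dst_domain": ""},
    {"parent": "explorer.exe", "image": r"C:\Users\a\Downloads\ApexOne_Patch.exe", "dst_domain": "update-trendmicro-support.com"},
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "dst_domain": ""},
    {"parent": "OUTLOOK.EXE", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "dst_domain": ""},
]

# Document-handling parents that should rarely spawn arbitrary binaries (assumed list).
DOCUMENT_PARENTS = {"acrord32.exe", "foxitreader.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# Children these parents legitimately launch; anything else is "unexpected" (assumed list).
EXPECTED_CHILDREN = {"winword.exe", "excel.exe", "powerpnt.exe", "splwow64.exe"}

# Installer names posing as a vendor security update (e.g. TrendMicro_Security_Update.exe, ApexOne_Patch.exe).
FAKE_UPDATE_RE = re.compile(r"(trend\s*micro|apex\s*one).*(update|patch)", re.I)
# Double-extension lures such as Complaint_Form.pdf.exe.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.exe$", re.I)
# Vendor keywords in a destination that is not the vendor's real domain.
DECOY_DOMAIN_RE = re.compile(r"(trendmicro|apexone)", re.I)
VENDOR_LEGIT_DOMAINS = {"trendmicro.com"}


def classify(event):
    """Return the list of indicator names matched by one process-creation event."""
    image_name = event["image"].replace("\\", "/").rsplit("/", 1)[-1]
    parent = event["parent"].lower()
    hits = []
    if FAKE_UPDATE_RE.search(image_name):
        hits.append("fake_security_update_name")
    if DOUBLE_EXT_RE.search(image_name):
        hits.append("double_extension")
    if parent in DOCUMENT_PARENTS and image_name.lower() not in EXPECTED_CHILDREN:
        hits.append("document_app_spawned_binary")
    domain = event.get("dst_domain", "").lower()
    if domain and DECOY_DOMAIN_RE.search(domain) and not any(
        domain == d or domain.endswith("." + d) for d in VENDOR_LEGIT_DOMAINS
    ):
        hits.append("decoy_vendor_domain")
    return hits


def hunt(events):
    """Return (image path, matched indicators) for every event that matched at least one indicator."""
    return [(e["image"], classify(e)) for e in events if classify(e)]
```

Three of the five constructed events match; the benign notepad.exe launch and Outlook spawning Word do not, which is the kind of baseline a rule like this must be checked against before it is deployed as an alert.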