SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics

In November, a targeted spear-phishing campaign was observed using Trend Micro-themed lures against various industries, but this was quickly detected and thwarted by the Trend Vision One™ platform.

By: Daniel Lunghi, Ian Kenefick, Feike Hacquebord

Dec 11, 2025

Special thanks to Stephen Hilt.

Key takeaways

  • In November 2025, spear-phishing emails featuring a Trend Micro-themed social engineering lure were sent to various industry verticals – including defense, energy, chemical, cybersecurity (including Trend and a subsidiary), and ICT companies – where a decoy website mimicked Trend’s corporate style.
  • The campaign utilized a multi-stage approach, tailoring every stage to the specific target machine and delivering intermediate payloads to a select number of targets.
  • We can relate the November 2025 campaign with high confidence to another campaign in October 2025, which used HR complaints and research participation as a social engineering lure.
  • Several elements of the campaign align with the intrusion set known as Void Rabisu, associated with a hybrid-motivation actor group aligned with Russian interests. However, until a more definitive link to Void Rabisu is established, the two campaigns will be tracked separately under the temporary intrusion set SHADOW-VOID-042.
  • Trend Vision One™ detects and blocks the IoCs discussed in this blog. Trend customers can also access tailored hunting queries, threat insights, and intelligence reports to better understand and proactively defend against this campaign. Trend Vision One stopped the campaign early in the kill chain, minimizing the potential damage. No final payload was observed in Trend’s telemetry.

November 2025 Trend Micro-themed campaign

In October and November 2025, campaigns targeting sectors such as energy, defense, pharmaceuticals, and cybersecurity shared characteristics with older campaigns attributed to Void Rabisu (also known as ROMCOM, Tropical Scorpius, and Storm-0978). Void Rabisu is associated with an actor group that has both financial and espionage motivations aligned with Russian interests. We are tracking these campaigns under a separate, temporary intrusion set, SHADOW-VOID-042, pending further data to support high-confidence attribution.

In the November 2025 campaign, Trend Micro itself, a subsidiary, a partner, and organizations in other industries were targeted with a Trend-themed social engineering lure. The lure urged users to install a fake update for alleged security issues in Trend Micro Apex One™ (Figure 1). The campaign was thwarted early by Trend Vision One™. During lab testing of the infection chain, an old Chrome exploit from 2018 was detected; the actor likely had more recent exploits available for the actual campaign, but none appeared in Trend’s telemetry because Trend Vision One intercepted the chain before that stage.

Figure 1. Example of a spear phishing e-mail with Trend Micro Apex One™ lure

The subjects of the e-mails in the November 2025 campaign included:

  • Ensure Browser Security: Address Critical Vulnerabilities
  • Important: Protect Your Browser Against Recent Zero-Day Vulnerabilities
  • Important: TM security advisory and steps to protect your system
  • Important: Trend Micro security advisory and steps to protect your system
  • Security Advisory — Zero-Day Vulnerabilities Affecting Major Web Browsers
  • Security notice — please check TM on your device
  • Security notice — please check Trend Micro on your device
  • Security notice: Action recommended for Trend Microusers
  • Security notice: Action recommended for TMusers
  • TM – security update and remediation steps
  • Trend Micro – security update and remediation steps
  • Vulnerability advisory for Trend Micro — guidance for affected users
  • Vulnerability advisory for TM — guidance for affected users
  • Vulnerability Disclosure: Browser Zero-Days Impacting Multiple Platforms
  • Zero-Day Vulnerabilities Detected in Major Browsers

Targets included executives and upper management in sectors such as cybersecurity, energy, IT, and logistics. The actor selected its targets carefully, but the campaign was halted early in the infection chain: Trend Vision One detected and quarantined most spear phishing e-mails and blocked the landing pages, so targets were never exposed to the exploits and malware further down the kill chain.

October 2025 campaign

A campaign in October 2025 attributed to the SHADOW-VOID-042 intrusion set targeted executives and key human resources (HR) employees across various industries, using alleged harassment complaints as the social engineering lure. Other lures included an invitation to join academic research or to fill in a questionnaire on a work-related topic.

Such HR complaints are hard for targets to ignore, because legitimate complaints may come from whistleblowers who prefer to stay anonymous, so HR staff cannot simply discard mail from unknown senders. This is why HR-related lures and job applications are popular social engineering tools for malicious actors.

Some of the subject lines are listed below:

  • Anonymous Concern About Workplace Environment
  • Assistance Needed: Sensitive Workplace Issue – Confidential
  • Confidential Concern: Workplace Misconduct and Lack of Resolution
  • Confidential Inquiry: Guidance on Reporting Misconduct Safely
  • Confidential Report: Ongoing Harassment and Inaction by HR
  • Confidential: Escalation of Unresolved Sexual Harassment Complaint
  • Confidential: Report of Misconduct and Request for Immediate HR Support
  • Follow-Up on Unresolved Harassment Complaint
  • Follow-up on Research Survey
  • Follow-up on Research Survey – Innovation in Heavy Equipment Design
  • Follow-up: CBS Research on Retail Communication and Brand Engagement
  • Follow-up: UTN Research on Real-Time Monitoring in Financial Operations
  • Formal Complaint: Unresolved Sexual Harassment by Manager
  • Harassment Issue
  • Invitation Reminder: Seaco’s Input on Container Design and Interoperability Study
  • Invitation to Participate – Fintech Monitoring Study
  • Invitation to participate in research for a master's thesis
  • Join a Short Academic Survey on Workplace Digital Change
  • Report of Inappropriate Behavior by Manager
  • Request for Your Input in Academic Research on Digital Transformation
  • Seeking Employee Perspectives for a Master's Thesis Study
  • Serious Misconduct
  • Survey Participation Request
  • Unresolved Sexual Harassment by Manager
  • Urgent: Request for Intervention Regarding Workplace Harassment
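The two subject-line lists above (the Trend-themed advisory and browser zero-day subjects from the November campaign, and the HR-complaint and research-survey subjects from the October campaign) describe lure families rather than fixed strings, so a mail-triage rule has to key on the pretext and on whether the sender and any links fit that pretext. The Python below is an added example written for this page, not Trend's hunting query and not code from the post: it classifies a raw RFC 5322 message by lure family and then checks sender and link consistency. The vendor domain (trendmicro.com), the internal domain (example-corp.test), and every address, host and message body in it are assumptions constructed for the example, not indicators from the campaign.

```python
"""Mail-triage rule for the lure families described in the post.

Added example, not Trend's hunting query. It classifies a raw RFC 5322 message
by the pretext its subject resembles, then checks whether the sender and any
embedded links are consistent with that pretext. All domains, addresses and
message bodies below are constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject patterns distilled from the two subject-line lists in the post.
ADVISORY = re.compile(r"security (advisory|notice|update)|vulnerabilit(y|ies)|zero-?day", re.I)
BRAND = re.compile(r"trend\s*micro|\bTM\b", re.I)
HR_LURE = re.compile(r"harassment|misconduct|inappropriate behaviou?r|workplace (issue|environment)", re.I)
RESEARCH_LURE = re.compile(r"research (survey|study)|master'?s thesis|academic (survey|research)|survey participation", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

# Assumed for the example: the vendor's legitimate domain and the protected organization's domain.
VENDOR_DOMAINS = {"trendmicro.com"}
INTERNAL_DOMAINS = {"example-corp.test"}


def _domain(header_value):
    """Lower-cased domain of an address header ('' when absent or malformed)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Concatenate the decoded text/* parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type().startswith("text/"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _under(host, domains):
    """True when host equals one of domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def lure_family(subject):
    """Map a subject line to one of the lure families seen in the campaigns, or None."""
    if ADVISORY.search(subject):
        return "security-advisory"
    if HR_LURE.search(subject):
        return "hr-complaint"
    if RESEARCH_LURE.search(subject):
        return "research-survey"
    return None


def triage(raw_message):
    """Return {'family', 'verdict', 'reasons'} for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    family = lure_family(subject)
    reasons = []
    if family is None:
        return {"family": None, "verdict": "pass", "reasons": reasons}

    sender = _domain(msg.get("From"))
    reply_to = _domain(msg.get("Reply-To"))
    body = _body_text(msg)
    link_hosts = sorted({urlparse(u).hostname or "" for u in URL.findall(body)})

    if sender not in INTERNAL_DOMAINS:
        reasons.append("external sender")
    if reply_to and reply_to != sender:
        reasons.append("reply-to domain differs from From")
    if family == "security-advisory":
        # A vendor-branded advisory must come from, and link to, the vendor itself.
        if BRAND.search(subject + " " + body) and sender not in VENDOR_DOMAINS:
            reasons.append("vendor brand used by non-vendor sender")
        off_vendor = [h for h in link_hosts if not _under(h, VENDOR_DOMAINS)]
        if off_vendor:
            reasons.append("update link off vendor domain: " + ", ".join(off_vendor))
    elif link_hosts:
        # A complaint or survey that pushes the reader to a link matches the pattern seen here.
        reasons.append("lure carries link: " + ", ".join(link_hosts))

    # An external sender alone is not enough: genuine anonymous complaints look the same.
    strong = [r for r in reasons if r != "external sender"]
    return {"family": family, "verdict": "quarantine" if strong else "review", "reasons": reasons}


# Constructed sample messages (not real campaign artifacts).
FAKE_ADVISORY = """From: Trend Micro Security <advisory@tm-security-update.test>
To: cfo@example-corp.test
Subject: Important: Trend Micro security advisory and steps to protect your system
Content-Type: text/plain; charset=utf-8

A critical vulnerability affects Apex One. Install the patch now:
https://apexone-update.tm-security-update.test/patch
"""

HR_COMPLAINT = """From: anon.reporter@mail.test
Reply-To: anon.reporter@other-mail.test
To: hr@example-corp.test
Subject: Confidential: Escalation of Unresolved Sexual Harassment Complaint
Content-Type: text/plain; charset=utf-8

The full account is here: https://forms.test/complaint-details
"""

if __name__ == "__main__":
    for sample in (FAKE_ADVISORY, HR_COMPLAINT):
        print(triage(sample))
```

Advisory-family mail that names the vendor but comes from, or links to, a non-vendor domain is quarantined; an HR complaint from an external sender with no link and no Reply-To mismatch is only marked for review, because, as the post notes, genuine complaints from anonymous whistleblowers look much the same. The domain sets are placeholders and must be replaced with the real vendor and organization domains before the rule is run against live mail.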

This campaign used tailored decoy documents or Google Forms, such as a questionnaire or a product specification document aimed at the energy sector. Some of the decoy documents meant only for specific targeted companies are shown in Figure 2.

Figure 2. Targeted decoy forms meant for different verticals: IT companies, the food industry, and two energy sector suppliers, respectively

  Industry vertical   October 2025   November 2025
  Defense             -              x
  Energy              -              x
  Chemical            -              x
  Logistics           x              -
  Cyber security      -              x
  Finance             x              -
  Manufacturing       x              x
  Food                x              x
  Retail              x              x
  ICT                 x              x
  ISP                 x              x

Table 1. Industry verticals targeted (Source: Trend Micro telemetry)

We found that the October 2025 and November 2025 campaigns overlap significantly in the attacker infrastructure they used and in their tactics, techniques, and procedures (TTPs).

Infection chain stopped early in the November campaign

[...]

