SHADOW-VOID-042
SHADOW-VOID-042 is a temporary intrusion set designation used to track a highly targeted spear-phishing campaign observed in November 2025 that impersonated Trend Micro branding and messaging. The campaign targeted organizations in critical infrastructure-related sectors including defense, energy, and chemicals, and also attempted to infiltrate Trend Micro and its subsidiaries. Lures included urgent, fake security advisories (e.g., a purported vulnerability in Trend Micro Apex One Web Reputation Service) that directed victims to a Trend Micro-mimicking decoy site branded as "TDMSEC."

The infection chain included redirection via a fake Cloudflare browser-check page and delivery of JavaScript-based exploits; one recovered exploit targeted CVE-2018-6065, a Chrome vulnerability patched in 2018, so only long-unpatched browsers would have been affected by that stage. Reporting indicates a multi-stage approach with payloads tailored per victim, and researchers assessed that more recent zero-day exploits may have been selectively used against high-value targets, though this was not confirmed.

Trend Micro linked the November 2025 activity with high confidence to an October 2025 operation that used HR/executive-focused lures (e.g., fake workplace harassment and academic research complaints). The activity shows significant tactical and infrastructure overlap with Void Rabisu (also associated with ROMCOM / Storm-0978), described as Russian-aligned, but a definitive attribution was not established: the operation was disrupted early and no final payload was observed (no ROMCOM backdoor was seen in telemetry).
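The delivery chain above gives a defender two cheap pivots in web-proxy telemetry: a Chrome build old enough to be affected by the recovered CVE-2018-6065 exploit, and a hostname that borrows the impersonated vendor's brand without sitting under its legitimate domain. The script below is an added example, not code from the original report or from Trend Micro; the log format, the sample lines, the hostnames, and the brand/legitimate-domain lists are all constructed for illustration, and the choice of Chrome 65 as the first fixed major version is an assumption you should check against your own vulnerability data before deploying.

```python
"""Proxy-log triage for the SHADOW-VOID-042 delivery pattern (added example)."""
import re
from dataclasses import dataclass, field

# Assumption: Chrome 65 (March 2018) carried the fix for CVE-2018-6065; anything
# older is treated as exposed to the recovered exploit. Verify before relying on it.
CVE_2018_6065_FIXED_MAJOR = 65

# Brand tokens the campaign abused ("TDMSEC" decoy branding, Trend Micro name) and
# the legitimate apex domain under which those tokens are expected. Constructed lists.
BRAND_TOKENS = ("trendmicro", "tdmsec")
LEGIT_DOMAINS = ("trendmicro.com",)

# Constructed log format: <timestamp> <src-ip> <host> <path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+"(?P<ua>[^"]*)"$'
)
CHROME_RE = re.compile(r"\bChrome/(\d+)\.")


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    severity: str
    reasons: list = field(default_factory=list)


def chrome_major(user_agent: str):
    """Return the Chrome major version from a UA string, or None if not Chrome-based."""
    m = CHROME_RE.search(user_agent)
    return int(m.group(1)) if m else None


def is_brand_lookalike(host: str) -> bool:
    """True when a host carries a vendor brand token but is not under the real domain."""
    h = host.lower().rstrip(".")
    for d in LEGIT_DOMAINS:
        if h == d or h.endswith("." + d):
            return False
    return any(tok in h for tok in BRAND_TOKENS)


def triage(lines):
    """Flag requests from exposed browsers and/or to brand-lookalike hosts.

    A single hit is medium; an old Chrome build reaching a lookalike host (the
    exact combination the exploit stage needs) is high.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        reasons = []
        major = chrome_major(m["ua"])
        if major is not None and major < CVE_2018_6065_FIXED_MAJOR:
            reasons.append(f"chrome_{major}_predates_cve_2018_6065_fix")
        if is_brand_lookalike(m["host"]):
            reasons.append("vendor_brand_lookalike_host")
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            findings.append(Finding(m["ts"], m["src"], m["host"], severity, reasons))
    return findings


# Constructed sample telemetry; hosts use the reserved .example TLD.
UA_OLD = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36")
UA_NEW = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36")
UA_FF = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0"
SAMPLE_LOG = [
    f'2025-11-14T09:12:03Z 10.0.4.17 update.tdmsec-advisory.example /advisory/apex-one "{UA_OLD}"',
    f'2025-11-14T09:12:09Z 10.0.4.17 update.tdmsec-advisory.example /cdn-cgi/check "{UA_OLD}"',
    f'2025-11-14T09:15:41Z 10.0.4.22 www.trendmicro.com /about "{UA_NEW}"',
    f'2025-11-14T09:16:02Z 10.0.4.31 docs.trendmicro.com.login.example /signin "{UA_NEW}"',
    f'2025-11-14T09:17:30Z 10.0.4.40 intranet.example /home "{UA_FF}"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ts} {f.src} -> {f.host}: {', '.join(f.reasons)}")
```

On the sample lines the two requests from the Chrome 64 client to the "tdmsec" host come back high, the lookalike "docs.trendmicro.com.login.example" visit is medium, and the legitimate trendmicro.com and Firefox traffic is untouched. The lookalike check deliberately rejects anything that merely contains the brand string under the real apex domain, since the campaign's decoys are valuable precisely because they live elsewhere.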
Summary: SHADOW-VOID-042 is a temporary designation for a spear-phishing campaign that impersonated Trend Micro to reach defense, energy, and chemical organizations, as well as Trend Micro itself. It used tailored phishing emails and decoy websites, delivered a known Chrome exploit (CVE-2018-6065) and possibly newer browser exploits, and staged per-victim payloads. The activity is linked to an earlier operation that used different social-engineering lures and overlaps with RomCom / Void Rabisu tradecraft, but that attribution remains unconfirmed.