| SYMBOL | COMMON_NAME | aka. SYNONYMS |
SHADOW-VOID-042 is a provisional intrusion set tracked by Trend Micro, active in October-November 2025, conducting spear-phishing campaigns against energy, defense, pharmaceutical, cybersecurity, and other sectors using lures like HR complaints, research surveys, and fake Trend Micro security updates urging browser fixes. Attacks employ multi-stage loaders: shellcode generates machine-specific IDs for C2 "get_module_hello" requests fetching encrypted Stage 2 (SystemProcessHost.exe) with scheduled tasks for persistence, followed by Stage 3 fetching additional payloads via API hashing and retries on hardcoded C2s. Infrastructure overlaps with Void Rabisu (ROMCOM/Storm-0978), but lacks confirmed ROMCOM deployment or Ukraine focus, warranting separate tracking.
There are currently no families associated with this actor.
| 2025-12-11
⋅
Trend Micro
⋅
SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics ROMCOM RAT SHADOW-VOID-042 |