A sophisticated threat group turned a cybersecurity giant’s reputation against itself, launching a targeted spear-phishing campaign that impersonated Trend Micro to breach defense, energy, and chemical organizations. A new report from Trend Micro reveals that in November 2025, the group tracked as SHADOW-VOID-042 not only targeted critical infrastructure but also attempted to infiltrate Trend Micro and its subsidiaries using the vendor’s own branding as a lure.
The campaign relied on a classic but effective ruse: the urgent security advisory. Targets received emails with subject lines like “Important: TM security advisory and steps to protect your system,” urging them to address a non-existent vulnerability.
The phishing emails claimed, “We’ve uncovered a security vulnerability in some versions of the Trend Micro Apex One Web Reputation Service module, which might currently be installed on your computer”. Victims were directed to a decoy website designed to mimic Trend Micro’s corporate style, hosted under the deceptive banner of “TDMSEC”.
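The lure described above combines three signals a mail-triage rule can key on: the message invokes a vendor brand, it arrives from a domain that is not the vendor's, and its links point to a look-alike site. The following Python is an added illustration of that check, not code from the Trend Micro report; the brand domain allowlist, the keyword lists and both sample messages are constructed assumptions for the example (the sender and link domains use the reserved `.invalid` TLD), and the crude "last two labels" domain comparison is a simplification that ignores multi-part public suffixes.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domains the impersonated vendor legitimately mails from.
BRAND_DOMAINS = {"trendmicro.com"}
# Assumption: phrases that indicate the message is invoking the vendor brand.
BRAND_KEYWORDS = ("trend micro", "tm security", "apex one")
# Assumption: urgency cues typical of fake "security advisory" lures.
URGENCY_KEYWORDS = ("important", "urgent", "immediately", "steps to protect")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable(host: str) -> str:
    """Crude registrable-domain reduction: keep the last two labels.
    Simplification: does not handle multi-part public suffixes (e.g. co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw_message: str) -> dict:
    """Flag a plain-text email that invokes a brand while sender or links are off-brand."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable(address.rsplit("@", 1)[-1]) if "@" in address else ""
    body = msg.get_payload() if not msg.is_multipart() else ""

    haystack = f"{subject} {display_name} {body}".lower()
    brand_mentioned = any(k in haystack for k in BRAND_KEYWORDS)
    sender_mismatch = brand_mentioned and sender_domain not in BRAND_DOMAINS

    # Any hyperlink whose registrable domain is not on the brand allowlist.
    off_brand_links = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable(host) not in BRAND_DOMAINS:
            off_brand_links.append(url)

    urgent_subject = any(k in subject.lower() for k in URGENCY_KEYWORDS)
    suspicious = brand_mentioned and (sender_mismatch or bool(off_brand_links))

    return {
        "brand_mentioned": brand_mentioned,
        "sender_domain": sender_domain,
        "sender_mismatch": sender_mismatch,
        "off_brand_links": off_brand_links,
        "urgent_subject": urgent_subject,
        "verdict": "suspicious" if suspicious else "ok",
    }


# Constructed sample modelled on the lure in the report (domains are placeholders).
PHISH = "\n".join([
    "From: Trend Micro Security <advisory@tdmsec-example.invalid>",
    "Subject: Important: TM security advisory and steps to protect your system",
    "",
    "We've uncovered a security vulnerability in some versions of the Apex One",
    "Web Reputation Service module. Review the advisory at",
    "http://tdmsec-example.invalid/advisory/apex-one and apply the fix today.",
])

# Constructed benign sample: brand mention, but sender and link are on-brand.
LEGIT = "\n".join([
    "From: Trend Micro <alerts@trendmicro.com>",
    "Subject: Your monthly Apex One summary",
    "",
    "Read the summary at https://www.trendmicro.com/summary/example",
])

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(sample))
```

The rule deliberately does not fire on urgency alone; an urgent subject from an on-brand sender with on-brand links stays at "ok", while a brand mention paired with an off-brand sender or link is what earns the "suspicious" verdict for analyst review.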

This wasn’t a “spray and pray” operation. The researchers noted that “the campaign utilized a multi-stage approach, tailoring every stage to the specific target machine and delivering intermediate payloads to a select number of targets”.
This wave of attacks appears to be the second phase of a broader operation. Trend Micro researchers linked the November activity with high confidence to an October 2025 campaign that leveraged entirely different emotional triggers: workplace harassment and academic research.
In the October wave, executives and Human Resources employees were targeted with subject lines such as “Confidential: Escalation of Unresolved Sexual Harassment Complaint” and “Report of Inappropriate Behavior by Manager”. “The HR complaints are hard to ignore by the targets, as legitimate complaints might be sent from whistleblowers who prefer to stay anonymous,” the report explains.
While the group is currently tracked under the temporary moniker SHADOW-VOID-042, signs point to a familiar adversary. The tactics overlap significantly with Void Rabisu (also known as ROMCOM or Storm-0978), a hybrid threat group known for blending cybercrime with espionage aligned with Russian interests.
“Several elements of the campaign align with the intrusion set known as Void Rabisu,” the researchers observed. However, a definitive link remains elusive because the attacks were stopped early. “No final payload was observed in Trend’s telemetry,” preventing analysts from seeing if the group intended to deploy the signature ROMCOM backdoor typically associated with Void Rabisu.
The attack chain demonstrated a mix of old and new tradecraft. Victims who clicked the malicious links were redirected through a landing page styled as a Cloudflare browser-verification check. Behind the scenes, the attackers deployed JavaScript exploits.
Interestingly, one recovered exploit targeted CVE-2018-6065, a years-old Chrome vulnerability. “During lab testing, an old 2018 Chrome exploit was detected, but more recent exploits were likely used during the actual campaign,” the report suggests. This implies the attackers may have been selectively deploying newer, more valuable zero-days only against high-value targets to avoid burning them.