SHADOW-VOID-042 Campaign Uses Deceptive Update Lures in Targeted Global Espionage
January 8, 2026
Anatomy of an Attack: SHADOW-VOID-042 Campaign Uses Deceptive Update Lures in Targeted Global Espionage
Executive Summary
In December 2025, security researchers at Trend Micro published detailed intelligence identifying an active, highly targeted espionage campaign tracked as SHADOW-VOID-042. This operation shows significant technical overlap with Void Rabisu, a threat actor aligned with Russian interests. Void Rabisu conducts both financial cybercrime and intelligence collection via cyber espionage. The group is notable because it evolved from a financially motivated cybercrime operation, originally linked to the Cuba ransomware, into a primary espionage threat actor focused on targeting Ukraine and NATO allies since 2022.
These are the other names in use for Void Rabisu:
| Threat Group/Intrusion Set Name | Naming Vendor |
|---|---|
| Shadow Void 042 (a tracking name) | Trend Micro |
| Void Rabisu | Trend Micro |
| ROMCOM | Generally used for the malware |
| Storm-0978 | Microsoft |
| Tropical Scorpius | Palo Alto Networks Unit 42 |
| UNC2596 | Mandiant (also MITRE ATT&CK Framework) |
| GOLD FLAMINGO | Secureworks |
| UAC-0180 | Defense Cyber Crime Center (DC3) / CERT-UA (UAC-0132 is also seen) |
| Nebulous Mantis | DC3 |
| TA829 | Proofpoint |
This group continuously leverages zero-day and N-day vulnerabilities, such as the WinRAR zero-day (CVE-2025-8088) in mid-2025, to compromise high-value targets globally. The threat actor maintains a calculated, dual-purpose approach, focusing on long-term intelligence collection alongside opportunistic financial gain. Their victimology spans government, defense, and private sector organizations across multiple regions, including Ukraine and NATO-aligned nations.
The calculated nature of the threat became apparent in late 2025 when Trend Micro, the source of the core threat intelligence, disclosed that the threat actor had specifically compromised a Trend Micro subsidiary and partner using an email lure for a fake Apex One™ security update. This precise targeting of the cybersecurity supply chain confirms that the threat actor possesses high-level targeting capabilities, aiming to compromise strategic defense entities and disrupt global defense capabilities [Source: Trend Micro Research, November 2025].
The full scope of known targets is detailed below:
| Sector | Region | Attacker Action | Disclosed Targets/Victims | Source & Date |
|---|---|---|---|---|
| Technology/Cybersecurity | Global (Non-Ukraine) | Spear-phishing with fake update lure. | Trend Micro (the security vendor itself, a subsidiary, and a partner). | Trend Micro, November 2025 |
| Critical Infrastructure | Ukraine | Targeting Energy, Water, and Financial entities. | An unnamed Water Utility Company, Energy Sector Entities. | Trend Micro, May 2023 |
| Defense & Military | Europe / North America | Spear-phishing using NATO/political lures; zero-day exploitation. | A European Defense Company and multiple defense entities. | Trend Micro / Microsoft, 2023-2025 |
| Logistics/Manufacturing | Europe / Canada | Exploiting WinRAR zero-day (CVE-2025-8088) with job application lures. | Unnamed Financial, Manufacturing, and Logistics organizations. | ESET / Picus Security, August 2025 |
| Government/ICT | Europe / US | Targeting government leaders and IT service providers. | A European Parliament Member, various IT service providers in Europe and the US. | Trend Micro, May 2023 |
Shadow-Void-042’s Tactics, Techniques, and Procedures (TTPs)
The SHADOW-VOID-042 campaign follows a kill chain focused on stealth and persistence:
Initial Access & Deception
The campaign begins with personalized spear-phishing messages (T1566.001). These are highly credible lures, notably impersonating legitimate software updates (such as a fake Trend Micro update) or sensitive internal documents like HR harassment complaints. Once a victim clicks the link, they are redirected through an evasion chain to a decoy website (T1566.002) crafted to impersonate Trend Micro’s corporate branding. The attackers used lookalike domains, such as tdmsec[.]com, to host the decoy and ensure the victim downloads the initial malicious JavaScript payload.
Defense Evasion and Execution
For defense evasion, the attacker's shellcode utilizes API hashing to obfuscate critical Windows API calls (T1027.004). The infection chain demonstrates opportunistic exploitation, attempting to leverage both older, known vulnerabilities and suspected zero-day flaws to execute code on the victim's host (T1203) and subsequently drop an encrypted, second-stage binary (T1071.001).
Persistence and Covert Communication
The attacker establishes persistence by creating a Windows Scheduled Task (T1053.005) to ensure long-term access. This task executes the second-stage payload at every boot with SYSTEM privileges from the path C:\ProgramData\Microsoft\Windows\SystemProcessHost.exe. The attacker communicates over HTTPS for Command and Control (C2) and embeds a specific string, "get_module_hello," in the network traffic (T1071.001). The presence of this identifier within encrypted traffic serves as a high-fidelity signature for this campaign.
The SHADOW-VOID-042 campaign serves as an example of the escalating use of encryption in cyberattacks, with current data showing that 87% of threats are delivered over encrypted channels. Defending against this requires overcoming the limitations of traditional host and log-based tools with modern NDR.
Hunting for SHADOW-VOID-042 with NDR
The SHADOW-VOID-042 campaign illustrates the necessity of network visibility alongside host-based defenses. Network-level analysis provides a layer for detecting exploitation and encrypted C2 behavior that occurs between and beyond individual hosts. NDR identifies these TTPs by analyzing traffic patterns and decrypting critical communications:
- Detecting Pre-Exploitation: NDR provides full visibility into the DNS and HTTP traffic stream, flagging attempts to reach newly observed or reputationally suspicious domains used for hosting decoy sites (T1566.002) and multi-stage delivery (T1071.001).
- Post-Compromise Behavior: Once the payload achieves persistence (T1053.005), NDR detects the resulting network activity: a new process initiating highly suspicious, scheduled beaconing to an external IP (T1071.001), as well as attempts to exfiltrate system information (T1082) or move laterally within the network.
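The two network signals described above (the "get_module_hello" marker in decrypted request traffic and the regular, scheduled beaconing that follows persistence) can be checked with a small hunting script. This is an added example, not code from the ExtraHop post or the RevealX product; the session records, IP addresses and request paths are constructed, and the 0.2 coefficient-of-variation threshold is an assumed tuning value.

```python
"""Hunt for SHADOW-VOID-042 style C2 in decrypted HTTP(S) session records.

Added example (not ExtraHop code). Input records are constructed:
(epoch seconds, client IP, server IP, request path).
"""
from collections import defaultdict
from statistics import mean, pstdev

C2_MARKER = "get_module_hello"  # string reported in the campaign's C2 traffic

# Constructed sample sessions: one host beaconing every 300 s, one browsing.
SESSIONS = [
    (1000, "10.0.0.5", "203.0.113.9", "/api/get_module_hello?id=abc"),
    (1300, "10.0.0.5", "203.0.113.9", "/api/get_module_hello?id=abc"),
    (1600, "10.0.0.5", "203.0.113.9", "/api/get_module_hello?id=abc"),
    (1900, "10.0.0.5", "203.0.113.9", "/api/get_module_hello?id=abc"),
    (1010, "10.0.0.7", "198.51.100.2", "/index.html"),
    (1450, "10.0.0.7", "198.51.100.2", "/news/today"),
    (2900, "10.0.0.7", "198.51.100.2", "/"),
]


def marker_hits(sessions):
    """Return sorted (client, server) pairs whose request path carries the marker."""
    return sorted({(c, s) for _, c, s, p in sessions if C2_MARKER in p})


def beaconing_pairs(sessions, min_count=4, max_cv=0.2):
    """Flag client->server pairs whose inter-request gaps are near-constant.

    cv = stdev / mean of the gaps. Human browsing is bursty (high cv);
    a scheduled check-in produces almost identical gaps (low cv).
    Returns {(client, server): mean gap in seconds}.
    """
    by_pair = defaultdict(list)
    for ts, c, s, _ in sessions:
        by_pair[(c, s)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:  # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            flagged[pair] = round(avg)
    return flagged


if __name__ == "__main__":
    print("marker hits:", marker_hits(SESSIONS))
    print("periodic beacons:", beaconing_pairs(SESSIONS))
```

In production the marker check only works on traffic that has been decrypted (as the post notes for NDR), while the interval check needs no decryption and is the one to run across all outbound sessions.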
The table below maps the campaign's TTPs to specific detection methodologies available within an NDR platform:
| MITRE ATT&CK Tactic | Technique ID | Technique Name | Attacker Action | EH NDR Detection |
|---|---|---|---|---|
| Initial Access | T1566.001 | Spear-phishing Attachment/Link | Attacker sends emails with a fake Trend Micro update or HR complaint lure to entice clicks. | NDR detects network sessions initiated after a user clicks the link, especially the subsequent connections to suspicious/rare domains. |
| Defense Evasion | T1566.002 | Decoy/Lure Sites | Attacker directs victims to deceptive websites mimicking the corporate style (e.g., impersonating the Trend Micro website). | NDR detects DNS queries to newly observed domains or those with poor reputation, and can flag redirects that lead to unverified public cloud hosting infrastructure often used for staging. |
| Defense Evasion | T1027.004 | Custom Cryptography | Attacker uses a custom API hashing algorithm to obfuscate critical Windows API calls within the shellcode. | NDR baselines normal encrypted traffic. NDR flags the persistent timing and communication intervals characteristic of C2 check-in without requiring decryption of the outbound payload. |
| Defense Evasion | T1203 | Exploitation for Client Execution | Attacker leverages vulnerabilities in client-side software to run malicious code on the target’s system and gain initial access or escalate privileges. | NDR identifies highly unusual or malformed HTTP/S requests characteristic of an RCE exploit attempt. |
| Defense Evasion | T1071.001 | Multi-Stage Delivery | Attacker delivers an initial small JavaScript payload, followed by an encrypted Stage 2 binary to selected targets. | NDR flags the rapid, sequential fetching of multiple files and the high-entropy network transfer of the Stage 2 encrypted payload. |
| Discovery | T1082 | System Information Discovery | Attacker generates a unique ID based on the victim's hostname, processor, and volume serial number for tracking. | NDR detects the resulting network C2 connection that contains the unique, highly suspicious system ID string in the URL or payload. |
| Persistence | T1053.005 | Scheduled Task/Job | Attacker creates a Windows Scheduled Task to execute a payload (SystemProcessHost.exe) at boot with SYSTEM privileges. | NDR detects the resulting periodic, scheduled beaconing from a low-reputation internal host to an external C2. |
| Command and Control | T1071.001 | Application Layer Protocol | Attacker conducts C&C communication via HTTPS, identifiable by the unique request pattern starting with "get_module_hello". | NDR baselines normal encrypted traffic. NDR flags the persistent timing and communication intervals characteristic of C2 check-in without requiring decryption of the outbound payload. |
Stay Ahead: How Modern NDR Detects SHADOW-VOID-042 Evasion
The ExtraHop RevealX platform is uniquely positioned to neutralize the threat actor's sophisticated evasion techniques by combining Network Detection and Response (NDR) with Network Performance Monitoring (NPM) into a single, unified solution. This comprehensive visibility is achieved through three integrated capabilities:
- Deep Decryption and Protocol Fluency: ExtraHop eliminates blind spots by decrypting and analyzing traffic at wire speed. ExtraHop decrypts encrypted traffic at 100 Gbps and decodes 90+ network protocols to uncover malicious activity at rapid speed.
- Holistic Visibility and Behavioral Detection: Cloud-scale machine learning establishes a behavioral baseline for all network activity (East/West and North/South). This approach enables the platform to immediately flag subtle deviations, ensuring detection of evasive post-compromise behaviors, including system information gathering (T1082) and scheduled persistence mechanisms (T1053.005).
- Unified Context: By consolidating NDR, NPM, and forensics into one platform, ExtraHop enhances security operations efficiency. It provides comprehensive network observability to detect the full range of adversarial tactics, from reconnaissance and exploitation to command-and-control, while also identifying important performance anomalies and rapidly troubleshooting application issues.
ExtraHop identifies these subtle deviations from normal traffic, giving security teams the context and confidence to act before threats escalate into breaches.
Learn More About ExtraHop
The network is the definitive battleground against cyberthreats. ExtraHop NDR provides the comprehensive security intelligence that legacy tools might miss. To learn more about how ExtraHop RevealX can provide high-fidelity detection and protection against advanced threats like SHADOW-VOID-042, please:
- Request a Personalized Demo: See how ExtraHop detects hundreds of TTPs used by threat actors like Shadow Void.
- Run a Security Assessment: Challenge the visibility of your current security stack with a complimentary NDR assessment.
Product Marketing Team
Michael Zuckerman is a seasoned B2B product marketing and marketing strategy consultant. Zuckerman’s domain experience in cybersecurity over the past 10 years includes DNS security, threat intelligence, threat intelligence platforms (TIP), container security, mobile device security, moving target defense, sandbox, deception technology, cloud access security brokers (CASB), SASE, data loss prevention (DLP), user and entity behavior analytics (UEBA), network detection and response (NDR), and encryption.