Trend Micro-Themed Spear-Phishing Campaigns: November 2025 SHADOW-VOID-042 Analysis

Listen to this Post

Featured Image

Introduction

In November 2025, a sophisticated spear-phishing campaign targeted multiple critical sectors using Trend Micro-branded social engineering lures. Executives, IT professionals, and cybersecurity personnel were specifically targeted with messages designed to appear as legitimate security advisories. These attacks employed a multi-stage approach, tailored to each target, and attempted to deliver malware through decoy websites and fake updates. While Trend Vision One™ successfully intercepted the campaign, the operation demonstrates the increasing sophistication of threat actors and their ability to combine espionage and financial motives in a single operation.

November 2025 Trend Micro-Themed Campaign Overview

The November 2025 campaign, tracked under the temporary intrusion set SHADOW-VOID-042, targeted sectors including defense, energy, pharmaceuticals, cybersecurity, and ICT. Attackers sent spear-phishing emails disguised as Trend Micro security advisories, urging recipients to install a fake update for Apex One™. These messages were highly customized, with subject lines like “Ensure Browser Security: Address Critical Vulnerabilities” and “Security notice — please check Trend Micro on your device.”

The campaign followed a multi-stage infection chain. Initial links redirected victims through several URLs, landing on decoy websites mimicking Trend’s corporate style. While one JavaScript exploit targeting an older Chrome vulnerability (CVE-2018-6065) was captured, evidence suggests additional, more modern exploits were likely used selectively. In the event of exploit failure, targets were redirected to a TDMSEC decoy site, carefully crafted to resemble Trend’s legitimate website.

Once executed, the malware generated unique IDs from host information, encrypted them, and sent them to a C&C server. The server returned a customized binary loader, which, in turn, created a scheduled task on the system with SYSTEM privileges. Stage 3 attempted to download further payloads, but Trend Vision One™ blocked these early, preventing the full infection chain from executing.

The November operation shares infrastructure and techniques with an October 2025 campaign that used HR-related lures, such as anonymous harassment complaints or research participation requests, targeting executives and HR personnel across multiple industries. This overlap suggests a persistent actor leveraging social engineering tactics tailored to specific industries and roles.

October 2025 Campaign Recap

The October campaign similarly targeted executives and HR staff, but the lures focused on workplace misconduct, research surveys, or academic participation requests. Subject lines included “Anonymous Concern About Workplace Environment” and “Follow-up on Research Survey – Innovation in Heavy Equipment Design.”

The October campaign also employed decoy documents or Google forms to increase legitimacy. Specific decoys were designed for targeted companies in sectors such as logistics, finance, manufacturing, and ICT. Notably, the October and November campaigns exhibited significant overlap in infrastructure, tactics, techniques, and procedures (TTPs), suggesting the same threat actor orchestrated both operations.

Multi-Stage Infection Chain

The infection chain began with a phishing email containing malicious links. Victims were redirected through multiple landing pages, loading JavaScript files exploiting Chrome vulnerabilities. A shellcode executed to generate a unique machine ID and communicate with a C&C server, retrieving a customized Stage 2 loader. Stage 2 decrypted and loaded embedded code, preparing the system for Stage 3. Stage 3 attempted to retrieve additional malware from hardcoded C&C endpoints but was blocked due to Trend Vision One’s early detection.

The campaigns remained largely unsuccessful, as Trend Vision One intercepted emails and blocked malicious landing pages. No final payloads were observed, leaving uncertainty over whether the actors intended to deploy the ROMCOM backdoor or other malware linked to the Void Rabisu actor group.

Attribution and SHADOW-VOID-042 vs Void Rabisu

While elements of the campaigns resemble the Void Rabisu intrusion set, differences remain significant enough to treat SHADOW-VOID-042 as a separate temporary intrusion set. Both groups share tactics like URL redirection, use of free webmail for spam, residential proxies, and targeting critical sectors. However, SHADOW-VOID-042 has not been observed deploying the ROMCOM backdoor, targeting Ukraine, or exploiting SEO/advertising tactics at the same scale as Void Rabisu.

Void Rabisu, historically financially motivated and linked to ransomware, has increasingly focused on espionage aligned with Russian interests since 2022. It has targeted governments, energy sectors, and pharmaceutical companies using advanced malware, including zero-day exploits across WinRar, Mozilla, and Microsoft products. SHADOW-VOID-042’s campaigns hint at similar ambitions but remain distinct due to early interception and lack of final payloads.

What Undercode Say:

The November 2025 campaigns underscore the evolving sophistication of cyber threat actors. SHADOW-VOID-042 demonstrates hybrid motivations, blending espionage with potential financial gains, and leveraging highly targeted social engineering tactics. The choice of Trend Micro branding is deliberate, exploiting trust in cybersecurity solutions to bypass initial skepticism.

The campaigns illustrate the importance of multi-layered defense strategies. Even without final payload deployment, the malware attempted highly customized attacks, including machine-specific encryption, C&C communication, and staged payload delivery. This shows threat actors are moving beyond generic malware toward precision attacks tailored to high-value targets.

Trend Vision One’s AI-powered interception highlights the efficacy of proactive cybersecurity solutions. By stopping the infection chain early, Trend prevented potential damage, demonstrating that detection at the initial stages of phishing or exploit delivery is crucial for minimizing exposure.

The use of decoy websites and tailored JavaScript exploits reflects a shift toward highly realistic impersonation tactics. While some exploits were outdated, the likelihood of modern exploits being used selectively indicates attackers continuously refine their operations to target specific systems. This trend suggests future campaigns will increasingly blend social engineering with customized technical payloads, emphasizing the need for threat intelligence and user awareness.

Monitoring SHADOW-VOID-042 will be critical, as it may eventually merge into or align with other sophisticated intrusion sets like Void Rabisu. Organizations in critical sectors should adopt threat-hunting measures, employ continuous security monitoring, and educate personnel on recognizing authentic vs. deceptive communication. The overlap of tactics between October and November campaigns emphasizes that threat actors maintain persistent targeting strategies, testing and refining approaches across industries.

The campaigns also reveal potential geopolitical dimensions. By exploiting global cybersecurity vendors, actors can gain access to multiple high-value targets simultaneously. As geopolitical conflicts escalate, hybrid-motivated cybercrime groups may increasingly blend financial and espionage objectives, requiring organizations to adopt anticipatory defenses and cross-sector intelligence collaboration.

Fact Checker Results

✅ Campaigns targeted multiple sectors using Trend Micro-themed lures.

✅ Trend Vision One blocked the infection chain early, preventing malware deployment.
❌ No final payload or ROMCOM backdoor was observed in the November campaign.

Prediction

📊 SHADOW-VOID-042 is likely to continue evolving, integrating modern zero-day exploits and more personalized social engineering. Expect increased targeting of executives and IT professionals in critical infrastructure sectors. Hybrid motivation—blending espionage and financial gain—will become more prevalent, pushing organizations to invest in AI-driven threat detection and proactive threat hunting. Enhanced decoy realism, machine-specific malware, and early-stage targeting interception will define future campaigns.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.trendmicro.com
Extra Source Hub (Possible Sources for article):
https://www.reddit.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon