SHADOW-VOID-042

Also known as: SHADOW-VOID-042

Profile

SHADOW-VOID-042 is a provisional intrusion set tracked by Trend Micro. It was active in October-November 2025, conducting spear-phishing campaigns against the energy, defense, pharmaceutical, cybersecurity, and other sectors with lures such as HR complaints, research surveys, and fake Trend Micro security updates urging the recipient to apply a browser fix. The attacks use a multi-stage loader chain: initial shellcode generates a machine-specific ID and sends it in a "get_module_hello" request to the C2, which returns an encrypted Stage 2 (SystemProcessHost.exe) that establishes persistence through scheduled tasks; Stage 3 then fetches additional payloads, resolving imports via API hashing and retrying against hardcoded C2 servers. The infrastructure overlaps with Void Rabisu (ROMCOM/Storm-0978), but because neither ROMCOM deployment nor a Ukraine focus has been confirmed, the set is tracked separately.

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

Actor: Void Rabisu
Actor: Void Blizzard
Actor: SHADOW-AETHER-015
Actor: Void Arachne
Actor: Storm-0249
Actor: TA402

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.