APT / THREAT GROUP

SHADOW-VOID-042

Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

SHADOW-VOID-042 is a provisional intrusion set tracked by Trend Micro, active in October-November 2025, that conducted spear-phishing campaigns against the energy, defense, pharmaceutical, cybersecurity, and other sectors. Lures included HR complaints, research surveys, and fake Trend Micro security updates urging the recipient to apply a browser fix. The attacks use a multi-stage loader chain: the initial shellcode generates a machine-specific ID and sends a "get_module_hello" request to the C2, which returns an encrypted Stage 2 (SystemProcessHost.exe) that establishes persistence through scheduled tasks; Stage 3 then fetches additional payloads, resolving APIs by hash and retrying against hardcoded C2 servers. The infrastructure overlaps with Void Rabisu (ROMCOM/Storm-0978), but no ROMCOM deployment or Ukraine focus has been confirmed, which warrants tracking this activity separately.

Threat Analysis

SHADOW-VOID-042 is a threat actor of undetermined national origin engaged in cyber operations; its primary motivation and broader activity patterns are unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 1
Source: Malpedia

Also Known As

SHADOW-VOID-042

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.