A threat actor with possible connections to Russian cybercriminal networks attempted to breach multiple critical infrastructure sectors in November 2025 by impersonating Trend Micro security advisories. The attack targeted defense contractors, energy companies, and cybersecurity vendors with fake browser vulnerability warnings. Trend Vision One stopped the infection chain before malware deployment. While several elements align with the Void Rabisu intrusion set—a group that has shifted from ransomware to espionage-like targeting—researchers cannot yet confirm attribution and are tracking this activity separately as SHADOW-VOID-042.

Security researchers detected the campaign when executives and IT managers at targeted organizations received emails warning of "critical zero-day vulnerabilities" in their browsers. The messages appeared to come from legitimate security channels and urged immediate action to install updates. Recipients who clicked the embedded links were redirected through multiple domains to a page impersonating Cloudflare's security-check interface.

The threat actor customized every stage of the attack to match the victim's system configuration. Each payload was encrypted under a key derived from hardware-specific identifiers, so it cannot be decrypted, and therefore cannot be analyzed, without the identifier values from the original target machine. This level of operational security points to an actor with significant resources and technical sophistication.

Technical Analysis & Context

The infection chain operated through four distinct stages, each designed to evade detection:

Stage 1: Spear-Phishing and Exploitation

  • Emails featured subject lines like "Security Advisory — Zero-Day Vulnerabilities Affecting Major Web Browsers" and "Important: Protect Your Browser Against Recent Zero-Day Vulnerabilities"
  • Links redirected victims through URL shorteners to landing pages that mimicked Cloudflare's security-check interface
  • JavaScript files loaded in the background to probe for browser vulnerabilities
  • One recovered exploit targeted CVE-2018-6065, a Chrome vulnerability patched in March 2018
  • Two additional JavaScript files could not be retrieved; researchers assess they probably carried exploits for more recent vulnerabilities

Stage 2: Custom Shellcode Delivery

  • The shellcode generated a unique victim identifier based on hostname, processor type, and volume serial number
  • This identifier was encrypted and transmitted to command-and-control infrastructure
  • The C2 server responded with an encrypted binary customized for the specific target machine
  • A scheduled task created persistence with SYSTEM privileges, launching on every boot

Stage 3: Machine-Specific Loaders

  • The delivered payload could only be decrypted using the unique machine identifier
  • A modified API hashing algorithm required four runtime arguments passed during scheduled task execution
  • This dual-layer protection prevented analysis without the original victim context
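The following Python is an added illustration of the environmental keying described in stages 2 and 3; it is not code from the Trend Micro report or from the campaign. It assumes a fingerprint built from hostname, CPU string and volume serial, a SHA-256 key derivation and an HMAC-SHA-256 counter-mode stream cipher, all of which are stand-ins for whatever the real loader used. The point it demonstrates is the forensic problem: the sealed blob recovered from C2 or disk only opens when every fingerprint field matches, so an analyst needs the exact values from the compromised host, not a sandbox.

```python
"""Environmental keying demo: a payload sealed to one machine's fingerprint."""
import hashlib
import hmac
from typing import Optional

TAG_LEN = 16  # bytes of authenticator appended to the ciphertext (assumption)


def victim_id(hostname: str, cpu: str, volume_serial: int) -> bytes:
    """Hash the three fingerprint fields into a fixed-size identifier (assumed format)."""
    material = f"{hostname}|{cpu}|{volume_serial:08X}".encode()
    return hashlib.sha256(material).digest()


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA-256 in counter mode: a toy stream cipher, not the campaign's cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _payload_key(vid: bytes) -> bytes:
    # Key derivation is an assumption: domain-separate the identifier before use as a key.
    return hashlib.sha256(b"payload-key" + vid).digest()


def seal(payload: bytes, vid: bytes) -> bytes:
    """What a C2 would serve: payload XORed with the keystream, plus an authenticator."""
    key = _payload_key(vid)
    body = bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def unseal(blob: bytes, vid: bytes) -> Optional[bytes]:
    """Return the payload only if this fingerprint reproduces the key; None otherwise."""
    key = _payload_key(vid)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(body, keystream(key, len(body))))


# Constructed fingerprints: the real target, an analyst sandbox, and a near miss
# where the analyst recorded the hostname and CPU but got the volume serial wrong.
TARGET = ("WS-FIN-07", "Intel64 Family 6 Model 158", 0x1A2B3C4D)
SANDBOX = ("SANDBOX01", "Intel64 Family 6 Model 158", 0x00000001)
NEAR_MISS = ("WS-FIN-07", "Intel64 Family 6 Model 158", 0x1A2B3C4E)
PAYLOAD = b"stage-3 loader bytes (constructed placeholder, not real malware)"


def demo() -> dict:
    """Seal once for the target, then try to open the blob in three contexts."""
    blob = seal(PAYLOAD, victim_id(*TARGET))
    return {
        "on_target": unseal(blob, victim_id(*TARGET)),        # decrypts
        "in_sandbox": unseal(blob, victim_id(*SANDBOX)),      # None
        "near_miss": unseal(blob, victim_id(*NEAR_MISS)),     # None: one field off is enough
    }


if __name__ == "__main__":
    for context, result in demo().items():
        print(f"{context:>10}: {'decrypted' if result else 'refused'}")
```

The practical takeaway for responders is in the last two cases: a sandbox detonation of the recovered blob yields nothing, and even a partially correct fingerprint yields nothing, so the volume serial, hostname and processor string of the compromised host should be captured during triage before the machine is reimaged.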

Stage 4: Final Payload Retrieval

  • The loader attempted to contact two hardcoded C2 servers 20 times each
  • Researchers received HTTP 404 responses from both servers, indicating the infrastructure had been shut down or the campaign halted
  • The final payload remains unknown

The decoy website used corporate branding that deliberately mimicked Trend Micro's visual identity, including color schemes and layout structures. This was paired with a fictitious company name "TDMSec" — an apparent attempt to blur the line between legitimate and malicious infrastructure.

The Industry Impact

The October and November 2025 activity shows clear tactical overlap with previous campaigns attributed to Void Rabisu, a threat actor associated with both cybercrime and Russian objectives.

Void Rabisu gained notoriety for deploying the Cuba ransomware and later transitioned to espionage targeting Ukraine and its allies. The group has demonstrated consistent access to zero-day exploits, previously leveraging unpatched vulnerabilities in Microsoft Word (July 2023), Mozilla Firefox and Windows (October 2024), and WinRAR (July 2025). Their shifting motivations, from financially driven ransomware to intelligence collection, mirror patterns seen in other Russian hybrid-threat groups.

However, researchers are not yet ready to merge the recent campaigns into the Void Rabisu intrusion set. The temporary designation SHADOW-VOID-042 reflects this uncertainty. Key differences include:

  • No observed deployment of the RomCom backdoor, Void Rabisu's signature tool
  • Absence of Ukraine-specific targeting
  • No evidence of SEO poisoning or malicious advertising, tactics previously used by Void Rabisu
  • Different operational security measures, including Tor usage

The overlap lies in the shared lure themes (HR harassment complaints, fake job applications), use of residential proxies and NordVPN, reliance on temporary file-sharing services like temp.sh, and Russian language artefacts in the infrastructure.

The campaign's targeting list reveals strategic priorities. Besides cybersecurity vendors, the actor focused on:

  • Defense contractors
  • Energy sector suppliers serving critical infrastructure
  • Chemical manufacturers
  • ICT and ISP providers managing telecommunications infrastructure

The choice to impersonate a security vendor's own advisory lends the lure a legitimacy that can get past even security-aware users, who are trained to act quickly on exactly this kind of message.

Recommendations

Organizations should implement the following defenses to mitigate this threat:

1. Verify All Security Advisories Through Official Channels
Any urgent security notification should be confirmed through the vendor's official website, support portal, or direct communication with your account manager. Do not trust links in unsolicited emails, even if they appear to come from trusted sources. Attackers are exploiting the urgency created by zero-day disclosures to rush victims into clicking before verifying.

2. Deploy Browser Isolation for High-Risk Users
Executives, HR personnel, and employees with access to sensitive systems should use browser isolation technology. This creates a gap between web content and the local system, so a browser exploit runs in the isolation environment rather than on the endpoint even if a user clicks a malicious link. Against a chain like SHADOW-VOID-042, which depends on in-browser exploitation to run its shellcode, isolation would most likely have contained the attack at the exploitation stage.

3. Monitor Scheduled Task Creation
The campaign created persistence through scheduled tasks running with SYSTEM privileges. Many legitimate tasks also run as SYSTEM, so the discriminators are the binary's location and the creating process: security teams should baseline normal scheduled task behavior and alert on new tasks that launch executables from non-standard directories such as C:\ProgramData\Microsoft\Windows\SystemProcessHost.exe, particularly when combined with a boot trigger. Any task created by a web browser process should trigger immediate investigation. On Windows, task creation is logged as Security event 4698 once auditing for "Other Object Access Events" is enabled; the event carries the full task XML, so the command path, principal and triggers can be checked directly.
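As an added example of the detection logic described in this recommendation (not code from the Trend Micro report or this page), the Python below scores task-creation events. It assumes a simplified event shape with the fields TaskName, TaskContent (the task XML that event 4698 carries) and ClientProcessId, plus a constructed process table standing in for process-creation telemetry used to resolve which image created the task. The trusted-directory list, browser list and severity thresholds are assumptions to tune per estate; the sample events are constructed, with the malicious one using the path quoted in the recommendation.

```python
"""Flag scheduled-task creations matching browser-spawned, boot-persistent SYSTEM tasks."""
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Where legitimately installed task binaries normally live (assumption; tune per estate).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
SYSTEM_SID = "S-1-5-18"
# Minimal environment-variable expansion so %SystemRoot% paths compare correctly (assumption).
ENV = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows", "%programdata%": "c:\\programdata"}


def normalize(path: str) -> str:
    p = path.strip().strip('"').lower()
    for var, value in ENV.items():
        p = p.replace(var, value)
    return p


def analyze(event: dict, process_table: dict) -> dict:
    """Parse the task XML and return a severity with the reasons behind it."""
    root = ET.fromstring(event["TaskContent"])
    cmd = normalize(root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS))
    user = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    boot = root.find("t:Triggers/t:BootTrigger", NS) is not None
    creator = normalize(process_table.get(event.get("ClientProcessId"), ""))

    reasons = []
    untrusted = bool(cmd) and not cmd.startswith(TRUSTED_DIRS)
    if untrusted:
        reasons.append(f"binary outside trusted directories: {cmd}")
    if untrusted and (user == SYSTEM_SID or run_level == "HighestAvailable"):
        reasons.append("elevated principal for untrusted binary")
    if untrusted and boot:
        reasons.append("boot trigger on untrusted binary (persistence)")
    if ntpath.basename(creator) in BROWSERS:
        reasons.append(f"created by browser process {creator}")

    if any("browser" in r for r in reasons) or len(reasons) >= 3:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return {"task": event["TaskName"], "severity": severity, "reasons": reasons}


def run(events, process_table):
    return [analyze(e, process_table) for e in events]


# Constructed process table: pid -> image, as process-creation telemetry would provide.
PROCESS_TABLE = {
    4412: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    1188: "C:\\Windows\\System32\\svchost.exe",
    5210: "C:\\Windows\\System32\\mmc.exe",
}

# Constructed events. The first mirrors the campaign's persistence; the arguments are placeholders.
EVENTS = [
    {"TaskName": "\\SystemProcessHost", "ClientProcessId": 4412, "TaskContent": r"""
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\ProgramData\Microsoft\Windows\SystemProcessHost.exe</Command>
    <Arguments>arg1 arg2 arg3 arg4</Arguments></Exec></Actions>
</Task>"""},
    {"TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan",
     "ClientProcessId": 1188, "TaskContent": r"""
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Windows Defender\MpCmdRun.exe</Command></Exec></Actions>
</Task>"""},
    {"TaskName": "\\UpdateCheck", "ClientProcessId": 5210, "TaskContent": r"""
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>CORP\jsmith</UserId>
    <RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\jsmith\AppData\Local\Temp\update.exe</Command></Exec></Actions>
</Task>"""},
]

if __name__ == "__main__":
    for finding in run(EVENTS, PROCESS_TABLE):
        print(finding["severity"].upper(), finding["task"], finding["reasons"])
```

The Defender task is ignored despite running as SYSTEM because its binary sits under Program Files and it was created by a service host; the user-level Temp task is flagged at medium on path alone; the campaign-style task scores high on every criterion, and the browser-as-creator reason alone is enough to escalate it even if the other checks were tuned away.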

4. Harden Email Security with Behavioral Analysis
Traditional email filters missed these messages because they came from free webmail providers using residential proxy networks. Deploy solutions that analyze sender behavior patterns, link reputation in real-time, and detect impersonation attempts through natural language processing. The emails in this campaign exhibited subtle linguistic tells — overly formal language, unusual phrasing of technical concepts — that behavioral AI models can detect.

Source Disclosure & Credits

This report is based on research originally published by Trend Micro researchers. All technical details, indicators of compromise, and attribution claims originate from the source research. Readers are encouraged to review the original report for complete forensic data and hunting queries.

Author: Editorial Team, Security Land
