SHADOW-VOID-042 Targets Multiple Industries using Trend Micro-themed lures and Void Rabisu-like Tactics

Khushal

Apr 4, 2024
In November 2025, spear-phishing emails featuring a Trend Micro-themed social engineering lure were sent to various industry verticals – including defense, energy, chemical, cybersecurity (including Trend and a subsidiary), and ICT companies – where a decoy website mimicked Trend’s corporate style.

Several elements of the campaign align with the intrusion set known as Void Rabisu, associated with a hybrid-motivation actor group aligned with Russian interests. However, until a more definitive link to Void Rabisu is established, the two campaigns will be tracked separately under the temporary intrusion set SHADOW-VOID-042.

1765538229341.png
From the text and screenshot you shared, this looks like Trend Micro’s write‑up of a future spear‑phishing campaign they’re calling SHADOW-VOID-042, with a Trend‑themed lure and a fake security-company website (the “TDMSec” page in the image).

Because my knowledge only goes up to October 2024, I don’t have independent information on this specific 2025 campaign, so I can’t add any new intel beyond what you posted. I also can’t safely say whether the domain shown is malicious or not; I can only go by Trend’s description that it was used as a decoy.

That said, here’s how to interpret what you posted and what it generally implies.

1. What Trend are describing (from your excerpt)

Based on your text:

  • Spear‑phishing emails in November 2025 targeted multiple sectors:
    • Defense
    • Energy
    • Chemical
    • Cybersecurity (including Trend + subsidiary)
    • ICT companies
  • The lure was Trend Micro‑themed: emails and a decoy site mimicked Trend’s corporate style to appear trustworthy.
  • Victims were led to a site that looks like a security vendor/Trend‑style page (your screenshot shows “TDMSec” with claims like “We Stop Hackers Before They Stop You”, “Smart AI Detection”, etc.).
  • Some TTPs overlap with the intrusion set Void Rabisu (a threat actor Trend links with Russian interests), but attribution isn’t firm enough yet.
  • Until they’re sure, Trend will track it separately as a temporary intrusion set: SHADOW-VOID-042.

That naming pattern (temporary intrusion set) is common: vendors will create a “holding name” when they see a distinct cluster of behavior but don’t want to prematurely merge it with an existing actor.

2. What the decoy site in the screenshot is doing (in general terms)

From the image:

  • Branding looks like a modern SaaS/security vendor:
    • Logo + name: TDMSec.
    • Strong tagline: “We Stop Hackers Before They Stop You”.
    • Marketing promises: “Real AI that spots trouble fast”, “Zero‑Trust Security”, “Smart AI Detection – Catches 99.9% of brand‑new attacks…”.
    • Big red CTA buttons: “See It Live”, “Talk to Us”.
    • Metrics: “10M+ devices… 99.99% of threats… <3 min response… 24/7”.
  • The style is meant to:
    • Look like a serious, well-funded security brand.
    • Build trust quickly so visitors will:
      • Enter credentials, download something, or
      • Enable scripts / macros / remote access, depending on the final payload.

I can’t see what happens when you interact with it (download, form submit, etc.), so I don’t know the actual payload. But this kind of fake site typically leads to:

  • Malicious document/download delivery (loader, backdoor, infostealer).
  • Credential harvesting (corporate email, SSO, VPN).
  • Browser exploit chains (less common, but possible).

3. Relationship to Void Rabisu (at a high level)

Trend’s wording implies:

  • There are overlapping techniques (maybe infrastructure patterns, malware families, lure themes, or operational habits) with Void Rabisu.
  • But they don’t yet have sufficient evidence to say “this is Void Rabisu”.
  • So they’re being conservative and tracking it separately as SHADOW-VOID-042 until/if new evidence ties it clearly to Void Rabisu.

That’s a healthy way to handle attribution: cluster first, attribute later.

4. If you encounter this kind of email or site – what to do

Since we can’t safely assume any specific URL is malicious or safe, the best approach is cautious handling and verification.

For individual users

  • Don’t trust “security vendor” branding by itself. Check:
    • The exact domain name (typos, strange TLDs, non‑standard subdomains).
    • If you got there from an unsolicited email or DM.
    • If the content is pushing urgent downloads or login prompts.
  • Verify through official channels:
    • If the email claims to be from Trend (or any vendor), go to their official site by typing the URL yourself or using a known bookmark—not through the email link.
    • Contact your vendor rep or support via known contact info, not what’s in the suspicious email.
  • Scan any downloaded files with:
    • Your installed, reputable security suite, and/or
    • A multi‑scanner service like VirusTotal (only if the file is not sensitive).
  • If you clicked or opened a file already:
    • Run a full AV scan.
    • Change passwords for any accounts you might have entered on the site, starting with email and SSO.
    • If this is a work device, report it to your security/IT team immediately. Don’t try to hide it.

For organizations / defenders

Without making up IOCs for this specific case, generic but relevant steps include:

  • Harden email:
    • Use a secure email gateway with phishing/spear‑phishing detection.
    • Enforce DMARC, DKIM, and SPF for your own domains to reduce spoofing.
  • Block or tightly monitor newly observed security‑vendor‑looking domains that:
    • Appear in inbound email for the first time.
    • Aren’t in your allow‑list of legit vendors/partners.
  • User awareness:
    • Train staff (especially high‑value targets in defense/energy/exec roles) on:
      • Fake security-update emails.
      • Vendor-brand impersonation.
      • “We detected threats in your network – click here to fix” lures.
  • Logging and detection:
    • Monitor for unusual downloads from rarely seen domains classified as “security/software” but not known vendors.
    • Look for new processes spawned by Office/PDF readers, or LOLBins often abused in phishing chains (e.g. powershell, wscript, mshta, rundll32) after opening email attachments.
  • Incident response ready:
    • Have a playbook for spear‑phishing involving:
      • Host isolation,
      • Forensic triage,
      • Credential reset and SSO token revocation,
      • Threat hunting using whatever IOCs are published by vendors like Trend.

5. If you were specifically asking “Is this TDMSec site legit or malicious?”

  • I can’t safely determine that from here.
  • Trend’s article (from your excerpt) suggests this style of page was used as a decoy in a phishing campaign, which is enough reason to treat any lookalike very cautiously.
  • If you have the actual URL:
    • Submit it to a trusted URL scanning service or your security gateway.
    • Let your security team decide on blocking/allow‑listing based on confirmed intel (including the full Trend article and any IOCs they may publish).

Summary

From your description, Trend are documenting a Trend‑themed spear‑phishing campaign they’re temporarily calling SHADOW-VOID-042, with some overlap with Void Rabisu but no firm attribution yet. The screenshot shows a polished fake security vendor site used as a social‑engineering decoy. I can’t verify the specific site’s status, but anything matching this pattern should be treated as high‑risk: verify directly with the real vendor, scan downloads, and involve security/IT if there’s any chance someone interacted with it.
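The "check the exact domain name" advice for users and the "block or monitor newly observed security-vendor-looking domains that aren't on your allow-list" advice for defenders both come down to the same triage logic, so here it is as an added worked example (my code, not Trend's and not from the post above). It takes a hostname pulled from an inbound email link and scores it against a constructed vendor allow-list: typosquats and combosquats of an allow-listed name, the real vendor domain buried as a subdomain of someone else's registrant, and the weaker signals of security-themed branding plus an unusual TLD. The allow-list, keyword list and TLD list are all illustrative assumptions; the eTLD+1 split is deliberately crude (last two labels) and should be swapped for a public-suffix library in production.

```python
from difflib import SequenceMatcher

# Constructed allow-list: the vendors/partners an organisation actually uses.
# Names are illustrative; the real list comes from your own vendor inventory.
KNOWN_VENDOR_DOMAINS = ["trendmicro.com", "microsoft.com", "crowdstrike.com"]

# Words that fake "security vendor" domains tend to contain (constructed, non-exhaustive).
SECURITY_KEYWORDS = ("sec", "secure", "security", "defend", "protect", "threat", "cyber")

# TLDs rarely used for a real vendor's primary site (constructed list; tune to your data).
UNUSUAL_TLDS = {"top", "xyz", "click", "icu", "cfd", "rest", "zip", "mov"}


def registrable_domain(host):
    """Crude eTLD+1: last two labels, lower-cased, trailing dot removed.
    Fine for .com/.net style names; use a public-suffix list for co.uk and friends."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def assess_domain(host, allow_list=KNOWN_VENDOR_DOMAINS):
    """Classify a host seen in an inbound email link.
    Returns (verdict, reasons); verdict is 'allow', 'block', 'review' or 'unknown'."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in allow_list:
        return "allow", ["registrable domain is on the vendor allow-list"]

    name, _, tld = reg.rpartition(".")
    strong, weak = [], []
    for known in allow_list:
        kname = known.rpartition(".")[0]
        # 1. Typosquat: registrable name is a near-miss of an allow-listed vendor name.
        ratio = SequenceMatcher(None, name, kname).ratio()
        if name != kname and ratio >= 0.8:
            strong.append(f"'{name}' is {ratio:.2f} similar to allow-listed '{kname}'")
        # 2. Combosquat: vendor name embedded in a longer label (vendor-support.example).
        elif kname in name:
            strong.append(f"'{name}' embeds vendor name '{kname}' but is not their domain")
        # 3. Subdomain abuse: the real vendor domain used as a subdomain of another registrant.
        if host.startswith(known + ".") or ("." + known + ".") in host:
            strong.append(f"'{known}' appears as a subdomain of '{reg}'")

    # 4. Weak signals on their own only earn a manual review, not a block.
    if any(k in name for k in SECURITY_KEYWORDS):
        weak.append("security-vendor-style name that is not on the allow-list")
    if tld in UNUSUAL_TLDS:
        weak.append(f"unusual TLD '.{tld}'")

    if strong:
        return "block", strong + weak
    if weak:
        return "review", weak
    return "unknown", []


if __name__ == "__main__":
    # Constructed sample hosts as they might appear in inbound mail links.
    for h in ["mail.trendmicro.com", "trendmicr0.com", "trendmicro.com.evil.top",
              "trendmicro-support.com", "tdmsec.com", "example.org"]:
        verdict, reasons = assess_domain(h)
        print(f"{h:28} {verdict:8} {'; '.join(reasons)}")
```

The split between "block" and "review" is the point: a near-miss of a vendor you actually use is worth an automatic block at the gateway, while a polished "TDMSec"-style name on a normal TLD only earns a ticket for someone to look at, because a genuinely new vendor will trip the same weak signals.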
 
I've reviewed the primary Trend Micro report. This isn't a standard Void Rabisu/RomCom run; they are tracking it as SHADOW-VOID-042 specifically because they couldn't recover the final payload (Stage 3 returned a 404).

Mimics Trend Micro "Apex One" updates or HR complaints. Surprisingly old: CVE-2018-6065 (Chrome), though newer exploits are suspected. The shellcode generates a custom ID using the hostname and volume serial number before retrieving the next stage.

Watch for SystemProcessHost.exe in C:\ProgramData\Microsoft\Windows\ running as SYSTEM.

The 'TDMSec' decoy site mentioned is confirmed as their infrastructure. Treat as Void Rabisu-aligned but technically distinct until the payload is found.
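Two things in this thread translate directly into a process-creation hunt: the generic "Office/PDF reader spawning powershell, wscript, mshta, rundll32" check from the defender list earlier, and the SystemProcessHost.exe / C:\ProgramData\Microsoft\Windows\ / SYSTEM indicator named in the reply just above. Below is an added worked example (my code, not Trend's and not from either poster) that runs both rules over a handful of constructed Sysmon EventID 1 style records. The reader and LOLBin lists are my own assumptions; the path and account for the second rule are taken from the reply above as a hunt hypothesis, so confirm them against the actual Trend report before turning this into a blocking rule.

```python
import ntpath

# Parent processes that should almost never spawn scripting or loader binaries.
# Constructed list; extend with whatever document readers your fleet runs.
DOC_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "acrord32.exe", "acrobat.exe", "foxitreader.exe"}

# LOLBins commonly abused in phishing chains (the thread names the first four).
LOLBINS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}

# Host indicator quoted from the reply above (image name, directory, account).
# Assumption for the example: treat as a hypothesis to confirm, not ground truth.
SUSPECT_IMAGE = "systemprocesshost.exe"
SUSPECT_DIR = r"c:\programdata\microsoft\windows"
SYSTEM_ACCOUNT = r"nt authority\system"


def basename(path):
    """Case-folded file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def dirname(path):
    """Case-folded directory of a Windows path, without a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\")


def evaluate(event):
    """Return the list of rule names one Sysmon ProcessCreate (EventID 1) record matches."""
    hits = []
    if event.get("EventID") != 1:
        return hits
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    user = event.get("User", "").lower()

    # Rule 1: document reader spawning a LOLBin (classic maldoc / lure-attachment chain).
    if basename(parent) in DOC_READERS and basename(image) in LOLBINS:
        hits.append("doc_reader_spawns_lolbin")

    # Rule 2: the specific image/path/account combination from the reply above.
    if (basename(image) == SUSPECT_IMAGE and dirname(image) == SUSPECT_DIR
            and user == SYSTEM_ACCOUNT):
        hits.append("shadow_void_042_host_indicator")
    return hits


def hunt(events):
    """Return (event, hits) pairs for every record that matched at least one rule."""
    results = []
    for e in events:
        hits = evaluate(e)
        if hits:
            results.append((e, hits))
    return results


# Constructed sample records in the shape of Sysmon EventID 1 fields. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\jdoe",
     "CommandLine": "powershell.exe -nop -w hidden -c Start-Process notepad.exe"},
    {"EventID": 1,
     "Image": r"C:\ProgramData\Microsoft\Windows\SystemProcessHost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "SystemProcessHost.exe"},
    {"EventID": 1,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\jdoe",
     "CommandLine": "OUTLOOK.EXE"},
    {"EventID": 1,
     "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\jdoe",
     "CommandLine": "splwow64.exe"},
    {"EventID": 3,
     "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\NETWORK SERVICE"},
]


if __name__ == "__main__":
    for event, hits in hunt(SAMPLE_EVENTS):
        print(f"{', '.join(hits):32} {event['User']:26} {event['Image']}")
```

Rule 1 fires on the first record (WINWORD.EXE launching powershell.exe) and rule 2 on the second; the legitimate Outlook launch, the Word print helper and the non-process event fall through. Run the same logic against your SIEM's process-creation table rather than the sample list, and add the parent for rule 2 (services.exe versus a user shell) as a field in the alert, since how that binary got to run as SYSTEM is the first question the responder will ask.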