SHADOW-VOID-042 Targets Multiple Industries With Void Rabisu-Like Tactics

    Date: 12/12/2025

    Severity: High

    Summary

    During October and November 2025, a series of campaigns targeting the energy, defense, pharmaceutical, and cybersecurity sectors displayed traits consistent with earlier operations linked to Void Rabisu (also known as ROMCOM, Tropical Scorpius, or Storm-0978). Void Rabisu is associated with a threat actor group driven by both financial and intelligence-gathering objectives aligned with Russian interests. We are currently tracking these activities under a provisional intrusion set, SHADOW-VOID-042, until additional evidence enables a high-confidence attribution.

    Indicators of Compromise (IOC) List

    Domains/URLs:


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "tmsec-blog.online" or url like "tmsec-blog.online" or siteurl like "tmsec-blog.online" or domainname like "re-tdmsec.zone" or url like "re-tdmsec.zone" or siteurl like "re-tdmsec.zone" or domainname like "tdmsec.expert" or url like "tdmsec.expert" or siteurl like "tdmsec.expert" or domainname like "tmsec-blog.live" or url like "tmsec-blog.live" or siteurl like "tmsec-blog.live" or domainname like "tdm-sec.pub" or url like "tdm-sec.pub" or siteurl like "tdm-sec.pub" or domainname like "tdmsec.pub" or url like "tdmsec.pub" or siteurl like "tdmsec.pub" or domainname like "redirect-workspace.com" or url like "redirect-workspace.com" or siteurl like "redirect-workspace.com" or domainname like "gotomind.net" or url like "gotomind.net" or siteurl like "gotomind.net" or domainname like "tdmsec.online" or url like "tdmsec.online" or siteurl like "tdmsec.online" or domainname like "docs-live.works" or url like "docs-live.works" or siteurl like "docs-live.works" or domainname like "docs-workspace.online" or url like "docs-workspace.online" or siteurl like "docs-workspace.online" or domainname like "tdmsec.com" or url like "tdmsec.com" or siteurl like "tdmsec.com" or domainname like "docs-workspace.live" or url like "docs-workspace.live" or siteurl like "docs-workspace.live" or domainname like "tdmsecsys.online" or url like "tdmsecsys.online" or siteurl like "tdmsecsys.online" or domainname like "retdmsec.live" or url like "retdmsec.live" or siteurl like "retdmsec.live" or domainname like "buyiceecream.com" or url like "buyiceecream.com" or siteurl like "buyiceecream.com" or domainname like "re-tdm-sec.online" or url like "re-tdm-sec.online" or siteurl like "re-tdm-sec.online" or domainname like "form-space.org" or url like "form-space.org" or siteurl like "form-space.org" or domainname like "tdmsecure.zone" or url like "tdmsecure.zone" or siteurl like "tdmsecure.zone" or domainname like "tdmsec-analysis.live" or url like "tdmsec-analysis.live" or siteurl 
like "tdmsec-analysis.live" or domainname like "tm-blog.live" or url like "tm-blog.live" or siteurl like "tm-blog.live" or domainname like "tdmsecurity.pub" or url like "tdmsecurity.pub" or siteurl like "tdmsecurity.pub" or domainname like "doubletwistertop.com" or url like "doubletwistertop.com" or siteurl like "doubletwistertop.com" or domainname like "tdmsec-analysis.online" or url like "tdmsec-analysis.online" or siteurl like "tdmsec-analysis.online" or domainname like "tdmsecure.live" or url like "tdmsecure.live" or siteurl like "tdmsecure.live" or domainname like "re-tdmsec.online" or url like "re-tdmsec.online" or siteurl like "re-tdmsec.online" or domainname like "tdmsecglobal.pub" or url like "tdmsecglobal.pub" or siteurl like "tdmsecglobal.pub" or domainname like "re-tdmsec.live" or url like "re-tdmsec.live" or siteurl like "re-tdmsec.live" or domainname like "tdmsecglobal.zone" or url like "tdmsecglobal.zone" or siteurl like "tdmsecglobal.zone" or domainname like "form-direct.live" or url like "form-direct.live" or siteurl like "form-direct.live" or domainname like "re-tdm-sec.live" or url like "re-tdm-sec.live" or siteurl like "re-tdm-sec.live" or domainname like "tm-blog.online" or url like "tm-blog.online" or siteurl like "tm-blog.online" or domainname like "tdmsecglobal.online" or url like "tdmsecglobal.online" or siteurl like "tdmsecglobal.online" or domainname like "drivemyfile.com" or url like "drivemyfile.com" or siteurl like "drivemyfile.com"

    Detection Query 2:

    domainname like "re-tdmsec.pub" or url like "re-tdmsec.pub" or siteurl like "re-tdmsec.pub" or domainname like "re-tdmsec.software" or url like "re-tdmsec.software" or siteurl like "re-tdmsec.software" or domainname like "tdm-sec.news" or url like "tdm-sec.news" or siteurl like "tdm-sec.news" or domainname like "tdm-sec.online" or url like "tdm-sec.online" or siteurl like "tdm-sec.online" or domainname like "tdm-sec.software" or url like "tdm-sec.software" or siteurl like "tdm-sec.software" or domainname like "tdmsec.consulting" or url like "tdmsec.consulting" or siteurl like "tdmsec.consulting" or domainname like "tdmsec.live" or url like "tdmsec.live" or siteurl like "tdmsec.live" or domainname like "tdmsec.social" or url like "tdmsec.social" or siteurl like "tdmsec.social" or domainname like "tdmsecglobal.live" or url like "tdmsecglobal.live" or siteurl like "tdmsecglobal.live" or domainname like "tdmseclabs.consulting" or url like "tdmseclabs.consulting" or siteurl like "tdmseclabs.consulting" or domainname like "tdmseclabs.live" or url like "tdmseclabs.live" or siteurl like "tdmseclabs.live" or domainname like "tdmseclabs.online" or url like "tdmseclabs.online" or siteurl like "tdmseclabs.online" or domainname like "tdmseclabs.pub" or url like "tdmseclabs.pub" or siteurl like "tdmseclabs.pub" or domainname like "tdmseclabs.software" or url like "tdmseclabs.software" or siteurl like "tdmseclabs.software" or domainname like "tdmsecsys.live" or url like "tdmsecsys.live" or siteurl like "tdmsecsys.live" or domainname like "tdmsecsys.pub" or url like "tdmsecsys.pub" or siteurl like "tdmsecsys.pub" or domainname like "tdmsecsys.social" or url like "tdmsecsys.social" or siteurl like "tdmsecsys.social" or domainname like "tdmsecsys.software" or url like "tdmsecsys.software" or siteurl like "tdmsecsys.software" or domainname like "tdmsecsys.zone" or url like "tdmsecsys.zone" or siteurl like "tdmsecsys.zone" or domainname like "tdmsecteam.live" or url like 
"tdmsecteam.live" or siteurl like "tdmsecteam.live" or domainname like "tdmsecteam.online" or url like "tdmsecteam.online" or siteurl like "tdmsecteam.online" or domainname like "tdmsecteam.pub" or url like "tdmsecteam.pub" or siteurl like "tdmsecteam.pub" or domainname like "tdmsecteam.software" or url like "tdmsecteam.software" or siteurl like "tdmsecteam.software" or domainname like "tdmsecteam.zone" or url like "tdmsecteam.zone" or siteurl like "tdmsecteam.zone" or domainname like "tdmsecure.consulting" or url like "tdmsecure.consulting" or siteurl like "tdmsecure.consulting" or domainname like "tdmsecure.online" or url like "tdmsecure.online" or siteurl like "tdmsecure.online" or domainname like "tdmsecure.pub" or url like "tdmsecure.pub" or siteurl like "tdmsecure.pub" or domainname like "tdmsecure.software" or url like "tdmsecure.software" or siteurl like "tdmsecure.software" or domainname like "tdmsecurity.consulting" or url like "tdmsecurity.consulting" or siteurl like "tdmsecurity.consulting" or domainname like "tdmsecurity.live" or url like "tdmsecurity.live" or siteurl like "tdmsecurity.live" or domainname like "tdmsecurity.online" or url like "tdmsecurity.online" or siteurl like "tdmsecurity.online" or domainname like "tdmsecurity.social" or url like "tdmsecurity.social" or siteurl like "tdmsecurity.social" or domainname like "tm-blog.pub" or url like "tm-blog.pub" or siteurl like "tm-blog.pub" or domainname like "tm-blog.social" or url like "tm-blog.social" or siteurl like "tm-blog.social" or domainname like "tmsec-blog.pub" or url like "tmsec-blog.pub" or siteurl like "tmsec-blog.pub" or domainname like "tmsec-blog.software" or url like "tmsec-blog.software" or siteurl like "tmsec-blog.software" or domainname like "forms-gle.online" or url like "forms-gle.online" or siteurl like "forms-gle.online" or domainname like "forms.works" or url like "forms.works" or siteurl like "forms.works" or domainname like "linkeedservice.com" or url like 
"linkeedservice.com" or siteurl like "linkeedservice.com" or domainname like "linkerseervice.com" or url like "linkerseervice.com" or siteurl like "linkerseervice.com"
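    A defender-side check over the same three fields the queries above use (domainname, url, siteurl), written here as an added example; it is not Gurucul's query nor code from the referenced Trend Micro research. It uses a handful of the advisory's listed domains and constructed sample events, and matches on label boundaries so that subdomains of a listed domain hit while look-alike hosts that merely contain the string do not:

```python
from typing import Optional
from urllib.parse import urlsplit

# Subset of the domains listed in the advisory's IOC section; in practice the
# full list would be loaded from the feed rather than hard-coded.
IOC_DOMAINS = {
    "tdmsec.com", "tdmsec.online", "docs-workspace.live",
    "forms-gle.online", "linkeedservice.com", "redirect-workspace.com",
}

# Constructed sample events shaped like the query fields; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "domainname": "tdmsec.com"},
    {"id": 2, "url": "https://cdn.docs-workspace.live/path/file.docx"},
    {"id": 3, "siteurl": "https://nottdmsec.com/login"},         # near-miss
    {"id": 4, "url": "http://forms-gle.online.example.net/x"},  # listed name as a prefix
    {"id": 5, "domainname": "TDMSEC.ONLINE"},                    # case difference
]


def extract_host(value: str) -> str:
    """Return the lowercase host from either a bare domain or a full URL."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # let urlsplit treat a bare domain as the netloc
    return (urlsplit(v).hostname or "").rstrip(".")


def matches_ioc(host: str, iocs=IOC_DOMAINS) -> Optional[str]:
    """Match the host or any parent domain of it against the IOC set.

    A plain substring comparison would also fire on nottdmsec.com or on
    forms-gle.online.example.net; checking whole labels avoids both."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_events(events, iocs=IOC_DOMAINS):
    """Return (event id, matched field, matched IOC) for every event that hits."""
    hits = []
    for ev in events:
        for field in ("domainname", "url", "siteurl"):
            if field in ev:
                ioc = matches_ioc(extract_host(ev[field]), iocs)
                if ioc:
                    hits.append((ev["id"], field, ioc))
    return hits
```

Running scan_events(SAMPLE_EVENTS) flags events 1, 2 and 5 only; events 3 and 4 are the cases a bare substring match would wrongly report.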

    Reference: 

    https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html


    Tags: Threat Actor, SHADOW-VOID-042, Void Rabisu-like, Romcom, Russia, Defense Industrial Base, Healthcare and Public Health, Energy