{"id":52125,"date":"2023-05-30T00:00:00","date_gmt":"2023-05-30T00:00:00","guid":{"rendered":"urn:uuid:b9d5e772-e166-d285-e125-5817d7a5efa8"},"modified":"2023-05-30T00:00:00","modified_gmt":"2023-05-30T00:00:00","slug":"void-rabisus-use-of-romcom-backdoor-shows-a-growing-shift-in-threat-actors-goals","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/void-rabisus-use-of-romcom-backdoor-shows-a-growing-shift-in-threat-actors-goals\/","title":{"rendered":"Void Rabisu\u2019s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors\u2019 Goals"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/void-rabisu%E2%80%99s-use-of-romcom-backdoor-shows-a-growing-shift-in-threat-actors%E2%80%99-goals-\/RomCom-header.jpg\"><\/p>\n<p><i>With contributions from Veronica Chierzi and Jayvee Mark Villaroman<\/i><\/p>\n<p>Since the start of <a href=\"https:\/\/www.cnbc.com\/2022\/02\/24\/russian-forces-invade-ukraine.html\" target=\"_blank\" rel=\"noopener\">the war in Ukraine<\/a> in February 2022, the number of cyber campaigns against Ukraine and North Atlantic Treaty Organization (NATO) countries has increased significantly. These campaigns come from many different angles: known advanced persistent threat (APT) actors, APT actors that were not publicly reported on before, and cyber mercenaries, hacktivists, and criminal actors who appear to have shifted from purely financial motives to geopolitical goals. 
In the past, these actors had different motivations, modes of operation, and targets, but the line between their campaigns has started to blur: Not only is an overlap in their targeting becoming apparent, but the distinction between their modes of operation is less clear. For instance, in 2022, one of <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-conti\" target=\"_blank\" rel=\"noopener\">Conti<\/a>\u2019s affiliates was found to be <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/former-conti-ransomware-members-join-initial-access-broker-ukraine\" target=\"_blank\" rel=\"noopener\">using its initial access techniques against Ukraine<\/a> instead of using them to spread <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/Ransomware\" target=\"_blank\" rel=\"noopener\">ransomware<\/a>.<\/p>\n<p>Another example of this is Void Rabisu, also known as Tropical Scorpius, an actor believed to be associated with <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-cuba\" target=\"_blank\" rel=\"noopener\">Cuba ransomware<\/a> and the RomCom backdoor. Because of its many ransomware attacks, Void Rabisu was believed to be financially motivated, even though <a href=\"https:\/\/www.reuters.com\/world\/europe\/montenegro-blames-criminal-gang-cyber-attacks-government-2022-08-31\/\" target=\"_blank\" rel=\"noopener\">its associated Cuba ransomware allegedly attacked the parliament of Montenegro in August 2022<\/a>, which could be considered part of a geopolitical agenda. 
The motives of Void Rabisu seem to have changed since at least October 2022, when Void Rabisu\u2019s associated RomCom backdoor was reported to have been used in attacks against the Ukrainian government and military: In a campaign in December 2022, <a href=\"https:\/\/thehackernews.com\/2022\/12\/ukraines-delta-military-system-users.html\" target=\"_blank\" rel=\"noopener\">a fake version of the Ukrainian army\u2019s DELTA situational awareness website<\/a> was used to lure targets into installing the RomCom backdoor. Normally, this kind of brazen attack would be thought to be the work of a nation state-sponsored actor, but in this case, the indicators clearly pointed towards Void Rabisu, and some of the tactics, techniques, and procedures (TTPs) used were typically associated with cybercrime.<\/p>\n<p>Trend Micro\u2019s telemetry and research corroborate that the RomCom backdoor has been used in geopolitically motivated attacks since at least October 2022, with targets that included organizations in Ukraine\u2019s energy and water utility sectors. Targets outside of Ukraine were observed as well, such as a provincial local government that provides help to Ukrainian refugees, a parliament member of a European country, a European defense company, and various IT service providers in Europe and the US. Independent research from Google showed that <a href=\"https:\/\/blog.google\/threat-analysis-group\/ukraine-remains-russias-biggest-cyber-focus-in-2023\/\" target=\"_blank\" rel=\"noopener\">RomCom was being used in campaigns against attendees of the Masters of Digital conference<\/a>, a conference organized by DIGITALEUROPE, and the Munich Security Conference.<\/p>\n<p>In this blog entry, we will discuss how the use of the RomCom backdoor fits into the current landscape, where politically motivated attacks are not committed by nation-state actors alone. 
Even though we cannot confirm coordination between the different attacks, Ukraine and countries that support Ukraine are being targeted by various actors, like APT actors, hacktivists, cyber mercenaries, and cybercriminals like Void Rabisu. We will also delve into how RomCom has evolved over time and how the backdoor is spread both by methods that resemble APT operations and by methods used in prominent cybercriminal campaigns currently taking place, to show that RomCom is using more detection evasion techniques that are popular among the most impactful cybercriminals.<\/p>\n<p>We assess that RomCom makes use of the same third-party services that are being utilized by other criminal actors as well, like malware signing and binary encryption. RomCom has been spread through numerous lure sites that are sometimes set up in rapid bursts. These lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult. Void Rabisu is one of the most evident examples of financially motivated threat actors whose goals and motivations are becoming more aligned under extraordinary geopolitical circumstances, and we anticipate that this will happen more in the future.<\/p>\n<h4>RomCom campaigns<\/h4>\n<p>We have been tracking RomCom campaigns since the summer of 2022, and since then, have seen an escalation in its detection evasion methods: Not only do the malware samples routinely use VMProtect to make both manual and automated sandbox analysis more difficult, they also utilize binary padding techniques on the payload files. This adds a significant amount of overlay bytes to the files, increasing the size of the malicious payload (we&#8217;ve seen a file of 1.7 gigabytes). 
Additionally, a new routine has been recently added that involves the encryption of the payload files, which can only be decrypted if a certain key is downloaded to activate the payload.<\/p>\n<p>In addition to these technical evasion techniques, RomCom is being distributed using lure sites that often appear legitimate and are being utilized in narrow targeting. This makes automated blocking of these lure websites through web reputation systems harder. Void Rabisu has been using Google Ads to entice their targets to visit the lure sites, similar to <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/l\/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html\" target=\"_blank\" rel=\"noopener\">a campaign that distributed the IcedID botnet in December 2022<\/a>. A key difference is that while IcedID\u2019s targeting was wider, Void Rabisu probably opted for the narrower targeting that Google Ads offers to its advertisers. RomCom campaigns also make use of highly targeted spear phishing emails.<\/p>\n<p>On the RomCom lure sites, targets are offered trojanized versions of legitimate applications, like chat apps such as AstraChat and Signal, PDF readers, remote desktop apps, password managers, and other tools that are typically used by system administrators.<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/e\/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Void Rabisu, a malicious actor believed to be associated with the RomCom backdoor, was thought to be driven by financial gain because of its ransomware attacks. But in this blog entry, we discuss how the use of the RomCom backdoor in recent attacks shows how Void Rabisu&#8217;s motives seem to have changed since at least October 2022. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":52126,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9511,9534,9513,9509],"class_list":["post-52125","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-latest-news","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/52125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=52125"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/52125\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/52126"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=52125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=52125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=52125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}