A previously unidentified threat actor, aligned with Russian interests, has been discovered impersonating the cybersecurity firm ESET in a sophisticated phishing campaign against Ukrainian targets. The attacks, detected in May 2025, involved distributing malicious software installers that deployed a stealthy backdoor known as Kalambur.
Deceptive Phishing Lures and Communication Channels
The group, tracked by ESET as InedibleOchotense, employed targeted spear-phishing emails and Signal text messages to reach their victims. These messages contained links to trojanized versions of ESET software installers.
The phishing email, written in Ukrainian, pretended to be an official alert from ESET. It claimed that the company’s monitoring team had detected a suspicious process linked to the recipient’s email address, warning that their computers might be at risk. Security analysts noted a telling flaw: the first line of the email used a Russian word, likely a typo or translation error that betrayed the attackers’ origins.
Exploiting Trust and Deploying the Payload
This strategy was a deliberate attempt to exploit the widespread trust and usage of ESET products in Ukraine. The malicious links directed users to fraudulent domains designed to mimic legitimate ESET sites, such as esetsmart[.]com and esetscanner[.]com.
When executed, the installer performed a dual function. It correctly installed the legitimate ESET AV Remover tool to maintain the illusion of authenticity, while simultaneously deploying a variant of the Kalambur backdoor. This C#-coded malware uses the Tor network to communicate with its command-and-control servers, hides its presence, and can even enable Remote Desktop Protocol (RDP) access on the victim’s machine.
Connections to the Notorious Sandworm Group
ESET’s analysis suggests InedibleOchotense shares tactical overlaps with other campaigns, including one involving a backdoor called BACKORDER and another tracked by CERT-UA as UAC-0212, a known sub-cluster of the Russia-aligned Sandworm (APT44) hacking group.
The connection to Sandworm’s destructive operations is significant. ESET confirmed that Sandworm remained highly active in Ukraine during this period, launching new wiper malware like ZEROLOT and Sting against a university and targeting critical government, energy, and logistics sectors.
RomCom Group’s Separate Campaign Exploiting WinRAR
In a separate campaign during the same period, another Russia-aligned actor, RomCom, was also active. In mid-July 2025, RomCom’s spear-phishing campaigns weaponized a critical WinRAR vulnerability (CVE-2025-8088) to attack financial, defense, and manufacturing companies in Europe and Canada.
Successful attacks deployed a suite of backdoors, including SnipBot and RustyClaw. According to a profile by AttackIQ, RomCom has evolved from a profit-driven criminal tool into a utility leveraged in nation-state operations, closely following geopolitical events around the war in Ukraine to guide its targeting.