Trojanized ESET Installers Deploy Kalambur Backdoor in Ukraine Phishing Attacks


In a disturbing trend, a new malware threat has emerged, targeting Ukrainian organizations through phishing attacks. This campaign, identified as InedibleOchotense, is linked to Russian threat actors. It involves deceptive emails purporting to be from the renowned Slovak cybersecurity firm ESET.

Details of the Phishing Campaign

This sophisticated operation began in May 2025. Security researchers found that InedibleOchotense was sending spear-phishing emails and messages via Signal. These communications contained links to a trojanized installer masquerading as legitimate ESET software.

  • Target: Ukrainian entities
  • Sender: InedibleOchotense
  • Method: Spear-phishing emails and Signal messages
  • Key software involved: Trojanized ESET installer

The malicious emails claimed that the recipient’s computer was at risk due to suspicious activity. One telling detail: the first line of the email included a Russian word, most likely a typo on the attackers’ part.

Malware Details

The trojanized installers were hosted on several domains, including esetsmart[.]com and esetscanner[.]com. When executed, these installers drop the legitimate ESET AV Remover alongside the Kalambur backdoor, a variant written in C# that uses the Tor network for command-and-control.

Kalambur can also drop OpenSSH and allow remote access via the Remote Desktop Protocol (RDP) on port 3389.
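As an added illustration (not code from the original article, from ESET or from CERT-UA), the following Python scanner refangs the two indicator domains quoted above and flags other queried domains that carry the ESET brand outside an allowlist; the DNS log format, the allowlist of legitimate ESET domains and the sample log lines are assumptions constructed for the example.

```python
import re
from typing import Optional

# Indicator domains quoted in the article, in their defanged form.
DEFANGED_IOCS = ["esetsmart[.]com", "esetscanner[.]com"]

# Assumed allowlist of legitimate ESET domains; tune it for your environment.
LEGIT_ESET_DOMAINS = {"eset.com", "eset.sk"}


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'esetsmart[.]com' back into a hostname."""
    return domain.replace("[.]", ".").lower()


KNOWN_BAD = {refang(d) for d in DEFANGED_IOCS}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (enough for .com/.sk style names)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str) -> Optional[str]:
    """Return a reason if the host looks like ESET brand abuse, else None."""
    base = registrable_domain(host)
    if base in KNOWN_BAD:
        return "known-ioc"
    if "eset" in base and base not in LEGIT_ESET_DOMAINS:
        return "eset-lookalike"
    return None


# Assumed log format: "<timestamp> <client-ip> query <qname>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$")


def scan_dns_log(lines):
    """Return (timestamp, source, qname, reason) tuples for suspicious queries."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        reason = classify(m["qname"])
        if reason:
            hits.append((m["ts"], m["src"], m["qname"].lower(), reason))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2025-05-12T09:01:02Z 10.0.0.15 query update.eset.com
2025-05-12T09:03:44Z 10.0.0.15 query esetsmart.com
2025-05-12T09:03:45Z 10.0.0.15 query download.esetscanner.com
2025-05-12T09:05:10Z 10.0.0.22 query eset-support-portal.net
2025-05-12T09:06:00Z 10.0.0.22 query www.example.org
""".splitlines()

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(*hit)
```

The lookalike rule is a heuristic and will need an allowlist of every legitimate ESET-branded domain seen in your own telemetry before it is used for alerting.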

Connection to Other Threat Actors

Security firm CERT-UA had previously linked similar activities to another threat actor identified as UAC-0125, also connected to the Sandworm group. ESET’s Matthieu Faou noted that while InedibleOchotense and Sandworm share some tactics, their affiliations are only weakly tied.

Wiper Malware Campaigns by Sandworm

Concurrent with InedibleOchotense’s activities, the Sandworm group has escalated its destructive campaigns in Ukraine. This has included recent attacks using wiper malware, targeting key sectors such as government and energy.

  • Wiper malware used: ZEROLOT and Sting
  • Target: Various sectors including education and logistics

These operations are reminders of the persistent risk posed by Russia-aligned groups in the region. As the conflict continues, attacks of this nature are expected to remain prevalent.

Other Threats: RomCom Exploits

Additionally, another Russia-aligned group known as RomCom has also been operating during this timeframe. This group has launched campaigns that exploit vulnerabilities in WinRAR software, specifically CVE-2025-8088, to infiltrate financial and defense sectors in Europe and Canada.

Security researchers emphasize the need for vigilance against these evolving threats. The landscape of cyber warfare is rapidly changing, and understanding these tactics is crucial for cybersecurity readiness.