Trojanized ESET Installers Launch Kalambur Backdoor in Ukraine Phishing Attacks
Phishing attacks continue to threaten Ukrainian entities, and recent findings have linked these attacks to a new threat group called InedibleOchotense. This campaign began in May 2025 and seeks to deceive victims by impersonating the Slovak cybersecurity company ESET.
InedibleOchotense Campaign Overview
ESET has identified InedibleOchotense as a threat actor aligned with Russian interests. This group has been active in sending spear-phishing emails and messages, notably through the Signal platform. Recipients are often unknowingly lured into downloading trojanized ESET installers.
Phishing Tactics Employed
- Emails are primarily drafted in Ukrainian with Russian words, indicating possible translation errors.
- Messages claim that suspicious activity has been detected on the recipient’s computer.
- The installer is hosted on seemingly legitimate domains like esetsmart[.]com and esetremover[.]com.
When run, these trojanized installers deliver a legitimate ESET product alongside a backdoor known as Kalambur, also referred to as SUMBUR. The lure works because of ESET’s strong brand recognition in Ukraine.
Features of the Kalambur Backdoor
- Utilizes the Tor network for its command-and-control operations.
- Can deploy OpenSSH to establish secure connections.
- Enables remote access via Remote Desktop Protocol (RDP) on port 3389.
This approach illustrates how InedibleOchotense aims to mislead users into compromising their systems through trusted channels.
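As an added illustration (not code from ESET or the report), the checks below flag the two observable artefacts the article names: brand-impersonating hostnames such as esetsmart[.]com, and host telemetry matching the three Kalambur behaviours (Tor process, OpenSSH deployment, RDP enabled on 3389). The telemetry records and the eset.com legitimate root are constructed assumptions; the fDenyTSConnections registry value is the standard Windows switch for RDP, not something the report mentions.

```python
# Constructed inputs: the two defanged domains quoted in the report plus controls.
PHISHING_DOMAINS = ["esetsmart[.]com", "esetremover[.]com", "www.eset.com", "example.org"]

# Constructed Sysmon-like telemetry records (assumed shape, not from the report).
TELEMETRY = [
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\tor.exe"},
    {"type": "service", "name": "sshd", "image": r"C:\Program Files\OpenSSH\sshd.exe"},
    {"type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "value": "0"},
    {"type": "network", "direction": "inbound", "dst_port": 3389},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe"},
]


def refang(domain: str) -> str:
    """Turn a defanged indicator like esetsmart[.]com back into a real hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower()


def is_eset_lookalike(domain: str) -> bool:
    """True when the leftmost label borrows 'eset' but the host is outside eset.com (assumed legitimate root)."""
    host = refang(domain)
    if host == "eset.com" or host.endswith(".eset.com"):
        return False
    return "eset" in host.split(".")[0]


def kalambur_indicators(events) -> list:
    """Map telemetry records onto the three Kalambur behaviours named in the report."""
    hits = set()
    for ev in events:
        image = ev.get("image", "").lower()
        if ev["type"] == "process" and image.endswith("\\tor.exe"):
            hits.add("tor_c2")                 # Tor used for command and control
        if ev["type"] == "service" and (ev.get("name") == "sshd" or image.endswith("\\sshd.exe")):
            hits.add("openssh_deployed")       # OpenSSH dropped for a secure channel
        if ev["type"] == "registry" and ev["key"].endswith("\\fDenyTSConnections") and ev["value"] == "0":
            hits.add("rdp_enabled")            # RDP switched on via the Terminal Server key
        if ev["type"] == "network" and ev.get("direction") == "inbound" and ev.get("dst_port") == 3389:
            hits.add("rdp_enabled")            # inbound RDP on 3389 observed
    return sorted(hits)


if __name__ == "__main__":
    print([d for d in PHISHING_DOMAINS if is_eset_lookalike(d)])
    print(kalambur_indicators(TELEMETRY))
```

Any single hit warrants triage; all three together on one host match the behaviour profile the report describes.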
Relation to Other Threat Campaigns
InedibleOchotense demonstrates tactical similarities with other operations associated with the Sandworm hacking group. CERT-UA has previously connected a similar phishing campaign to UAC-0125, another subgroup within Sandworm. Matthieu Faou, a senior researcher at ESET, notes the complexities of these groups, maintaining that while overlaps exist, no definitive links have been established.
Ongoing Threats in Ukraine
While InedibleOchotense is active, other groups continue to pose threats in Ukraine. The Sandworm group has intensified its attacks, deploying destructive wiper malware such as ZEROLOT and Sting, targeting universities and essential sectors like government and energy.
Other Notable Threat Actors
Another group, RomCom, has recently emerged as a significant player in the cyber threat landscape. RomCom exploited a vulnerability in WinRAR (CVE-2025-8088) to initiate phishing campaigns against companies in Europe and Canada. Their focus has shifted from financial gain to objectives that align with state-sponsored activities, reflecting the ongoing geopolitical conflict in Ukraine.
As the cybersecurity landscape evolves, it is critical for organizations, especially in vulnerable regions like Ukraine, to remain vigilant against phishing threats and backdoor deployments.