ESET Brand Exploited in Phishing Campaign Against Ukrainian Entities

Recent cybersecurity threats have emerged from a group known as InedibleOchotense, which is impersonating ESET, a Slovak cybersecurity firm. This phishing campaign targets Ukrainian entities and was identified in May 2025. The activities of InedibleOchotense are believed to align with Russian interests.

ESET Brand Exploited in Phishing Campaign

According to ESET, the attackers have employed spear-phishing emails and messages via Signal. These messages appear to come from ESET’s monitoring team, claiming suspicious activities on the recipients’ computers. Notably, the emails predominantly use the Ukrainian language but contain a Russian word, potentially indicating a translation oversight.

Details of the Phishing Attack

The phishing messages include links that direct victims to domains such as:

  • esetsmart[.]com
  • esetscanner[.]com
  • esetremover[.]com

When clicked, these links deliver a malicious installer disguised as ESET software. The installer bundles the legitimate ESET AV Remover but also deploys a C# backdoor variant named Kalambur. This backdoor enables remote access through the Remote Desktop Protocol (RDP) and communicates with its operators via the Tor network.
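As an added example (not code from the article or from ESET), a small Python detector that refangs the three indicators listed above and scans DNS query logs for them and for other domains carrying the ESET brand string; the log line format, the constructed sample lines and the single-entry allowlist of legitimate ESET domains are assumptions.

```python
import re

# Defanged indicators exactly as listed in the article (bracketed dots).
DEFANGED_PHISHING_DOMAINS = ["esetsmart[.]com", "esetscanner[.]com", "esetremover[.]com"]

# Assumption: only eset.com is treated as legitimate ESET infrastructure here;
# replace with the vendor's published domain list in a real deployment.
LEGITIMATE_ESET_DOMAINS = {"eset.com"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'esetsmart[.]com' into a usable hostname."""
    return indicator.replace("[.]", ".").lower().strip(".")

PHISHING_DOMAINS = {refang(d) for d in DEFANGED_PHISHING_DOMAINS}

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the .com domains in this campaign."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify(host: str) -> str:
    """'known_phishing', 'legitimate', 'lookalike' or 'unrelated' for a queried name."""
    base = registrable_domain(host)
    if base in PHISHING_DOMAINS:
        return "known_phishing"
    if base in LEGITIMATE_ESET_DOMAINS:
        return "legitimate"
    # Heuristic: brand string at a label start ('eset-support...'), so 'reset-pw.com' is not flagged.
    if re.search(r"(^|[^a-z0-9])eset", base):
        return "lookalike"
    return "unrelated"

# Constructed DNS query log (not from the article): "<timestamp> <client> <qname>".
SAMPLE_DNS_LOG = """\
2025-05-12T09:14:02Z 10.0.0.21 esetsmart.com
2025-05-12T09:14:03Z 10.0.0.21 www.eset.com
2025-05-12T09:15:40Z 10.0.0.34 update.esetremover.com
2025-05-12T09:16:10Z 10.0.0.34 eset-support-ua.net
2025-05-12T09:17:55Z 10.0.0.52 example.org
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s*$")

def scan_log(lines):
    """One record per query that hits a known phishing domain or an ESET-brand lookalike."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (verdict := classify(m["qname"])) in ("known_phishing", "lookalike"):
            hits.append({**m.groupdict(), "verdict": verdict})
    return hits
```

Running `scan_log(SAMPLE_DNS_LOG.splitlines())` over the constructed log flags the two known campaign domains and the brand lookalike while leaving the genuine www.eset.com query alone.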

Connections to Other Cyber Threats

ESET’s APT Activity Report notes that InedibleOchotense shares some tactics with previous campaigns linked to the Russian Sandworm hacking group, also known as APT44. There are indicators that suggest connections to a backdoor called BACKORDER. Furthermore, this campaign aligns with a sub-cluster observed by CERT-UA, known as UAC-0212.

CERT-UA has recently connected a similar campaign to another sub-cluster, UAC-0125. Matthieu Faou, a senior malware researcher at ESET, commented on these developments, highlighting the weak ties between InedibleOchotense and Sandworm. Despite some similarities with the UAC-0125 campaign, ESET has not confirmed these connections independently.

Recent Cyber Activities in Ukraine

Sandworm’s destructive activities in Ukraine remain a significant concern. Earlier in 2025, new malware types such as ZEROLOT and Sting targeted a university. Additionally, various data-wiping threats targeted critical infrastructure sectors, including government and energy.

The report indicates that another group, UAC-0099, facilitated initial access for Sandworm’s operations. During this period, another group aligned with Russian interests, known as RomCom, has also been active.

RomCom’s Involvement

RomCom has been executing spear-phishing campaigns exploiting a WinRAR vulnerability (CVE-2025-8088) since mid-July 2025. Their targets include finance and defense sectors across Europe and Canada. Successful breaches have led to the deployment of backdoors such as SnipBot and RustyClaw.

Initially focused on e-crime activities, RomCom has shifted to furthering nation-state goals amid ongoing geopolitical tensions. Security researcher Francis Guibernau suggests this change is driven by the current conflict in Ukraine.

As these threat actors evolve, the implications for cybersecurity in Ukraine and beyond remain severe and far-reaching. The resilience and vigilance of cybersecurity measures are more critical than ever in confronting these sophisticated threats.