Russian hackers impersonate ESET in phishing campaign targeting Ukraine
Farah Amod
November 25, 2025
A new cyber campaign has used fake ESET installers to distribute a backdoor malware called Kalambur against Ukrainian organizations.
What happened
According to The Hacker News, cybersecurity researchers have identified a previously unknown threat group, dubbed InedibleOchotense, running phishing and malware attacks that impersonate Slovak cybersecurity firm ESET. Detected in May 2025, the group has been linked to Russia-aligned activity targeting Ukrainian entities.
ESET’s APT Activity Report Q2–Q3 2025 says that the attackers distributed trojanized ESET installers through spear-phishing emails and Signal messages. These communications claimed to alert recipients about a “suspicious process” linked to their email address and urged them to install an “ESET tool” to resolve the issue. The fake installers were hosted on spoofed domains such as esetsmart[.]com, esetscanner[.]com, and esetremover[.]com.
Going deeper
Once downloaded, the malicious installer deployed both the legitimate ESET AV Remover and a C# backdoor named Kalambur (also known as SUMBUR). The malware uses the Tor network for command-and-control communications and can enable Remote Desktop Protocol (RDP) access on port 3389. It can also install OpenSSH, giving attackers persistent remote access to compromised systems.
ESET researchers found tactical overlaps between InedibleOchotense and other activity linked to Russia’s Sandworm group (APT44): the campaign that delivered the previously observed BACKORDER backdoor, and the activity cluster CERT-UA tracks as UAC-0212. However, ESET has not confirmed whether InedibleOchotense is a direct offshoot of Sandworm.
CERT-UA, Ukraine’s Computer Emergency Response Team, reported similar campaigns attributed to UAC-0125, another Sandworm sub-cluster, suggesting that multiple related operations are active against Ukrainian targets.
What was said
“InedibleOchotense is a Russia-aligned threat actor that is weakly related to Sandworm, and that overlaps with Sandworm's BACKORDER-related campaign and UAC-0212,” said Matthieu Faou, senior malware researcher at ESET. He added that while some similarities exist with the UAC-0125 activity documented by CERT-UA, the connection remains unconfirmed.
ESET also reported ongoing destructive activity by Sandworm, including recent ZEROLOT and Sting wiper attacks targeting universities and organizations across Ukraine’s government, energy, and logistics sectors.
The big picture
According to Industrial Cyber, cyberespionage pressure across Europe continues to escalate, driven by Russia-aligned groups expanding their operations. The publication noted that “governmental entities remained a primary focus of cyberespionage,” and even non-Ukrainian targets “exhibited strategic or operational links to Ukraine,” showing how central the country has become to Russian intelligence efforts. It added that “Gamaredon continued to be the most active threat actor operating within Ukraine,” while Sandworm “sustained its destructive campaigns” against sectors including energy, logistics, and grain.
FAQs
What is the Kalambur backdoor, and how does it work?
Kalambur is a C#-based backdoor that communicates through the Tor network, allowing attackers to control infected machines, install additional tools, and enable remote desktop access.
Why do attackers impersonate cybersecurity companies like ESET?
By mimicking a trusted brand, attackers increase the likelihood that targets will download and execute malicious software, believing it to be legitimate security software.
Who is Sandworm, and how are they connected to this attack?
Sandworm (APT44) is a Russia-linked hacking group known for destructive campaigns against Ukraine. InedibleOchotense appears to share tools and methods with Sandworm sub-clusters like UAC-0212 and UAC-0125.
What sectors have been targeted by these related campaigns?
Recent operations have targeted Ukraine’s government, energy, logistics, and education sectors; other Russia-aligned groups covered in the same ESET report, such as RomCom, have targeted European financial and defense organizations.
How can organizations defend against Trojanized installer attacks?
Download installers only from the vendor’s official domains (not lookalikes such as esetsmart[.]com), validate the installer’s code signature against the vendor’s publisher before running it, and keep endpoint monitoring in place so that post-install behaviour of the kind Kalambur exhibits, such as RDP being enabled on port 3389 or OpenSSH being installed, is detected even when the lure succeeds.
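As an added example (not code from the article, ESET, or CERT-UA), the Python below implements two of these checks. It scans proxy log lines for hosts that carry the vendor’s brand name outside the vendor’s own domain, which is the pattern of esetsmart[.]com, esetscanner[.]com, and esetremover[.]com described above, and it rejects an installer whose download host is not an allowed vendor domain or whose SHA-256 does not match a hash pinned out of band. The trusted-domain list is an assumption, and the log lines and installer bytes are constructed for the example.

```python
"""Added example: flag brand-impersonating download hosts and pin installer hashes.
Not ESET's or the article's code. TRUSTED_DOMAINS is an assumption; the log
lines and SAMPLE_INSTALLER bytes are constructed, not captured data."""
import hashlib
import hmac
import re
from urllib.parse import urlparse

BRAND = "eset"
# Assumption: the vendor's only legitimate registrable domain. Extend per vendor.
TRUSTED_DOMAINS = {"eset.com"}

# Constructed proxy log: timestamp, client IP, method, URL, HTTP status.
# The lookalike hosts mirror the spoofed domains named in the article.
SAMPLE_PROXY_LOG = """\
2025-05-12T09:14:02Z 10.0.0.21 GET https://download.eset.com/sample/avremover.exe 200
2025-05-12T09:15:40Z 10.0.0.34 GET https://esetsmart.com/ESET-Tool.exe 200
2025-05-12T09:16:11Z 10.0.0.34 GET https://esetscanner.com/update.php 200
2025-05-12T09:17:05Z 10.0.0.57 GET https://www.eset.com/int/ 200
2025-05-12T09:18:30Z 10.0.0.12 GET https://eset.com.support-portal.example/tool.exe 200
2025-05-12T09:19:00Z 10.0.0.12 GET https://example.org/index.html 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. download.eset.com -> eset.com.
    Good enough for .com-style TLDs; use a public-suffix list for production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_brand_lookalike(host: str) -> bool:
    """True when the full hostname mentions the brand but its registrable
    domain is not one the vendor controls (catches esetsmart.com as well as
    eset.com.<attacker-domain> subdomain tricks)."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return False
    return BRAND in host


def find_lookalike_downloads(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, host) for every request to a lookalike host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts, client, _method, url, _status = m.groups()
        host = urlparse(url).hostname or ""
        if is_brand_lookalike(host):
            hits.append((ts, client, host))
    return hits


# Constructed stand-in for a downloaded installer; not a real binary.
SAMPLE_INSTALLER = b"MZ\x90\x00" + b"constructed installer bytes for the example"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(url: str, data: bytes, pinned_sha256: str) -> list[str]:
    """Return the reasons to reject a download; an empty list means it passed.
    pinned_sha256 is the hash the vendor publishes, obtained out of band, never
    from the same page or message that supplied the download link."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    problems = []
    if parsed.scheme != "https":
        problems.append("not https")
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        problems.append(f"untrusted host {host}")
    if not hmac.compare_digest(sha256_hex(data), pinned_sha256.lower()):
        problems.append("sha256 mismatch")
    return problems


if __name__ == "__main__":
    for ts, client, host in find_lookalike_downloads(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} fetched from brand lookalike host {host}")
    pinned = sha256_hex(SAMPLE_INSTALLER)
    print(verify_download("https://download.eset.com/sample/avremover.exe", SAMPLE_INSTALLER, pinned))
    print(verify_download("https://esetsmart.com/ESET-Tool.exe", SAMPLE_INSTALLER, pinned))
```

The hash pin covers the "official domain" and "integrity" halves of the FAQ answer; it does not replace a code-signature check. On Windows the signature of the downloaded file can be inspected with the built-in Get-AuthenticodeSignature cmdlet, and the result should be compared against the vendor's expected publisher, not merely against "Valid".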
