A new cyber campaign has used fake ESET installers to distribute a backdoor malware called Kalambur against Ukrainian organizations.
According to The Hacker News, cybersecurity researchers have identified a previously unknown threat group, dubbed InedibleOchotense, running phishing and malware attacks that impersonate Slovak cybersecurity firm ESET. Detected in May 2025, the group has been linked to Russia-aligned activity targeting Ukrainian entities.
ESET’s APT Activity Report Q2–Q3 2025 says that the attackers distributed trojanized ESET installers through spear-phishing emails and Signal messages. These communications claimed to alert recipients about a “suspicious process” linked to their email address and urged them to install an “ESET tool” to resolve the issue. The fake installers were hosted on spoofed domains such as esetsmart[.]com, esetscanner[.]com, and esetremover[.]com.
Once downloaded, the malicious installer deployed both the legitimate ESET AV Remover and a C# backdoor named Kalambur (also known as SUMBUR). The malware uses the Tor network for command-and-control communications and can enable Remote Desktop Protocol (RDP) access on port 3389. It can also install OpenSSH, giving attackers persistent remote access to compromised systems.
ESET researchers found tactical overlaps between InedibleOchotense and other campaigns linked to Russia’s Sandworm group (APT44). These overlaps include the previously observed BACKORDER backdoor campaign and the UAC-0212 activity cluster. However, ESET has not confirmed whether InedibleOchotense is a direct offshoot of Sandworm.
CERT-UA, Ukraine’s Computer Emergency Response Team, reported similar campaigns attributed to UAC-0125, another Sandworm sub-cluster, suggesting that multiple related operations are active against Ukrainian targets.
“InedibleOchotense is a Russia-aligned threat actor that is weakly related to Sandworm, and that overlaps with Sandworm's BACKORDER-related campaign and UAC-0212,” said Matthieu Faou, senior malware researcher at ESET. He added that while some similarities exist with the UAC-0125 activity documented by CERT-UA, the connection remains unconfirmed.
ESET also reported ongoing destructive activity by Sandworm, including recent ZEROLOT and Sting wiper attacks targeting universities and organizations across Ukraine’s government, energy, and logistics sectors.
According to Industrial Cyber, cyberespionage pressure across Europe continues to escalate, driven by Russia-aligned groups expanding their operations. The publication noted that “governmental entities remained a primary focus of cyberespionage,” and even non-Ukrainian targets “exhibited strategic or operational links to Ukraine,” proving how central the country has become to Russian intelligence efforts. It added that “Gamaredon continued to be the most active threat actor operating within Ukraine,” while Sandworm “sustained its destructive campaigns” against sectors including energy, logistics, and grain.
Kalambur is a C#-based backdoor that communicates through the Tor network, allowing attackers to control infected machines, install additional tools, and enable remote desktop access.
By mimicking a trusted brand, attackers increase the likelihood that targets will download and execute malicious software, believing it to be legitimate security software.
Sandworm (APT44) is a Russia-linked hacking group known for destructive campaigns against Ukraine. InedibleOchotense appears to share tools and methods with Sandworm sub-clusters like UAC-0212 and UAC-0125.
Recent operations have targeted Ukraine’s government, energy, logistics, and education sectors, as well as European financial and defense organizations through associated groups like RomCom.
Verifying software downloads directly from official vendor domains, maintaining endpoint monitoring, and implementing code-signature validation are defenses against impersonation-based threats.
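The endpoint-monitoring defense above can be made concrete by correlating the three post-infection behaviours the article attributes to Kalambur (RDP enabled, OpenSSH installed, Tor used for command and control) on a single host. The following is an added example, not code from the article or from ESET; the telemetry lines and their `<host> <source> <detail>` format are constructed here, and the IP addresses are from the 192.0.2.0/24 documentation range.

```python
import re
from collections import defaultdict

# Constructed sample endpoint telemetry (not from the article or from ESET).
# Assumed format: "<host> <source> <detail>", one event per line.
SAMPLE_EVENTS = """\
WS-01 registry HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections=0
WS-01 service installed name=sshd path=C:\\Windows\\System32\\OpenSSH\\sshd.exe
WS-01 netconn proc=tor.exe dst=192.0.2.10:9001
WS-02 netconn proc=msedge.exe dst=192.0.2.20:443
WS-02 service installed name=Spooler path=C:\\Windows\\System32\\spoolsv.exe
WS-03 registry HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections=0
"""

# One rule per Kalambur behaviour named in the article, expressed as a pattern
# over the constructed event format (fDenyTSConnections=0 is how Windows
# records RDP being switched on; sshd is the OpenSSH server service name).
RULES = {
    "rdp_enabled": re.compile(
        r"^registry .*Terminal Server\\fDenyTSConnections=0$", re.I),
    "openssh_installed": re.compile(r"^service installed name=sshd\b", re.I),
    "tor_egress": re.compile(r"^netconn proc=tor(\.exe)? dst=", re.I),
}


def match_behaviours(events: str) -> dict[str, set[str]]:
    """Return {host: set of behaviour names matched} over the event text."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in events.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, rest = line.partition(" ")
        for name, pattern in RULES.items():
            if pattern.search(rest):
                seen[host].add(name)
    return dict(seen)


def flag_hosts(events: str, threshold: int = 2) -> list[str]:
    """Hosts showing at least `threshold` distinct behaviours.
    Any single behaviour (an admin enabling RDP, say) is too common to alert
    on by itself; the combination is what the article describes."""
    matched = match_behaviours(events)
    return sorted(h for h, names in matched.items() if len(names) >= threshold)


if __name__ == "__main__":
    for host in flag_hosts(SAMPLE_EVENTS):
        print(host, sorted(match_behaviours(SAMPLE_EVENTS)[host]))
```

In a real deployment the same rules would be fed from EDR or Sysmon registry, service-install and network events rather than from the constructed text above.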