Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine

A previously unknown threat activity cluster has been observed impersonating Slovak cybersecurity company ESET as part of phishing attacks targeting Ukrainian entities.

The campaign, detected in May 2025, is tracked by the security outfit under the moniker InedibleOchotense, describing it as Russia-aligned.

“InedibleOchotense sent spear-phishing emails and Signal text messages, containing a link to a trojanized ESET installer, to multiple Ukrainian entities,” ESET said in its APT Activity Report Q2 2025–Q3 2025 shared with The Hacker News.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

InedibleOchotense is assessed to share tactical overlaps with a campaign documented by EclecticIQ that involved the deployment of a backdoor called BACKORDER and by CERT-UA as UAC-0212, which it describes as a sub-cluster within the Sandworm (aka APT44) hacking group.

While the email message is written in Ukrainian, ESET said the first line uses a Russian word, likely indicating a typo or a translation error. The email, which purports to be from ESET, claims its monitoring team detected a suspicious process associated with their email address and that their computers might be at risk.

The activity is an attempt to capitalize on the widespread use of ESET software in the country and its brand reputation to trick recipients into installing malicious installers hosted on domains such as esetsmart[.]com, esetscanner[.]com, and esetremover[.]com.

The installer is designed to deliver the legitimate ESET AV Remover, alongside a variant of a C# backdoor dubbed Kalambur (aka SUMBUR), which uses the Tor anonymity network for command-and-control. It’s also capable of dropping OpenSSH and enabling remote access via the Remote Desktop Protocol (RDP) on port 3389.

It’s worth noting that CERT-UA, in a report published last month, attributed a nearly identical campaign to UAC-0125, another sub-cluster within Sandworm.

Sandworm Wiper Attacks in Ukraine

Sandworm, per ESET, has continued to mount destructive campaigns in Ukraine, launching two wiper malware tracked as ZEROLOT and Sting aimed at an unnamed university in April 2025, followed by the deployment of multiple data-wiping malware variants targeting government, energy, logistics, and grain sectors.

“During this period, we observed and confirmed that the UAC-0099 group conducted initial access operations and subsequently transferred validated targets to Sandworm for follow-up activity,” the company said. “These destructive attacks by Sandworm are a reminder that wipers very much remain a frequent tool of Russia-aligned threat actors in Ukraine.”

RomCom Exploits WinRAR 0-Day in Attacks

Another Russia-aligned threat actor of note that has been active during the time period is RomCom (aka Storm-0978, Tropical Scorpius, UNC2596, or Void Rabisu), which launched spear-phishing campaigns in mid-July 2025 that weaponized a WinRAR vulnerability (CVE-2025-8088, CVSS score: 8.8) as part of attacks targeting financial, manufacturing, defense, and logistics companies in Europe and Canada.

“Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot [aka SingleCamper or RomCom RAT 5.0] variant, RustyClaw, and a Mythic agent,” ESET said.

In a detailed profile of RomCom in late September 2025, AttackIQ characterized the hacking group as closely keeping an eye out for geopolitical developments surrounding the war in Ukraine, and leveraging them to carry out credential harvesting and data exfiltration activities likely in support of Russian objectives.

“RomCom was initially developed as an e-crime commodity malware, engineered to facilitate the deployment and persistence of malicious payloads, enabling its integration into prominent and extortion-focused ransomware operations,” security researcher Francis Guibernau said. “RomCom transitioned from a purely profit-driven commodity to become a utility leveraged in nation-state operations.”

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.