
Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine

Medium
Malware
Published: Thu Nov 06 2025 (11/06/2025, 15:31:00 UTC)
Source: The Hacker News

Description

A Russia-aligned threat actor named InedibleOchotense has been conducting spear-phishing campaigns targeting Ukrainian entities by impersonating the Slovak cybersecurity company ESET. The attackers distribute trojanized ESET installers that deliver a legitimate ESET AV Remover alongside a C# backdoor called Kalambur, which uses Tor for command-and-control and enables remote access via OpenSSH and RDP. This campaign leverages ESET's brand reputation and widespread use in Ukraine to trick victims into installing malicious software. The threat actor overlaps with the Sandworm APT group and its sub-clusters, known for destructive attacks in Ukraine. While primarily targeting Ukraine, the use of legitimate software and remote access capabilities pose risks to European organizations using ESET products. The threat is medium severity due to the complexity of exploitation and targeted nature but has significant potential impact on confidentiality and availability. Defenders should focus on verifying software sources, monitoring network traffic for Tor connections, and restricting RDP access. Countries with high ESET usage and geopolitical ties to the conflict are most at risk.

AI-Powered Analysis

AI analysis last updated: 11/08/2025, 02:53:23 UTC

Technical Analysis

In May 2025, a previously unknown threat cluster named InedibleOchotense, assessed as Russia-aligned and weakly related to the Sandworm APT group, initiated spear-phishing campaigns targeting Ukrainian entities. The attackers impersonated ESET, a Slovak cybersecurity company widely used in Ukraine, by sending spear-phishing emails and Signal messages containing links to trojanized ESET installers hosted on deceptive domains like esetsmart[.]com. These installers deploy the legitimate ESET AV Remover tool alongside a malicious C# backdoor called Kalambur (also known as SUMBUR). Kalambur establishes command-and-control communications over the Tor network, enhancing anonymity and evasion. Additionally, the malware can drop OpenSSH and enable Remote Desktop Protocol (RDP) access on port 3389, facilitating persistent remote access and lateral movement within compromised networks. The campaign exploits the trust in ESET’s brand and software to bypass user suspicion. The threat actor shares tactical overlaps with Sandworm’s BACKORDER-related campaigns and sub-clusters UAC-0212 and UAC-0125, known for destructive wiper malware attacks in Ukraine’s government, energy, logistics, and grain sectors. While the email lure is written in Ukrainian, the presence of a Russian word suggests possible translation errors or operational nuances. The campaign’s medium severity reflects its targeted nature, the use of legitimate software as a delivery mechanism, and the capabilities for stealthy, persistent access without requiring complex exploitation or user interaction beyond initial installation. This threat highlights ongoing cyber operations aligned with geopolitical conflict in Eastern Europe, leveraging supply chain and social engineering tactics to compromise critical sectors.

Potential Impact

For European organizations, especially those with operational or strategic ties to Ukraine or using ESET security products, this threat poses significant risks. The trojanized installers can lead to unauthorized remote access, data exfiltration, espionage, and potential lateral movement within networks. The use of Tor for command-and-control complicates detection and attribution, increasing dwell time and potential damage. The enabling of OpenSSH and RDP access can facilitate further compromise, including deployment of additional malware or ransomware. Given the geopolitical context, organizations in critical infrastructure, government, defense, logistics, and energy sectors are at heightened risk. The campaign’s reliance on trusted software brands increases the likelihood of successful compromise, potentially undermining confidence in supply chain security. European entities supporting Ukraine or hosting Ukrainian diaspora communities may also be targeted for intelligence gathering or disruption. The medium severity indicates a credible threat that can cause moderate to severe operational and confidentiality impacts if not mitigated promptly.

Mitigation Recommendations

1. Implement advanced email filtering and anti-phishing controls that detect and quarantine spear-phishing attempts, especially those impersonating trusted vendors like ESET.
2. Monitor and block access to suspicious domains such as esetsmart[.]com, esetscanner[.]com, and esetremover[.]com, and establish threat intelligence feeds to detect emerging malicious infrastructure.
3. Enforce strict software installation policies, requiring verification of digital signatures and hashes for security tools, and educate users to download software only from official vendor sites.
4. Deploy endpoint detection and response (EDR) solutions capable of identifying anomalous behaviors such as unexpected RDP or OpenSSH service activations and Tor network traffic.
5. Harden remote access configurations by disabling unnecessary RDP and SSH services, enforcing multi-factor authentication, and restricting access via network segmentation and firewall rules.
6. Conduct regular threat hunting exercises focused on detecting Kalambur backdoor indicators and related Sandworm activity patterns.
7. Collaborate with national cybersecurity authorities and CERTs to share intelligence and receive timely alerts on related campaigns.
8. Increase user awareness training emphasizing the risks of phishing and the importance of verifying unexpected security alerts purportedly from vendors.
9. Maintain up-to-date backups and incident response plans tailored to ransomware and backdoor intrusions to minimize operational disruption.
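An added hunting sketch covering recommendations 2 and 4 (example code written for this page, not from the article, the aggregator, or ESET): it refangs the three look-alike domains named above and sweeps constructed DNS records and host listener snapshots for lookups of those domains (including subdomains) and for RDP (3389) or SSH (22) listeners absent from a baseline. The log format, host names, and baseline snapshots are assumptions.

```python
import re

# Domains exactly as the analysis lists them (defanged with [.]).
IOC_DOMAINS = ["esetsmart[.]com", "esetscanner[.]com", "esetremover[.]com"]
# Remote-access services the backdoor is reported to expose.
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH"}

def refang(domain: str) -> str:
    """Turn a defanged indicator like esetsmart[.]com into a matchable name."""
    return domain.replace("[.]", ".").lower().rstrip(".")

def domain_matches(query: str, ioc: str) -> bool:
    """True when the queried name is the IoC itself or any subdomain of it
    (so 'notesetsmart.com' does not match 'esetsmart.com')."""
    q = query.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)

def hunt_dns(lines):
    """Return (host, queried name, matched IoC) for each record hitting an IoC.
    Assumed record format: '<timestamp> <host> query <name>'."""
    iocs = [refang(d) for d in IOC_DOMAINS]
    hits = []
    for line in lines:
        m = re.match(r"\S+ (\S+) query (\S+)$", line)
        if not m:
            continue  # skip lines that are not in the assumed format
        host, name = m.groups()
        hits.extend((host, name, ioc) for ioc in iocs if domain_matches(name, ioc))
    return hits

def hunt_new_listeners(baseline, current):
    """Return (host, port, service) for RDP/SSH ports listening now that were
    absent from the same host's baseline. Snapshots: host -> set of TCP ports."""
    findings = []
    for host, ports in current.items():
        new_ports = ports - baseline.get(host, set())
        for port in sorted(new_ports & set(REMOTE_ACCESS_PORTS)):
            findings.append((host, port, REMOTE_ACCESS_PORTS[port]))
    return findings

# Constructed sample telemetry (not real data).
DNS_LOG = [
    "2025-11-06T10:01:02Z ws-17 query www.eset.com",
    "2025-11-06T10:03:44Z ws-17 query download.esetsmart.com",
    "2025-11-06T10:05:10Z ws-22 query esetremover.com.",
    "2025-11-06T10:06:00Z ws-22 query notesetsmart.com",
]
BASELINE = {"ws-17": {135, 445}, "ws-22": {135, 445}}
CURRENT_SNAPSHOT = {"ws-17": {135, 445, 3389, 22}, "ws-22": {135, 445}}
```

Running `hunt_dns(DNS_LOG)` and `hunt_new_listeners(BASELINE, CURRENT_SNAPSHOT)` on the constructed data flags the two look-alike lookups and the new RDP and SSH listeners on ws-17 while ignoring the legitimate eset.com query.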


Technical Details

Article Source: https://thehackernews.com/2025/11/trojanized-eset-installers-drop.html (fetched 2025-11-08T02:51:38.770Z, 1199 words)

Threat ID: 690eb03c3a8fd010ecf20032

Added to database: 11/8/2025, 2:51:40 AM

Last enriched: 11/8/2025, 2:53:23 AM

Last updated: 11/8/2025, 11:07:07 AM