A new threat cluster impersonating the Slovak cybersecurity firm ESET has been observed in phishing attempts against Ukrainian organizations. First detected in May 2025, the campaign is tracked by ESET under the name InedibleOchotense and is assessed to be aligned with Russian interests. The attackers sent spear-phishing emails and Signal messages containing links to trojanized ESET installers to targets across Ukraine. The messages were written mostly in Ukrainian but contained a Russian word in the first line, suggesting either a translation slip or carelessness in crafting the lure.
The phishing emails claim that ESET's monitoring team detected a suspicious process associated with the recipient's email address and warn that the system may be compromised. The lure trades on ESET's strong reputation and wide deployment in Ukraine to get victims to download an installer from lookalike domains such as esetsmart[.]com and esetremover[.]com. The trojanized installer bundles the genuine ESET AV Remover tool, so the victim sees the expected utility run, but it also drops a backdoor dubbed Kalambur (also known as SUMBUR). Kalambur routes its command-and-control traffic over the Tor network, can deploy OpenSSH, and enables Remote Desktop access on TCP port 3389, giving the operators interactive remote control of the infected machine. Because the installer carries a legitimate vendor component, detection should not rest on the dropper alone; the post-infection behaviour (Tor traffic, an unexpected sshd, RDP turned on where policy forbids it) is the more reliable signal.
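The following is an added hunting example, not code from the original article or from ESET: it runs a few detection rules over constructed endpoint telemetry for the behaviours described above (lookalike ESET domains, the Kalambur-style combination of Tor activity, an installed OpenSSH server, and RDP enabled through the fDenyTSConnections registry value). The key=value log format, the host names, the hypothetical file paths, the IP addresses (TEST-NET ranges), the single trusted domain eset.com, and the list of default Tor ports are all assumptions made for the example.

```python
"""Hunt for InedibleOchotense/Kalambur-style post-infection behaviour in simple telemetry.

Added example; the log lines below are constructed, not real incident data.
"""
import re
from collections import defaultdict

# Assumption: only eset.com and its subdomains are trusted. The real product uses more
# domains, so extend this from the vendor's documentation before deploying the rule.
TRUSTED_ESET_DOMAINS = ("eset.com",)
# Assumption: default Tor OR/directory/SOCKS ports. A bridge-using sample can use any port,
# so this rule is a weak signal on its own.
TOR_PORTS = {9001, 9030, 9050, 9150}

# Constructed sample telemetry in a simplified "key=value key=value" form.
SAMPLE_LOGS = [
    "type=dns host=ws01 query=esetsmart.com",
    "type=dns host=ws01 query=download.eset.com",
    "type=process host=ws01 image=C:\\Users\\u\\Downloads\\eset_av_remover.exe parent=explorer.exe",
    "type=process host=ws01 image=C:\\ProgramData\\svc\\tor.exe parent=svchost.exe",
    "type=registry host=ws01 key=HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server value=fDenyTSConnections data=0",
    "type=service host=ws01 name=sshd path=C:\\Windows\\System32\\OpenSSH\\sshd.exe",
    "type=netconn host=ws01 image=C:\\ProgramData\\svc\\tor.exe dst=203.0.113.5 dport=9001",
    "type=netconn host=ws02 image=C:\\Windows\\System32\\svchost.exe dst=203.0.113.9 dport=443",
]

# Lazy value match that stops at the next " key=" token, so values may contain spaces
# (e.g. the "Terminal Server" registry key).
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_line(line):
    """Parse one key=value telemetry line into a dict."""
    return dict(KV_RE.findall(line))


def is_eset_lookalike(host):
    """True for hosts that contain 'eset' but are not under a trusted ESET domain."""
    h = host.lower().rstrip(".")
    if any(h == d or h.endswith("." + d) for d in TRUSTED_ESET_DOMAINS):
        return False
    return "eset" in h


def classify(rec):
    """Return the first matching rule name for a parsed record, or None."""
    t = rec.get("type")
    image = rec.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if t == "dns" and is_eset_lookalike(rec.get("query", "")):
        return "eset_lookalike_domain"
    # fDenyTSConnections=0 under the Terminal Server key turns Remote Desktop on.
    if t == "registry" and rec.get("value", "").lower() == "fdenytsconnections" and rec.get("data") == "0":
        return "rdp_enabled_via_registry"
    if t == "service" and (rec.get("name", "").lower() == "sshd" or rec.get("path", "").lower().endswith("sshd.exe")):
        return "openssh_server_installed"
    if t in ("process", "netconn") and image == "tor.exe":
        return "tor_binary_activity"
    if t == "netconn" and rec.get("dport", "").isdigit() and int(rec["dport"]) in TOR_PORTS:
        return "tor_port_connection"
    return None


def hunt(lines):
    """Return (rule, host, line) for every line that trips a rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        rule = classify(rec)
        if rule:
            findings.append((rule, rec.get("host", "?"), line))
    return findings


def hosts_with_cluster(findings, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired.

    Any single rule can fire for benign reasons (admins do enable sshd or RDP); the
    combination of several on one host is what matches the Kalambur tradecraft.
    """
    per_host = defaultdict(set)
    for rule, host, _ in findings:
        per_host[host].add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for rule, host, line in found:
        print(f"{host}: {rule}  <- {line}")
    print("hosts to escalate:", hosts_with_cluster(found))
```

The escalation step is the important design choice: an installed OpenSSH server or an RDP registry flip is routine on some fleets, so the rules are scored per host rather than alerted individually, and only the cluster (lookalike domain plus Tor plus sshd plus RDP on the same workstation) is raised.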
Further analysis links this activity to previously documented campaigns, including those involving the BACKORDER backdoor and the clusters CERT-UA tracks as UAC-0212 and UAC-0125, both associated with the Sandworm (APT44) group. Sandworm continues to conduct destructive attacks in Ukraine, such as the deployment of the ZEROLOT and Sting wipers against an unnamed university in April 2025, and its targeting spans the government, energy, logistics, and grain sectors. ESET also notes that UAC-0099 provided initial access for Sandworm, underscoring the layered division of labour among these actors.
Separately, another Russia-linked group, RomCom (also tracked as Storm-0978, Tropical Scorpius, and UNC2596), ran spear-phishing campaigns in mid-July 2025 that exploited a then-zero-day WinRAR vulnerability, CVE-2025-8088 (rated high severity and fixed in WinRAR 7.13), against financial, manufacturing, defense, and logistics firms in Europe and Canada. Successful exploitation delivered backdoors and remote access tools attributed to RomCom, including SnipBot, RustyClaw, and a Mythic agent. Analysts note that RomCom began as commodity cybercrime malware and has since been repurposed for Russian state-aligned operations focused on data theft and credential harvesting tied to the Ukraine conflict. Since WinRAR does not update itself, affected users have to install the fixed version manually.
Together, these campaigns show the continuing cyber dimension of the war in Ukraine: brand impersonation, zero-day exploitation, and multi-stage malware delivery are used to get into critical systems. Defence is complicated by the mix of legitimate tools (a genuine AV Remover, OpenSSH, RDP) with malicious components and by the abuse of trusted vendor brands like ESET. The practical mitigations follow from that: obtain security software only from the vendor's own domains, verify installer signatures before running them, treat unsolicited "your system is compromised" messages, including those arriving over Signal, as phishing, patch WinRAR promptly, and alert on Tor traffic, unexpected OpenSSH services, and RDP being enabled outside change control.