Phishing Attacks on Ukraine: Trojanized ESET Installers Deploy Kalambur Backdoor

Recent phishing attacks against Ukrainian entities have been attributed to a previously undocumented threat group tracked as InedibleOchotense. The campaign, which began in May 2025, impersonates the Slovak cybersecurity firm ESET to lure its targets.
InedibleOchotense Campaign Overview
ESET assesses InedibleOchotense to be a Russia-aligned threat actor. The group sends spear-phishing emails and Signal messages containing links to trojanized ESET installers. The campaign is documented in ESET's APT Activity Report covering Q2 2025 to Q3 2025.
Phishing Tactics
- The emails were written in Ukrainian but contained a Russian word, which suggests the text was translated rather than authored by a native speaker.
- The messages falsely claimed that suspicious activity had been detected on the recipient's computer and urged them to download a compromised ESET installer to resolve it.
The trojanized installers are hosted on lookalike domains that borrow ESET's name, such as esetsmart[.]com, esetscanner[.]com, and esetremover[.]com. When run, the installer deploys a legitimate ESET product, so the victim sees the expected software, and alongside it drops a C# backdoor called Kalambur, also tracked as SUMBUR.
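One practical defensive check the lure domains suggest is a log review for ESET-themed lookalike hosts. The script below is an added example, not part of the ESET report or this article: it takes the three domains named above as a known-lure list, and applies a broader heuristic to catch further brand-squatting registrations. The allowlist (only eset.com is treated as genuine), the log format, and the log lines themselves are constructed assumptions for the example.

```python
"""Flag ESET-themed lookalike domains in DNS or proxy logs.

Added example, not from ESET's report. The three lure domains come from
the article; the allowlist, log format and log lines are constructed.
"""
from typing import List, Optional, Tuple

# Domains named in the article (defanging brackets removed).
KNOWN_LURE_DOMAINS = {"esetsmart.com", "esetscanner.com", "esetremover.com"}

# Assumption for this example: only this registrable domain is genuine ESET.
ESET_ALLOWLIST = {"eset.com"}

# Constructed sample log: "<timestamp> <client-ip> <queried-fqdn>"
SAMPLE_LOG = """\
2025-06-02T09:14:03Z 10.0.5.21 update.eset.com
2025-06-02T09:14:09Z 10.0.5.21 esetsmart.com
2025-06-02T09:15:11Z 10.0.7.4 cdn.esetscanner.com
2025-06-02T09:16:40Z 10.0.7.4 www.eset.com
2025-06-02T09:17:02Z 10.0.9.8 reset.example.org
2025-06-02T09:18:55Z 10.0.9.8 eset-support.net
"""


def registrable_domain(fqdn: str) -> str:
    """Return the last two labels of a host name.

    Assumption: no multi-label public suffixes (co.uk, com.ua, ...) occur
    in the logs; a production version would consult the Public Suffix List.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(fqdn: str) -> Optional[str]:
    """Verdict for one host name: 'known-lure', 'lookalike', or None."""
    reg = registrable_domain(fqdn)
    if reg in ESET_ALLOWLIST:
        return None
    if reg in KNOWN_LURE_DOMAINS:
        return "known-lure"
    # Heuristic: the brand token at the start of the second-level label
    # catches esetfoo.com and eset-foo.net, while a word that merely
    # contains "eset" (such as "reset") is left alone.
    sld = reg.split(".")[0]
    if sld.startswith("eset"):
        return "lookalike"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, fqdn, verdict) for every suspicious line."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, fqdn = parts
        verdict = classify(fqdn)
        if verdict:
            findings.append((client, fqdn, verdict))
    return findings


if __name__ == "__main__":
    for client, fqdn, verdict in scan_log(SAMPLE_LOG):
        print(f"{client}\t{fqdn}\t{verdict}")
```

The two-tier verdict matters operationally: a hit on the known-lure list is a confirmed indicator and can be blocked outright, whereas a "lookalike" hit is a heuristic that needs an analyst's look before it is acted on.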
Kalambur Backdoor Features
- Uses the Tor network for command-and-control, which hides the operators' infrastructure behind onion routing.
- Can install OpenSSH on the host as an additional remote-access channel.
- Enables Remote Desktop Protocol (RDP) access on TCP port 3389.
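Each of those three behaviours is individually common on a normal network (an administrator enabling RDP, a user running Tor Browser), so a useful detection correlates them per host rather than alerting on any one. The script below is an added example built from the article's description, not ESET's detection logic or anything derived from the Kalambur sample itself. The event records are constructed JSON lines shaped like Windows Security events 4688 (process creation) and 4657 (registry value modified); the field names, the two-indicator threshold and the sample hosts are assumptions for the example.

```python
"""Correlate per-host indicators matching the post-compromise behaviours the
article attributes to Kalambur: Tor for C2, OpenSSH deployment, RDP enabled.

Added example, not from ESET's report or the malware. Records are
constructed JSON lines; field names and thresholds are assumptions.
"""
import json
import re
from collections import defaultdict
from typing import Dict, Set

# Constructed sample telemetry, one JSON object per line.
SAMPLE_EVENTS = "\n".join([
    # WS-17: the full chain on one host
    r'{"host":"WS-17","EventID":4688,"NewProcessName":"C:\\Program Files\\ESET\\ESET Security\\ekrn.exe","CommandLine":""}',
    r'{"host":"WS-17","EventID":4688,"NewProcessName":"C:\\Users\\Public\\tor\\tor.exe","CommandLine":"tor.exe -f torrc"}',
    r'{"host":"WS-17","EventID":4688,"NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"}',
    r'{"host":"WS-17","EventID":4657,"ObjectName":"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server","ObjectValueName":"fDenyTSConnections","NewValue":"0"}',
    # WS-22: an administrator enabling RDP, nothing else
    r'{"host":"WS-22","EventID":4657,"ObjectName":"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server","ObjectValueName":"fDenyTSConnections","NewValue":"0"}',
    # WS-31: a Tor Browser user, nothing else
    r'{"host":"WS-31","EventID":4688,"NewProcessName":"C:\\Users\\a\\Desktop\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe","CommandLine":""}',
])

# tor.exe as the final path component, any directory
TOR_RE = re.compile(r"(^|\\)tor\.exe$", re.IGNORECASE)
# OpenSSH server capability install, or the sshd binary itself
OPENSSH_RE = re.compile(r"OpenSSH\.Server|(^|\\)sshd\.exe$", re.IGNORECASE)
# Registry key whose fDenyTSConnections=0 turns RDP on
RDP_KEY_SUFFIX = r"\Terminal Server"


def indicators_for_event(ev: dict) -> Set[str]:
    """Map one event record to the set of indicator labels it satisfies."""
    found: Set[str] = set()
    if ev.get("EventID") == 4688:
        proc = ev.get("NewProcessName", "")
        cmd = ev.get("CommandLine", "")
        if TOR_RE.search(proc):
            found.add("tor")
        if OPENSSH_RE.search(proc) or OPENSSH_RE.search(cmd):
            found.add("openssh")
    elif ev.get("EventID") == 4657:
        if (ev.get("ObjectName", "").endswith(RDP_KEY_SUFFIX)
                and ev.get("ObjectValueName") == "fDenyTSConnections"
                and str(ev.get("NewValue")) == "0"):
            found.add("rdp")
    return found


def per_host_indicators(jsonl: str) -> Dict[str, Set[str]]:
    """Union of indicator labels seen on each host."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hosts[ev["host"]] |= indicators_for_event(ev)
    return dict(hosts)


def correlate(jsonl: str, threshold: int = 2) -> Dict[str, Set[str]]:
    """Hosts where at least `threshold` distinct indicator categories appear.

    Assumption: two of the three behaviours on one host is rare enough in
    normal operations to be worth an analyst's time; tune per environment.
    """
    return {h: inds for h, inds in per_host_indicators(jsonl).items()
            if len(inds) >= threshold}


if __name__ == "__main__":
    for host, inds in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(sorted(inds))}")
```

The threshold is the point of the example: WS-22 (RDP only) and WS-31 (Tor only) stay quiet, and only WS-17, where Tor, OpenSSH and RDP appear together, is surfaced. In a real deployment the correlation would also be bounded by a time window, which the sample omits for brevity.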
The lure trades on ESET's strong brand recognition in Ukraine: a security vendor's own installer is exactly the kind of file users are predisposed to trust and run.
Relation to Other Threat Campaigns
InedibleOchotense shows tactical overlaps with other documented operations associated with the Sandworm hacking group. CERT-UA previously attributed a nearly identical phishing campaign to UAC-0125, which it tracks as a Sandworm subgroup.
Matthieu Faou, a senior malware researcher at ESET, cautioned that while InedibleOchotense overlaps with Sandworm-related campaigns, a definitive link has not been established.
Ongoing Threats in Ukraine
Alongside the InedibleOchotense campaign, Sandworm continues to escalate its destructive operations in Ukraine. ESET reported two notable wiper deployments, ZEROLOT and Sting, against a university and against organizations in key sectors including government and energy.
Other Notable Threat Actors
Another group, RomCom, was also active during the same period. RomCom exploited a WinRAR vulnerability (CVE-2025-8088) in phishing campaigns against companies in Europe and Canada, with targeting shaped by the geopolitics of the war in Ukraine.
RomCom's operations have shifted from purely financial motives toward objectives aligned with nation-state interests, using a range of backdoors to achieve them.
As these campaigns show, awareness of brand-impersonation phishing and the backdoors it delivers remains vital, especially for organizations in Ukraine and other high-risk regions.