Trojanized ESET AV Remover Installers Spread Kalambur Backdoor in Targeted Phishing Attacks on Ukrainian Systems

  • Rescana
  • Nov 9
  • 5 min read
Executive Summary

A sophisticated cyber-espionage campaign has been identified targeting Ukrainian organizations through the use of trojanized ESET installers, which surreptitiously deploy the Kalambur backdoor. This operation, attributed to a Russia-aligned threat cluster known as InedibleOchotense, leverages highly convincing phishing lures that impersonate the reputable Slovak cybersecurity vendor ESET. The attackers utilize a combination of spear-phishing emails and instant messaging platforms to distribute malicious links, leading victims to download compromised security tools. The campaign demonstrates advanced tradecraft, including the use of legitimate software as a decoy, multi-stage payload delivery, and the employment of anonymizing networks for command-and-control. The observed activity is consistent with the tactics, techniques, and procedures (TTPs) of the notorious Sandworm (APT44) group and its sub-clusters, which have a well-documented history of targeting Ukrainian critical infrastructure. This report provides a comprehensive technical analysis of the attack chain, threat actor profile, exploitation in the wild, victimology, and actionable mitigation strategies.

Threat Actor Profile

The campaign is attributed to InedibleOchotense, a Russia-aligned advanced persistent threat (APT) cluster with significant overlaps to Sandworm (APT44) and its sub-clusters, including UAC-0212 and UAC-0125. Sandworm is a highly resourced and persistent threat group, historically linked to destructive operations such as the NotPetya wiper, BlackEnergy, and Industroyer attacks. The group is known for its focus on Ukrainian government, energy, and critical infrastructure sectors, often employing custom malware, supply chain attacks, and sophisticated social engineering. InedibleOchotense demonstrates operational security awareness, leveraging anonymized infrastructure, multi-stage payloads, and the abuse of trusted brands to maximize the success of their campaigns. The group’s tactics include the use of phishing lures in the local language, rapid infrastructure turnover, and the deployment of modular backdoors capable of persistent access and lateral movement.

Technical Analysis of Malware/TTPs

The attack chain begins with highly targeted spear-phishing emails and Signal messages, crafted in Ukrainian and occasionally containing Russian linguistic artifacts. These messages purport to originate from ESET’s monitoring team, warning recipients of suspicious activity on their systems and urging them to download a security tool for remediation. The provided links direct victims to domains such as esetsmart[.]com, esetscanner[.]com, and esetremover[.]com, which are designed to mimic legitimate ESET resources.

Upon execution, the trojanized installer delivers the authentic ESET AV Remover utility to avoid arousing suspicion. Concurrently, it deploys the Kalambur (also known as SUMBUR) backdoor, a C#-based implant with advanced capabilities. Kalambur establishes persistence on the host, leverages the Tor network for encrypted command-and-control (C2) communications, and drops OpenSSH binaries to facilitate remote access. The malware also enables Remote Desktop Protocol (RDP) on port 3389, providing the attackers with multiple avenues for interactive access and lateral movement within the compromised environment.

The backdoor’s modular architecture allows for dynamic tasking, including file exfiltration, credential harvesting, and the deployment of additional payloads. The use of Tor for C2 communications significantly complicates detection and attribution, as traffic is anonymized and obfuscated. The attackers further employ living-off-the-land techniques, utilizing legitimate system tools and binaries to evade endpoint detection and response (EDR) solutions.

The campaign’s infrastructure exhibits rapid turnover, with malicious domains registered and abandoned in quick succession to avoid blacklisting. The phishing lures are tailored to the Ukrainian context, increasing the likelihood of successful compromise among targeted organizations.

Exploitation in the Wild

The campaign has been observed in active exploitation against Ukrainian government agencies, energy providers, logistics companies, and organizations within the grain sector. Victims receive phishing emails and Signal messages containing links to the malicious domains. Upon execution of the trojanized installer, the Kalambur backdoor is deployed, granting the attackers persistent access to the victim’s network.

Post-compromise activity includes the establishment of remote access via RDP and SSH, lateral movement to additional hosts, and the exfiltration of sensitive data. The attackers demonstrate a high degree of operational discipline, often cleaning up artifacts and disabling security controls to maintain stealth. The use of legitimate security software as a decoy increases the likelihood of successful infection, particularly in environments where users are under stress or facing heightened threat levels.

The campaign is part of a broader escalation of Russian cyber operations against Ukraine, which includes destructive wiper attacks (such as ZEROLOT and Sting) and the exploitation of vulnerabilities in widely used software (e.g., WinRAR CVE-2025-8088 by the RomCom group). The targeting of critical infrastructure sectors underscores the strategic intent of the threat actors and the potential for significant operational disruption.

Victimology and Targeting

The primary targets of this campaign are Ukrainian government entities, energy sector organizations, logistics providers, and companies involved in the grain trade. The attackers exhibit a nuanced understanding of the Ukrainian threat landscape, crafting lures in the local language and timing attacks to coincide with periods of heightened geopolitical tension. While the current wave of attacks is focused on Ukraine, the use of ESET branding and the modular nature of the malware suggest the potential for expansion to other European Union member states and sectors of strategic interest to Russian intelligence.

The victimology aligns with the historical targeting patterns of Sandworm (APT44) and its sub-clusters, which have consistently prioritized organizations with critical national importance. The use of instant messaging platforms such as Signal for initial contact indicates an evolution in social engineering tactics, likely aimed at bypassing traditional email security controls.

Mitigation and Countermeasures

Organizations are strongly advised to implement a multi-layered defense strategy to mitigate the risk posed by this campaign. All access to the malicious domains esetsmart[.]com, esetscanner[.]com, and esetremover[.]com should be blocked at the network perimeter. Security teams should monitor for outbound connections to the Tor network and investigate any unexpected RDP (port 3389) or SSH activity, particularly on endpoints that do not typically require such services.

It is critical to validate the authenticity of all software installers, especially those received via unsolicited emails or instant messages. Endpoints should be configured to log and alert on the execution of unknown C# binaries and the installation of OpenSSH on Windows systems. User awareness training should emphasize the risks associated with downloading software from unofficial sources and the importance of verifying the legitimacy of security alerts.

Incident response teams should review endpoint and network logs for indicators of compromise associated with the Kalambur backdoor, including anomalous process creation, persistence mechanisms, and encrypted outbound traffic. Organizations are encouraged to leverage threat intelligence feeds to stay informed of emerging indicators and to participate in information-sharing initiatives with trusted partners.

References

The following sources provide additional technical details and context for this campaign:

The Hacker News: Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine (https://thehackernews.com/2025/11/trojanized-eset-installers-drop.html)

ESET APT Activity Report Q2 2025–Q3 2025 (https://www.eset.com/us/about/newsroom/research/eset-research-apt-report-april-september-2025/)

CERT-UA UAC-0212 and UAC-0125 advisories (https://cert.gov.ua/)

EclecticIQ: BACKORDER Campaign Analysis (https://www.eclecticiq.com/)

MITRE ATT&CK: Sandworm Team (G0034) (https://attack.mitre.org/groups/G0034/)

Security Affairs: Russia-linked APT InedibleOchotense impersonates ESET (https://securityaffairs.com/184303/apt/russia-linked-apt-inedibleochotense-impersonates-eset-to-deploy-backdoor-on-ukrainian-systems.html)

About Rescana

Rescana is a leading provider of third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber risks across their extended supply chain. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to deliver actionable insights and enhance organizational resilience. We are committed to supporting our customers in navigating the evolving threat landscape with confidence and agility.

For further information or to discuss this advisory in detail, please contact us at ops@rescana.com.