Full Report
A previously unknown threat activity cluster has been observed impersonating Slovak cybersecurity company ESET as part of phishing attacks targeting Ukrainian entities. The campaign, detected in May 2025, is tracked by the security outfit under the moniker InedibleOchotense, describing it as Russia-aligned. "InedibleOchotense sent spear-phishing emails and Signal text messages, containing a link
Analysis Summary
# Threat Actor: InedibleOchotense
## Attribution & Identity
* **Identification:** Previously unknown threat activity cluster tracked by ESET.
* **Attribution:** Russia-aligned.
* **Known Aliases/Associations:** Assessed to share tactical overlaps with campaigns documented by EclecticIQ involving the **BACKORDER** backdoor, and by CERT-UA as **UAC-0212**. UAC-0212 is described as a sub-cluster within the **Sandworm (aka APT44)** hacking group. CERT-UA has attributed a nearly identical campaign to **UAC-0125**, another Sandworm sub-cluster.
## Activity Summary
* **Recent Campaigns:** Detected in May 2025, conducting spear-phishing attacks targeting Ukrainian entities.
* **Operation Description:** Impersonated the Slovak cybersecurity company ESET to distribute trojanized ESET installers. Emails, written primarily in Ukrainian (but containing a Russian word), claimed ESET monitoring detected suspicious activity on the recipient's computer.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear-phishing via email and Signal text messages.
* **Delivery:** Hosted trojanized ESET installers on lookalike domains that reuse the vendor's brand, such as `esetsmart[.]com`, `esetscanner[.]com`, and `esetremover[.]com`, linked from the spear-phishing emails and Signal messages.
* **Masquerading:** Impersonating ESET and delivering legitimate ESET AV Remover alongside a malicious payload.
* **Payload Delivery:** Dropped a C# backdoor dubbed **Kalambur (aka SUMBUR)**.
* **Command and Control (C2):** Utilizes the Tor anonymity network for C2 communication.
* **Persistence/Remote Access:** Kalambur can drop OpenSSH and enable Remote Desktop Protocol (RDP) access on TCP port 3389, giving the operators interactive remote-access paths that are independent of the backdoor's own Tor channel.
## Targeting
* **Sectors:** Not explicitly detailed beyond "Ukrainian entities." The lure does not require recipients to be ESET customers; a fake "suspicious activity detected" alert from a well-known regional vendor is plausible to most recipients, so ESET usage cannot be inferred from the targeting.
* **Geography:** Ukraine.
* **Victims:** Multiple Ukrainian entities were targeted.
## Tools & Infrastructure
* **Malware Families Used:**
* Kalambur (aka SUMBUR) C# backdoor.
* OpenSSH (legitimate software dropped by Kalambur as an additional remote-access channel; this is separate from, not the means of, the RDP enablement).
* **Infrastructure (C2, domains, IPs):**
* Malicious hosting domains (defanged): `esetsmart[.]com`, `esetscanner[.]com`, `esetremover[.]com`.
* C2 mechanism: Tor anonymity network.
## Implications
The threat actor leverages the established trust and brand reputation of a major cybersecurity vendor (ESET) in the targeted region (Ukraine) for initial compromise. The deployment of Kalambur, combined with OpenSSH and RDP enablement, suggests objectives aligned with long-term espionage, persistent access, or potential data exfiltration/destructive operations, consistent with associated Russia-aligned groups like Sandworm.
## Mitigations
* Heightened scrutiny of unsolicited communication, especially urgent security alerts from familiar vendors.
* Verify the legitimacy of software installers, even if received via trusted channels, by downloading directly from vendor websites rather than embedded links.
* Monitor for unauthorized installation of an OpenSSH server (a new `sshd` service or `sshd.exe` appearing on hosts that are not approved SSH endpoints) and for RDP being switched on: the `fDenyTSConnections` value under `HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server` changing to 0, new listeners on TCP 3389, or firewall rules added to permit it.
* Monitor network traffic for connections utilizing the Tor network originating from internal hosts.
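The mitigations above can be turned into a small triage pass over host telemetry. The following is an added example, not code from ESET, CERT-UA or the report: it scans a list of constructed host events and flags the four behaviours the page describes (lookalike ESET domains, RDP being enabled through the registry, an OpenSSH server appearing, and outbound connections that look like Tor). The event schema is a hypothetical simplification rather than Sysmon's or any SIEM's real field names, the list of genuine ESET domains is an assumption to be extended for your region, and the Tor ports are the well-known defaults used only as a heuristic, since the page does not state which ports Kalambur uses.

```python
"""Host-event triage for the InedibleOchotense TTPs summarised above.

Added example, not code from ESET, CERT-UA or the report. The Event
schema is a hypothetical simplification of endpoint telemetry.
"""
from dataclasses import dataclass

# Assumption: domains treated as the genuine vendor. Extend for your region.
LEGIT_ESET_DOMAINS = ("eset.com", "eset.sk")
# Tor defaults (ORPort 9001, DirPort 9030, SOCKS 9050). Heuristic only:
# relays may also listen on 443, and the report does not name the ports used.
TOR_PORTS = {9001, 9030, 9050}
# A value of 0 in this DWORD means "allow Remote Desktop connections".
RDP_DENY_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"


@dataclass
class Event:
    kind: str            # "dns" | "registry" | "service" | "netconn"
    host: str = ""       # dns: queried name
    key: str = ""        # registry: full value path
    data: str = ""       # registry: new value
    image: str = ""      # service/netconn: binary path
    dst_port: int = 0    # netconn: destination port


def is_lookalike_eset_domain(name: str) -> bool:
    """True for names that carry the vendor's brand but are not its domains."""
    n = name.lower().rstrip(".")
    if any(n == d or n.endswith("." + d) for d in LEGIT_ESET_DOMAINS):
        return False
    return "eset" in n


def triage(events):
    """Return (rule, detail) findings for events matching the page's TTPs."""
    findings = []
    for ev in events:
        if ev.kind == "dns" and is_lookalike_eset_domain(ev.host):
            findings.append(("lookalike-eset-domain", ev.host))
        elif (ev.kind == "registry"
              and ev.key.lower() == RDP_DENY_VALUE.lower()
              and ev.data.strip() == "0"):
            findings.append(("rdp-enabled", ev.key))
        elif ev.kind == "service" and ev.image.lower().endswith("sshd.exe"):
            findings.append(("openssh-server-installed", ev.image))
        elif ev.kind == "netconn" and (
                ev.dst_port in TOR_PORTS or ev.image.lower().endswith(r"\tor.exe")):
            findings.append(("possible-tor-c2", f"{ev.image} -> :{ev.dst_port}"))
    return findings


# Constructed sample telemetry, not real victim data.
SAMPLE_EVENTS = [
    Event("dns", host="esetsmart.com"),
    Event("dns", host="update.eset.com"),
    Event("registry", key=RDP_DENY_VALUE, data="0"),
    Event("service", image=r"C:\ProgramData\ssh\sshd.exe"),
    Event("netconn", image=r"C:\Users\Public\svc.exe", dst_port=9001),
    Event("netconn", image=r"C:\Program Files\ESET\ESET Security\ekrn.exe", dst_port=443),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Two caveats when running something like this for real: Windows ships an optional OpenSSH Server feature, so `sshd.exe` appearing is only suspicious on hosts outside your approved SSH inventory, and Tor guard relays commonly listen on 443, so the port heuristic should be paired with a relay-list feed or proxy-log inspection rather than used alone.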