Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine - The Hacker News

Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine Ravie LakshmananNov 06, 2025Malware / Vulnerability A previously unknown threat activity cluster has been observed impersonating Slovak cybersecurity company ESET as part of phishing attacks targeting Ukrainian entities. The campaign, detected in May 2025, is tracked by the security outfit under the moniker InedibleOchotense, describing it as Russia-aligned. "InedibleOchotense sent spear-phishing emails and Signal text messages, containing a link to a trojanized ESET installer, to multiple Ukrainian entities," ESET said in its APT Activity Report Q2 2025–Q3 2025 shared with The Hacker News. InedibleOchotense is assessed to share tactical overlaps with a campaign documented by EclecticIQ that involved the deployment of a backdoor called BACKORDER and by CERT-UA as UAC-0212, which it describes as a sub-cluster within the Sandworm (aka APT44) hacking group. While the email message is written in Ukrainian, ESET said the first line uses a Russian word, likely indicating a typo or a translation error. The email, which purports to be from ESET, claims its monitoring team detected a suspicious process associated with their email address and that their computers might be at risk. The activity is an attempt to capitalize on the widespread use of ESET software in the country and its brand reputation to trick recipients into installing malicious installers hosted on domains such as esetsmart[.]com, esetscanner[.]com, and esetremover[.]com. The installer is designed to deliver the legitimate ESET AV Remover, alongside a variant of a C# backdoor dubbed Kalambur (aka SUMBUR), which uses the Tor anonymity network for command-and-control. It's also capable of dropping OpenSSH and enabling remote access via the Remote Desktop Protocol (RDP) on port 3389. It's worth noting that CERT-UA, in a report published last month, attributed a nearly identical campaign to UAC-0125, another sub-cluster within Sandworm. "InedibleOchotense is a Russia-aligned threat actor that is weakly related to Sandworm, and that overlaps with Sandworm's BACKORDER-related campaign and UAC-0212," Matthieu Faou, senior malware researcher at ESET, told The Hacker News. "While there are some similarities with what was reported by CERT-UA as UAC-0125, we cannot independently confirm the link." Sandworm Wiper Attacks in Ukraine Sandworm, per ESET, has continued to mount destructive campaigns in Ukraine, launching two wiper malware tracked as ZEROLOT and Sting aimed at an unnamed university in April 2025, followed by the deployment of multiple data-wiping malware variants targeting government, energy, logistics, and grain sectors. "During this period, we observed and confirmed that the UAC-0099 group conducted initial access operations and subsequently transferred validated targets to Sandworm for follow-up activity," the company said. "These destructive attacks by Sandworm are a reminder that wipers very much remain a frequent tool of Russia-aligned threat actors in Ukraine." RomCom Exploits WinRAR 0-Day in Attacks Another Russia-aligned threat actor of note that has been active during the time period is RomCom (aka Storm-0978, Tropical Scorpius, UNC2596, or Void Rabisu), which launched spear-phishing campaigns in mid-July 2025 that weaponized a WinRAR vulnerability (CVE-2025-8088, CVSS score: 8.8) as part of attacks targeting financial, manufacturing, defense, and logistics companies in Europe and Canada. "Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot [aka SingleCamper or RomCom RAT 5.0] variant, RustyClaw, and a Mythic agent," ESET said. In a detailed profile of RomCom in late September 2025, AttackIQ characterized the hacking group as closely keeping an eye out for geopolitical developments surrounding the war in Ukraine, and leveraging them to carry out credential harvesting and data exfiltration activities likely in support of Russian objectives. "RomCom was initially developed as an e-crime commodity malware, engineered to facilitate the deployment and persistence of malicious payloads, enabling its integration into prominent and extortion-focused ransomware operations," security researcher Francis Guibernau said. "RomCom transitioned from a purely profit-driven commodity to become a utility leveraged in nation-state operations." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cybersecurity, ESET, Malware, Phishing, RomCom, Sandworm, Ukraine, Vulnerability, winrar Trending News ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Load More ▼ Popular Resources 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Identity Controls Checklist: Find Missing Protections in Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps