- A Russia-aligned threat group called InedibleOchotense has launched phishing attacks impersonating Cybersecurity firm ESET targeting Ukrainian organizations since May 2025.
- The attacks use spear-phishing emails and messages with links to a trojanized ESET installer designed to install a C# backdoor named Kalambur, which employs the Tor network for command-and-control.
- The threat is linked to the Sandworm Hacking group, known for destructive wiper Malware attacks in Ukraine across various sectors including government and energy.
- The RomCom group exploited a critical WinRAR vulnerability in July 2025 in spear-phishing campaigns targeting European and Canadian companies, deploying multiple backdoors.
Since May 2025, a previously unknown Russia-aligned cyber threat cluster named InedibleOchotense has conducted spear-phishing attacks targeting Ukrainian organizations. The group impersonated ESET, a Slovak cybersecurity firm, by sending emails and Signal text messages with links to malicious installers mimicking ESET software, as stated in ESET’s APT Activity Report Q2 2025–Q3 2025.
These fake installers delivered the authentic ESET AV Remover tool alongside a C# backdoor known as Kalambur or SUMBUR, which leverages the Tor Anonymity network for command-and-control operations. The malware can also install OpenSSH and activate remote desktop access via RDP on port 3389. Domains such as esetsmart[.]com, esetscanner[.]com, and esetremover[.]com were used to host the malicious software.
InedibleOchotense shows connections to the Sandworm group (also called APT44), which CERT-UA has subdivided into clusters including UAC-0212 and UAC-0125. Sandworm is infamous for its wiper malware campaigns in Ukraine. In April 2025, it deployed wipers named ZEROLOT and Sting targeting a university, followed by further destructive malware attacks on government, energy, logistics, and grain sectors.
Separately, another Russia-aligned actor, RomCom (also known as Storm-0978 or UNC2596), conducted spear-phishing operations in mid-July 2025 using a zero-day vulnerability in WinRAR (CVE-2025-8088, CVSS score 8.8). The exploits targeted financial, manufacturing, defense, and logistics firms in Europe and Canada. Successful intrusions installed backdoors such as SnipBot, RustyClaw, and a Mythic agent, as reported by AttackIQ and ESET.
RomCom has evolved from a cybercrime tool to a utility supporting nation-state objectives, adapting its operations based on geopolitical developments linked to the ongoing conflict in Ukraine, as noted by security researchers.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Prediction Markets Bet $1.1M on Elon Musk’s Tesla Pay Package Approval
- Aave Horizon Adds VanEck’s VBILL Tokenized Fund Collateral
- Bitdefender Named Representative Vendor in Gartner MDR Guide 2025
- Ripple RLUSD Launch Boosts Valuation to $40B with Mastercard Deals
- Hedera to Deprecate Alpha State Proofs by Feb 2026
