Recent phishing attacks aimed at Ukrainian entities have been attributed to a newly recognized cyber threat group called InedibleOchotense. This campaign, which commenced in May 2025, has reportedly been impersonating the reputable Slovak cybersecurity firm ESET in an effort to deceive potential victims.
ESET has classified InedibleOchotense as a threat actor aligned with Russia. The group is known for its use of spear-phishing emails and direct messages sent via the Signal app, all containing links to malicious versions of ESET installers. This activity has been detailed in ESET’s APT Activity Report for the period covering Q2 2025 to Q3 2025.
The phishing tactics employed by InedibleOchotense have raised alarms. The emails are reportedly written in Ukrainian but contain Russian words, suggesting they were translated carelessly. The messages falsely warn recipients that suspicious activity has been detected on their computers and urge them to download a trojanized ESET installer. The installers are hosted on lookalike domains such as esetsmart[.]com, esetscanner[.]com, and esetremover[.]com. When run, the installer sets up a genuine ESET product while also dropping a C# backdoor known as Kalambur (also tracked as SUMBUR), which gives the attackers persistent access to the host.
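The lookalike domains above are the simplest artefact to hunt for. The following is an added example (not code from the article or from ESET) that scans DNS query logs for ESET brand impersonation: it matches the three defanged indicators named above, then applies a heuristic for new lookalikes that put the brand string in an unrecognised registrable domain or as a subdomain of an unrelated one. The log format, the client addresses and the sample lines are constructed, the allowlist of genuine ESET domains is an assumption you must verify against your own knowledge of the vendor, and the registrable-domain logic is a two-label simplification that a production tool should replace with the Public Suffix List.

```python
"""Hunt DNS logs for domains impersonating the ESET brand.

Added example for illustration; not the article's or ESET's code.
Assumptions: the log line format below, the ESET_LEGIT allowlist, and
the two-label approximation of a registrable domain.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed allowlist of genuine ESET registrable domains. Populate this from
# the vendor's own documentation before relying on it.
ESET_LEGIT = {"eset.com", "eset.sk"}

# Indicators named in the report, defanged as published.
KNOWN_IOCS = {"esetsmart[.]com", "esetscanner[.]com", "esetremover[.]com"}

# "eset" preceded by start-of-label or a separator, so "presets" or "reset"
# do not trigger but "esetsmart", "eset-remover" and "my-eset" do.
BRAND_RE = re.compile(r"(?:^|[^a-z0-9])eset")

# Constructed sample log: "<timestamp> <client> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2025-06-03T09:14:22Z 10.0.5.17 A updates.eset.com
2025-06-03T09:15:01Z 10.0.5.17 A esetsmart.com
2025-06-03T09:15:07Z 10.0.5.42 A download.esetscanner.com
2025-06-03T09:16:30Z 10.0.5.42 A eset.support-portal.example
2025-06-03T09:17:12Z 10.0.5.99 A www.example.org
2025-06-03T09:18:45Z 10.0.5.99 A presets.example
2025-06-03T09:19:03Z 10.0.5.99 A eset-remover.net
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def refang(name: str) -> str:
    """Normalise a hostname: lowercase, strip trailing dot, undo [.] / (.) defanging."""
    return name.strip().lower().rstrip(".").replace("[.]", ".").replace("(.)", ".")


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification: co.uk-style suffixes are mishandled; use the Public
    Suffix List in real tooling.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


KNOWN_IOC_DOMAINS = {registrable(refang(d)) for d in KNOWN_IOCS}


@dataclass
class Finding:
    ts: str
    client: str
    qname: str
    reason: str


def classify(qname: str) -> Optional[str]:
    """Return a reason string if the name impersonates ESET, else None."""
    host = refang(qname)
    reg = registrable(host)
    if reg in ESET_LEGIT:
        return None
    if reg in KNOWN_IOC_DOMAINS:
        return "known IoC domain"
    second_level = reg.split(".")[0]
    if BRAND_RE.search(second_level):
        return "ESET brand in unrecognised registrable domain"
    subdomain_labels = host.split(".")[:-2]
    if any(BRAND_RE.search(label) for label in subdomain_labels):
        return "ESET brand used as subdomain of unrelated domain"
    return None


def scan(log_text: str) -> List[Finding]:
    """Parse log lines and return one Finding per suspicious query."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        reason = classify(m["qname"])
        if reason:
            findings.append(Finding(m["ts"], m["client"], m["qname"], reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_DNS_LOG):
        print(f"{f.ts} {f.client} {f.qname}: {f.reason}")
```

The heuristic branch deliberately stays narrow: it only fires on the brand string at a label boundary, so a sweep over a large DNS corpus produces a review list rather than a flood, and the allowlist suppresses the vendor's real update and licensing traffic. Any hit on a client should be followed by checking that host for an unexpected OpenSSH service or newly enabled RDP, which is the access method the report attributes to Kalambur.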
Kalambur uses the Tor network for command-and-control and can expose remote access to the compromised host via OpenSSH and Remote Desktop Protocol (RDP) on TCP port 3389. The campaign trades on ESET's strong brand presence in Ukraine, which makes a warning that appears to come from the vendor more likely to be trusted.
There are tactical similarities between InedibleOchotense and other known operations associated with the Sandworm hacking group. Previously, CERT-UA linked a nearly identical phishing operation to UAC-0125, a subgroup within Sandworm. Matthieu Faou, a senior malware researcher at ESET, noted that while there are overlaps between these groups, a conclusive link has yet to be established.
While InedibleOchotense is actively deploying phishing attacks, the Sandworm group is also ramping up its malware operations in Ukraine. Notably, ESET reported two significant wiper malware incidents—named ZEROLOT and Sting—targeting university systems and various critical sectors, including government and energy.
In addition to InedibleOchotense and Sandworm, another group called RomCom has been noted for its activity, taking advantage of a vulnerability in WinRAR (CVE-2025-8088) to execute phishing campaigns against companies in Europe and Canada. RomCom has shifted its motivations from purely financial gains to aligning its activities with national interests amid the ongoing conflict in Ukraine.
As the threat landscape continues to change, awareness of phishing lures like these and of the backdoors they deliver is crucial, especially for organizations operating in Ukraine and other targeted regions. In practice this means obtaining security software only from the vendor's own domains, checking that installers carry the vendor's code signature, and monitoring for lookalike domains and unexpected remote-access services.
