Phishing Attacks in Ukraine: Trojanized ESET Installers Deliver Kalambur Backdoor

A previously unidentified threat group has been observed impersonating the Slovak cybersecurity firm ESET in phishing attacks aimed at Ukrainian organizations. The campaign, which began in May 2025, is tracked as InedibleOchotense and is assessed to be Russia-aligned.

According to ESET's APT Activity Report covering Q2 and Q3 of 2025, InedibleOchotense spear-phished its targets over both email and Signal. The messages carried links to a trojanized installer purporting to come from ESET.

The activity overlaps with earlier campaigns documented by EclecticIQ and CERT-UA that delivered the BACKORDER backdoor; CERT-UA tracks that activity as UAC-0212, a cluster attributed to the broader Sandworm group.

The phishing messages are written in Ukrainian, but the opening line contains a Russian word, which suggests a translation slip. The emails falsely claim that suspicious activity tied to the recipient's email account has been detected and warn of possible risks to their systems.

The campaign trades on ESET's recognition and reputation to lure victims into installing malware disguised as legitimate ESET tools, served from lookalike domains such as esetsmart.com, esetscanner.com, and esetremover.com.

The trojanized installer drops a genuine ESET AV Remover, so the victim sees the expected tool, while also deploying a variant of the Kalambur backdoor. Kalambur uses the Tor network for command and control, and can additionally install OpenSSH and enable remote access via RDP on port 3389.
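The infection chain above leaves a recognisable footprint on a Windows host: a download from an ESET-themed lookalike domain, followed shortly by an OpenSSH service appearing and RDP being switched on. The script below is an added hunting example, not code from the original article, from ESET or from CERT-UA. It runs over a constructed, hypothetical JSON-lines export of endpoint events (the field names `type`, `url`, `key`, `value`, `service`, `action` and `port` are assumptions, not any vendor's schema), flags hosts where a lookalike download is followed within a window by OpenSSH installation and/or RDP enablement, and leaves an unaccompanied lookalike download as a low-severity lead. The Tor command-and-control channel is not modelled here. The registry value checked, `fDenyTSConnections = 0` under `Terminal Server`, is the standard switch that enables Remote Desktop.

```python
"""Hunting heuristic for the lookalike-download -> OpenSSH -> RDP pattern.

Added example. The event log format below is constructed and hypothetical:
one JSON object per line with ts, host, type and type-specific fields.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed allow-list of legitimate ESET hosts; extend for your environment.
LEGIT_ESET_DOMAINS = {"eset.com", "www.eset.com", "download.eset.com"}


def is_eset_lookalike(host: str) -> bool:
    """True for an ESET-themed host that is not a known ESET domain.

    Matches the campaign's naming pattern (esetsmart.com, esetscanner.com,
    esetremover.com) by looking for 'eset' in the registrable label.
    """
    host = host.lower().rstrip(".")
    if host in LEGIT_ESET_DOMAINS or host.endswith(".eset.com"):
        return False
    labels = host.split(".")
    return len(labels) >= 2 and "eset" in labels[-2]


def classify(ev: dict):
    """Map one event to a signal name, or None if it is not of interest."""
    kind = ev.get("type")
    if kind == "download":
        if is_eset_lookalike(urlparse(ev.get("url", "")).hostname or ""):
            return "lookalike_download"
    elif kind == "registry":
        key = ev.get("key", "").lower()
        # HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 0 enables RDP
        if key.endswith("\\terminal server\\fdenytsconnections") and str(ev.get("value")) == "0":
            return "rdp_enabled"
    elif kind == "firewall_rule":
        if ev.get("action") == "allow" and ev.get("port") == 3389:
            return "rdp_enabled"
    elif kind == "service_install":
        if ev.get("service", "").lower() in {"sshd", "ssh-agent"}:
            return "openssh_installed"
    return None


def hunt(lines, window: timedelta = timedelta(hours=2)) -> dict:
    """Return {host: {"severity": ..., "signals": [...]}} for suspicious hosts.

    A host is reported only if it downloaded from a lookalike domain; RDP or
    OpenSSH changes on their own are treated as routine administration.
    Severity rises with the number of distinct follow-on signals inside `window`.
    """
    by_host = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        sig = classify(ev)
        if sig:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), sig))

    findings = {}
    for host, sigs in by_host.items():
        sigs.sort()
        downloads = [t for t, s in sigs if s == "lookalike_download"]
        if not downloads:
            continue
        t0 = downloads[0]
        follow = {s for t, s in sigs if s != "lookalike_download" and t0 <= t <= t0 + window}
        severity = {0: "low", 1: "medium", 2: "high"}[len(follow)]
        findings[host] = {"severity": severity, "signals": ["lookalike_download"] + sorted(follow)}
    return findings


# Constructed sample events (not real telemetry). WS-17 shows the full chain,
# WS-22 is a benign download from the real ESET domain plus an admin enabling
# RDP, WS-31 has a lookalike download with OpenSSH appearing outside the window.
SAMPLE_EVENTS = r"""
{"ts":"2025-06-03T09:12:01","host":"WS-17","type":"download","url":"https://esetscanner.com/ESET_AV_Remover.exe"}
{"ts":"2025-06-03T09:14:30","host":"WS-17","type":"service_install","service":"sshd"}
{"ts":"2025-06-03T09:15:02","host":"WS-17","type":"registry","key":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","value":0}
{"ts":"2025-06-03T09:15:03","host":"WS-17","type":"firewall_rule","action":"allow","port":3389}
{"ts":"2025-06-03T10:02:11","host":"WS-22","type":"download","url":"https://download.eset.com/avremover.exe"}
{"ts":"2025-06-03T10:40:00","host":"WS-22","type":"registry","key":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","value":0}
{"ts":"2025-06-03T11:20:45","host":"WS-31","type":"download","url":"https://esetremover.com/ESET_AV_Remover.exe"}
{"ts":"2025-06-03T16:00:00","host":"WS-31","type":"service_install","service":"sshd"}
"""

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS.splitlines()).items():
        print(host, finding["severity"], ", ".join(finding["signals"]))
```

The two-hour window and the severity ladder are tuning knobs; in practice the lookalike check should also be fed from DNS and proxy logs, since the download may not be visible on the endpoint itself.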

CERT-UA has also tied a nearly identical operation to another Sandworm subgroup, UAC-0125, continuing the phishing-to-malware pattern seen across these campaigns.

Separately, ESET reports that Sandworm continues to run destructive operations in Ukraine, including a recent surge of wiper malware such as ZEROLOT and Sting against the government, energy, and logistics sectors.

RomCom, another Russia-linked actor, has also been confirmed to exploit a WinRAR vulnerability in attacks on sectors including finance and manufacturing. RomCom's activity shows a shift from purely profit-driven operations to using its tooling in support of geopolitical objectives, tracking developments in the Ukraine conflict.

Taken together, the phishing wave, the wiper incidents, and the exploitation of vulnerabilities underline the persistent and evolving cyber threat the region faces.


