Russian Hackers Impersonate ESET In Phishing Attacks Targeting Ukraine

A Russia-aligned cybercriminal group has been leveraging ESET’s reputation to distribute malware to Ukrainian organizations.

Published on Nov 10, 2025
Written by Caitlin Harris

A Russia-aligned threat actor has been impersonating cybersecurity company ESET in a series of phishing attacks against Ukrainian organizations.

The threat actor, which is tracked under the name “InedibleOchotense”, sent spear-phishing emails and Signal messages to multiple Ukrainian entities, said ESET. The messages warned users of suspicious activity linked to their email account and urged them to download an “official threat removal software.”

However, the links in the messages led victims to download a trojanized ESET installer hosted on fake ESET domains, such as esetsmart[.]com, esetscanner[.]com, and esetremover[.]com. The installer delivered a legitimate ESET product alongside a variant of the Kalambur backdoor.

Once it was installed, the attackers could use the Kalambur backdoor for command-and-control, to drop OpenSSH, and to remotely access the compromised system.

ESET researchers were able to attribute the attack to the Russia-aligned threat group partly due to a typo or translation error within the message body. While the email was written in Ukrainian, the first line used a Russian word, the company said.

Destruction Over Espionage

InedibleOchotense is reported to have links with the Russian state-backed hacking group Sandworm. The recently observed phishing attack shares tactical similarities with a Sandworm campaign documented by EclecticIQ earlier this year, in which the attackers impersonated Microsoft in order to deploy a backdoor called BACKORDER. 

In the Sandworm attack, the backdoor enabled attackers to exfiltrate sensitive data from Ukrainian Windows users and conduct cyber espionage. 

The Sandworm group has carried out multiple cyberattacks against Ukrainian entities in the past, including the 2015 power grid blackout, the 2017 NotPetya malware attack, and last year’s attack against telecom provider Kyivstar. 

In April this year, the group carried out two wiper malware attacks against a Ukrainian university. Most recently, they deployed multiple data-wiping malware variants against Ukraine’s government, energy, logistics, and grain sectors, the last of which is a key source of export revenue for the country.

According to ESET, these latest attacks have been focussed on destruction, rather than cyberespionage, with the likely objective being the weakening of the Ukrainian war economy.

“These destructive attacks by Sandworm are a reminder that wipers very much remain a frequent tool of Russia-aligned threat actors in Ukraine,” said ESET. “Although there have been reports suggesting an apparent refocusing on espionage activities by such groups in late 2024, we have seen Sandworm conducting wiper attacks against Ukrainian entities on a regular basis since the start of 2025.”