Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine
"InedibleOchotense sent spear-phishing emails and Signal text messages, containing a link to a trojanized ESET installer, to multiple Ukrainian entities," ESET said in its APT Activity Report Q2 2025-Q3 2025 shared with The Hacker News. The installer is designed to deliver the legitimate ESET AV Remover, alongside a variant of a C# backdoor dubbed Kalambur (aka SUMBUR), which uses the Tor anonymity network for command-and-control. It's also capable of dropping OpenSSH and enabling remote access via the Remote Desktop Protocol (RDP) on port 3389."
"While the email message is written in Ukrainian, ESET said the first line uses a Russian word, likely indicating a typo or a translation error. The email, which purports to be from ESET, claims its monitoring team detected a suspicious process associated with their email address and that their computers might be at risk. The activity is an attempt to capitalize on the widespread use of ESET software in the country and its brand reputation to trick recipients into installing malicious installers."
A previously unknown threat cluster tracked as InedibleOchotense sent spear-phishing emails and Signal-based lures in May 2025 to Ukrainian entities while impersonating ESET. The campaign used trojanized ESET installers hosted on deceptive domains to deliver the legitimate ESET AV Remover alongside a C# backdoor named Kalambur (aka SUMBUR). Kalambur uses the Tor network for command-and-control and can drop OpenSSH and enable RDP on port 3389 to facilitate remote access. The activity leverages ESET brand recognition and shows tactical overlap with Sandworm-linked sub-clusters (UAC-0212, UAC-0125) and with campaigns deploying BACKORDER.
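The report describes a concrete post-infection state: a fake installer that runs, Remote Desktop switched on, an OpenSSH server dropped, and a Tor-based channel for command-and-control. The script below is an added example written for this page, not code from ESET or The Hacker News, showing how a responder could triage a single Windows host for those symptoms with built-in PowerShell cmdlets. The installer path in the parameter is a hypothetical location, and the Tor check is a simple process-name heuristic that a real implant can avoid; the report gives no file names, hashes or ports for the backdoor itself, so none are assumed here.

```powershell
# Added example (not from the article or from ESET): triage a Windows host for the
# remote-access changes the report attributes to the Kalambur backdoor.
# $InstallerPath is a hypothetical location of the downloaded "ESET" installer.
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\eset_installer.exe"  # hypothetical
)

$findings = @()

# 1. Authenticode check: report the signature status and signer so the analyst can
#    compare it with what the genuine vendor installer carries.
if (Test-Path $InstallerPath) {
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $findings += "Installer '$InstallerPath': signature status $($sig.Status), signer $signer"
}

# 2. Remote Desktop enabled? fDenyTSConnections = 0 means RDP connections are allowed.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += "Remote Desktop is enabled (fDenyTSConnections = 0)"
}

# 3. OpenSSH server service registered on the host?
$sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
if ($sshd) {
    $findings += "OpenSSH server service present (status: $($sshd.Status), start type: $($sshd.StartType))"
}

# 4. Listening sockets on 3389 (RDP, named in the report) and 22 (OpenSSH default port),
#    with the owning process so the analyst can see what opened them.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 3389, 22 }
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '<unknown>' }
    $findings += "TCP port $($l.LocalPort) listening, owned by PID $($l.OwningProcess) ($name)"
}

# 5. Heuristic only: a process literally named 'tor'. The report says Kalambur uses
#    Tor for C2 but gives no file names, so this is an assumption, not an indicator.
$tor = Get-Process -Name tor -ErrorAction SilentlyContinue
foreach ($p in $tor) {
    $findings += "Process named 'tor' running (PID $($p.Id), path $($p.Path))"
}

# Report. Each finding can be legitimate on its own; the combination after a user
# ran an unexpected "ESET" installer is what should trigger escalation.
if ($findings.Count -eq 0) {
    Write-Output "No Kalambur-style remote-access changes observed on this host."
} else {
    Write-Output "Findings requiring analyst review:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it in an elevated PowerShell session (the registry key and socket ownership need administrator rights) and compare the output with the host's known baseline: RDP and OpenSSH are legitimately enabled on many administrative machines, so the script establishes whether the state described in the report is present rather than proving compromise by itself. The signature line is the cheapest check to perform before any installer is executed, since a trojanized build cannot reproduce the vendor's valid Authenticode signature.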
Read at The Hacker News