A new wave of cyberattacks targeting Ukrainian entities has surfaced, with threat actors impersonating the well-known cybersecurity firm ESET. The threat cluster, discovered in May 2025, is tracked by ESET as “InedibleOchotense” and assessed as being aligned with Russian interests. This campaign highlights the evolving tactics of nation-state-backed hacking groups and their sophisticated methods for gaining access to sensitive information.
The InedibleOchotense campaign employed spear-phishing emails and Signal text messages to distribute a trojanized ESET installer. These messages, written primarily in Ukrainian, included an initial phrase using a Russian word, suggesting either a translation error or a deliberate linguistic nuance. The emails falsely claimed that ESET’s monitoring team had detected suspicious activity linked to the recipient’s email address, raising concerns about potential system risks.
InedibleOchotense Impersonates ESET in New Phishing Campaign Targeting Ukraine
The observed threat activity, dubbed InedibleOchotense by ESET, has exhibited tactical overlaps with previous campaigns documented by EclecticIQ and CERT-UA. These earlier efforts involved the deployment of a backdoor known as BACKORDER and have been attributed to UAC-0212, a suspected sub-cluster operating under the broader Sandworm (also known as APT44) hacking group. This connection suggests a potential collaboration or shared operational framework among these Russia-aligned threat actors.
The attackers exploited ESET’s strong brand recognition and widespread use of its software within Ukraine. By hosting malicious installers on domains designed to mimic legitimate ESET services (such as esetsmart[.]com, esetscanner[.]com, and esetremover[.]com), they aimed to trick unsuspecting users into downloading compromised software. This social engineering tactic leverages trust in established cybersecurity brands to facilitate the initial compromise.
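A defender-side check for the lookalike-domain tactic described above, as an added example that is not part of the original article or of ESET's tooling: it refangs the three reported domains into a watchlist, scans DNS query logs for them, and also flags any other domain that carries the ESET brand token outside an allowlist. The log format and the allowlist (eset.com only) are assumptions for this example; a real deployment would use its own resolver log format and every domain its ESET products legitimately contact.

```python
import re

# Defanged lookalike domains named in the report; refanged before matching.
REPORTED_LOOKALIKES = ["esetsmart[.]com", "esetscanner[.]com", "esetremover[.]com"]
# Assumption for this example: eset.com is the only legitimate ESET domain in use.
LEGITIMATE_ESET_DOMAINS = {"eset.com"}
# Brand token only at label start or after a separator, so "password-reset" is not flagged.
BRAND_RE = re.compile(r"(?:^|[^a-z])eset")
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")

def refang(indicator):
    """Turn a defanged indicator such as 'esetsmart[.]com' into a real domain."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()

def registrable_domain(fqdn):
    """Crude eTLD+1 (last two labels); adequate for the .com/.net names here."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def classify(fqdn, watchlist):
    """'ioc' for a reported lookalike, 'brand-lookalike' for any other domain
    carrying the brand token outside the allowlist, None otherwise."""
    base = registrable_domain(fqdn)
    if base in LEGITIMATE_ESET_DOMAINS:
        return None
    if base in watchlist:
        return "ioc"
    if BRAND_RE.search(base.split(".")[0]):
        return "brand-lookalike"
    return None

def scan_dns_log(lines):
    """Return (client, registrable domain, verdict) for every flagged query."""
    watchlist = {refang(d) for d in REPORTED_LOOKALIKES}
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not query records
        verdict = classify(m["qname"], watchlist)
        if verdict:
            hits.append((m["client"], registrable_domain(m["qname"]), verdict))
    return hits

# Constructed sample log in a made-up "<ts> <client> query <qname>" format.
SAMPLE_LOG = """\
2025-05-12T09:14:02Z 10.0.5.23 query update.eset.com.
2025-05-12T09:15:40Z 10.0.5.23 query download.esetsmart.com.
2025-05-12T09:16:11Z 10.0.7.8 query eset-support-portal.net.
2025-05-12T09:17:03Z 10.0.7.9 query password-reset.example.org.
"""
```

Running `scan_dns_log(SAMPLE_LOG.splitlines())` flags the reported indicator and the unlisted brand lookalike while leaving the legitimate eset.com query and the "password-reset" host alone.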
Upon execution, the malicious installer delivered a legitimate ESET AV Remover alongside a variant of the Kalambur C# backdoor. Kalambur utilizes the Tor anonymity network for its command-and-control (C2) communications, making it more difficult to track and disrupt. Additionally, the backdoor possessed the capability to install OpenSSH and enable remote access through the Remote Desktop Protocol (RDP) on port 3389, opening the door for deeper system penetration and control.
It is noteworthy that CERT-UA had previously attributed a very similar campaign to UAC-0125, identified as another sub-cluster within Sandworm, in a report published the previous month. ESET’s senior malware researcher, Matthieu Faou, stated that while InedibleOchotense shows weak relations to Sandworm and overlaps with its BACKORDER-related activity and UAC-0212, the link to UAC-0125 could not be independently verified.
Sandworm’s Continued Destructive Operations in Ukraine
ESET’s reporting also detailed Sandworm’s ongoing destructive operations within Ukraine. In April 2025, the group launched attacks using two wiper malware variants, ZEROLOT and Sting, targeting an unnamed university. This was followed by the deployment of additional data-wiping malware targeting critical sectors, including government, energy, logistics, and the grain industry.
During this period, ESET observed and confirmed that the UAC-0099 group conducted initial access operations and subsequently transferred validated targets to Sandworm for follow-up destructive activity. These actions underscore the persistent threat posed by wipers as a preferred tool for Russia-aligned threat actors operating in Ukraine.
RomCom Leverages WinRAR Vulnerability in New Attacks
Another significant Russia-aligned threat actor identified is RomCom (also known as Storm-0978, Tropical Scorpius, UNC2596, or Void Rabisu). In mid-July 2025, RomCom initiated spear-phishing campaigns that weaponized a WinRAR vulnerability, identified as CVE-2025-8088 with a critical CVSS score of 8.8. These attacks targeted financial, manufacturing, defense, and logistics companies across Europe and Canada.
Successful exploitation of this flaw allowed RomCom to deploy various backdoors, including variants of SnipBot (also known as SingleCamper or RomCom RAT 5.0), RustyClaw, and a Mythic agent. Security researchers characterize RomCom as a group that closely monitors geopolitical developments, particularly concerning the war in Ukraine, to conduct credential harvesting and data exfiltration activities that likely serve Russian objectives.
Originally conceived as an e-crime commodity malware designed to facilitate payload deployment and persistence, RomCom has evolved. It has transitioned from a purely profit-driven tool to a utility employed in nation-state operations, demonstrating the blurring lines between cybercrime and espionage.
The continued activity of groups like InedibleOchotense and Sandworm, coupled with the evolving tactics of actors like RomCom, indicates an ongoing and dynamic threat landscape for Ukrainian entities and their international partners. The sophisticated impersonation tactics and exploitation of software vulnerabilities suggest that such attacks will likely persist, with threat actors continually adapting their methods to circumvent defenses. Organizations must remain vigilant and ensure their cybersecurity measures are up-to-date to counter these evolving threats.