Trojanized ESET installer drops Kalambur backdoor in phishing attack on Ukraine

November 6, 2025

A previously unknown cluster of threat activity impersonating Slovak cybersecurity company ESET was observed as part of a phishing campaign targeting Ukrainian companies.

This campaign, detected in May 2025, is tracked by ESET under the name InedibleOchotense, which the company says is aligned with Russia.

“InedibleOchotense sent spear-phishing emails and Signal text messages containing links to trojanized ESET installers to multiple Ukrainian organizations,” ESET said in its APT Activity Report Q2 2025 – Q3 2025, shared with The Hacker News.

InedibleOchotense is assessed to be tactically overlapping with a campaign involving the deployment of a backdoor called BACKORDER documented by EclecticIQ and logged by CERT-UA as UAC-0212, which is described as a subcluster within the Sandworm (aka APT44) hacking group.

The email message is written in Ukrainian, but the first line is in Russian, likely indicating a typo or translation error, ESET said. The email, purporting to come from ESET, claims that the company's monitoring team has detected a suspicious process associated with the recipient's email address and that their computer may be at risk.

This activity attempts to leverage the popularity of ESET software in the country and its brand reputation to trick recipients into installing malicious installers hosted on domains such as esetsmart(.)com, esetscanner(.)com, and esetremover(.)com.

The installer is designed to deliver the legitimate ESET AV Remover alongside a C# backdoor variant called Kalambur (also known as SUMBUR) that uses the Tor anonymity network for command and control. The backdoor can also install OpenSSH and enable remote access via Remote Desktop Protocol (RDP) on port 3389.
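As an added defender-side example (not from the original article or from ESET), the following Python refangs the lookalike domains quoted above and flags any query to them, or to any other unlisted eset-prefixed domain, in constructed DNS query log lines; the allowlist of vendor-owned domains and the log line format are assumptions.

```python
import re

# Lookalike domains named in the article, defanged as the article writes them.
ARTICLE_IOCS = ["esetsmart(.)com", "esetscanner(.)com", "esetremover(.)com"]

# Assumed allowlist of vendor-owned domains; constructed for this example, not an official list.
LEGIT_ESET_DOMAINS = {"eset.com", "eset.ua"}


def refang(domain: str) -> str:
    """Convert defanged notation such as 'x(.)com' or 'x[.]com' back to a real hostname."""
    return re.sub(r"[\(\[]\.[\)\]]", ".", domain).strip().lower().rstrip(".")


def is_eset_lookalike(hostname: str) -> bool:
    """Heuristic: the registrable label starts with 'eset' but the host is not a vendor domain."""
    host = hostname.strip().lower().rstrip(".")
    if host in LEGIT_ESET_DOMAINS or any(host.endswith("." + d) for d in LEGIT_ESET_DOMAINS):
        return False
    labels = host.split(".")
    return len(labels) >= 2 and labels[-2].startswith("eset")


def scan_dns_log(lines):
    """Return (timestamp, client, qname, reason) for each query matching a known IoC or the heuristic."""
    iocs = {refang(d) for d in ARTICLE_IOCS}
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, _qtype, qname = parts[:4]
        qname = qname.lower().rstrip(".")
        if qname in iocs or any(qname.endswith("." + i) for i in iocs):
            hits.append((ts, client, qname, "known lookalike domain from report"))
        elif is_eset_lookalike(qname):
            hits.append((ts, client, qname, "unlisted eset-prefixed domain (heuristic)"))
    return hits


# Constructed sample log lines (not real traffic): "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_LOG = [
    "2025-05-14T09:12:03Z 10.0.0.21 A esetsmart.com",
    "2025-05-14T09:12:05Z 10.0.0.21 A update.eset.com",
    "2025-05-14T09:13:40Z 10.0.0.35 A download.esetremover.com",
    "2025-05-14T09:14:02Z 10.0.0.35 A esetcleaner-tool.com",
    "2025-05-14T09:15:11Z 10.0.0.40 A reset.example.com",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(*hit)
```

The heuristic match is deliberately narrow (label must start with "eset") to avoid flagging words like "reset"; review its hits manually before blocking.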

It’s worth noting that in a report published last month, CERT-UA attributed a nearly identical campaign to another subcluster within Sandworm, UAC-0125.


Sandworm wiper attack in Ukraine

According to ESET, Sandworm has continued its destructive campaign in Ukraine, deploying two wipers tracked as ZEROLOT and Sting against unnamed universities in April 2025, followed by multiple data-wiping malware variants targeting the government, energy, logistics, and grain sectors.

“During this period, we observed and confirmed that the UAC-0099 group conducted initial access operations and subsequently forwarded verified targets to Sandworm for follow-up activities,” the company said. “These devastating attacks by Sandworm are a reminder that Wiper remains a frequent tool of Russian-aligned threat actors in Ukraine.”

RomCom exploits WinRAR 0-Day in attacks

Another notable Russian threat actor active during this period was RomCom (also known as Storm-0978, Tropical Scorpius, UNC2596, or Void Rabisu). In mid-July 2025, RomCom launched a spear-phishing campaign that exploited the WinRAR vulnerability CVE-2025-8088 (CVSS score: 8.8) in attacks targeting finance, manufacturing, defense, and logistics organizations in Europe and Canada.

“Successful exploitation attempts delivered various backdoors used by the RomCom group, in particular variants of SnipBot (also known as SingleCamper or RomCom RAT 5.0), RustyClaw, and the Mythic agent,” ESET said.

In a detailed profile of RomCom in late September 2025, AttackIQ characterized the hacker group as closely monitoring geopolitical developments surrounding the Ukraine war and using them to conduct credential harvesting and data theft activities likely to support Russian objectives.

“RomCom was originally developed as an e-crime commodity malware, designed to facilitate the deployment and persistence of malicious payloads, and enabled its integration into prominent extortion-focused ransomware operations,” said security researcher Francis Gibernau. “RomCom has moved from being a purely profit-driven product to a public utility used to run a nation-state.”
