
Russia-Linked APT InedibleOchotense Deploys Backdoor via Fake ESET Installers in Ukrainian Cyber Attacks
In May 2025, the Russia-linked Advanced Persistent Threat (APT) group InedibleOchotense conducted a sophisticated phishing campaign targeting Ukrainian entities. The attackers impersonated ESET, a reputable cybersecurity firm, by distributing trojanized installers through phishing emails and Signal messages. These malicious installers not only deployed legitimate ESET software but also installed the Kalambur backdoor, granting the attackers persistent access to compromised systems.
At the technical level, this attack relies on social engineering to exploit user trust in well-known security software: the installer does deliver the genuine ESET product, so the victim sees nothing amiss while the backdoor is installed alongside it. The use of Signal, a platform known for its strong encryption and privacy features, shows the attackers' willingness to abuse trusted communication channels. The Kalambur backdoor likely facilitates data exfiltration, lateral movement, and further malicious activity within the targeted networks.
The implications of this attack are significant, particularly in the context of ongoing cyber warfare between Russia and Ukraine. This incident underscores the evolving tactics of state-sponsored APT groups, who increasingly employ sophisticated methods to bypass traditional security measures. For cybersecurity professionals, this serves as a critical reminder of the importance of verifying software authenticity and implementing robust endpoint detection and response (EDR) solutions.
Expert insights suggest that organizations should adopt a multi-layered security approach, including comprehensive user training to recognize phishing attempts, advanced email filtering to detect malicious attachments, and continuous monitoring for unusual system behaviors. Additionally, the use of application whitelisting and strict software installation policies can mitigate the risk of trojanized installers.
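One concrete form of the "verify software authenticity" control above, as an added example that is not part of the original article: before an installer is run, check that its Authenticode signature is valid and that the signer is the expected publisher, and record the file hash for later correlation with threat intelligence. The expected-publisher substring and the downloads folder are assumptions supplied by the caller, not values from the article.

```powershell
# Added example (not from the article): vet a downloaded installer before it is run.
# Assumes the caller supplies the file path and the publisher name expected in the signer subject.
function Test-InstallerAuthenticity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher   # substring matched against the signer subject
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Missing'; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Any status other than Valid covers unsigned files, tampered binaries and untrusted chains.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Reject'; Reason = "signature status: $($sig.Status)" }
    }

    # A valid signature from the wrong publisher is still a red flag: code-signing certs are easy to obtain,
    # so a trojanized build may be properly signed, just not by the vendor it impersonates.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($ExpectedPublisher)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Reject'; Reason = "unexpected signer: $subject" }
    }

    # Record the SHA-256 so the decision can be matched against threat-intel feeds afterwards.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return [pscustomobject]@{ Path = $Path; Verdict = 'Accept'; Reason = "signed by $subject"; SHA256 = $hash }
}

# Usage (assumed folder): vet every .exe in the user's Downloads directory before anyone double-clicks one.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-InstallerAuthenticity -Path $_.FullName -ExpectedPublisher 'ESET' } |
    Format-Table -AutoSize
```

The publisher match is a substring check on the certificate subject; in production, pin the full subject or the certificate thumbprint published by the vendor rather than a name fragment.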
This attack also highlights the need for heightened vigilance when dealing with software downloads, even from seemingly trusted sources. Cybersecurity teams should prioritize threat intelligence sharing and collaborative defense strategies to stay ahead of such advanced threats.