Executive Summary
In May 2025, a Russia-aligned threat group tracked as InedibleOchotense conducted a spear-phishing campaign targeting Ukrainian organizations. Attackers impersonated Slovak security company ESET, delivering phishing emails and Signal messages containing malicious links to trojanized ESET installers. When unsuspecting victims executed these files, a previously undocumented backdoor named Kalambur was installed, granting attackers covert access to compromised systems and enabling persistent network reconnaissance, command execution, and data exfiltration. The impersonation of a well-known cybersecurity firm lent the campaign added credibility, elevating its success rate and risk to targeted entities.
This incident is a stark illustration of evolving phishing TTPs that exploit software supply chain trust and employ realistic impersonation. The campaign highlights the enduring threat posed by nation-state actors employing sophisticated lures, and underscores the urgent need for vigilant software validation, phishing awareness, and robust protective controls across organizations operating in high-risk geopolitical regions.
Why This Matters Now
Supply chain trust attacks and the targeting of critical organizations through impersonated security tools are rising. This campaign demonstrates how easily trusted software brands can be weaponized to bypass defenses. Organizations must urgently strengthen both their phishing resilience and their controls for detecting trojanized legitimate tools, as threat actors increasingly exploit trust-based vectors.
Attack Path Analysis
The attacker initiated the campaign via spear-phishing and Signal messages containing links to trojanized ESET installers, leading to initial compromise of target systems. Following installation, the backdoor likely employed privilege escalation to gain persistent access. The attacker then moved laterally within internal and cloud environments, searching for additional assets. Through established command and control channels, the adversary received instructions and maintained persistence. Sensitive data was exfiltrated, potentially over encrypted or covert traffic. The final outcome could involve business disruption, further malware deployment, or data destruction.
Kill Chain Progression
Initial Compromise
Description
Victims received spear-phishing emails and Signal messages impersonating ESET, containing malicious installers which, when executed, deployed the Kalambur backdoor.
Related CVEs
CVE-2025-8088
CVSS 8.8
A vulnerability in WinRAR allows remote attackers to execute arbitrary code via crafted archive files.
Affected Products:
RARLAB WinRAR – < 6.23
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Spearphishing Link
Supply Chain Compromise: Compromised Software Supply Chain
User Execution: Malicious File
Hijack Execution Flow: DLL Side-Loading
Command and Scripting Interpreter
Application Layer Protocol: Web Protocols
Ingress Tool Transfer
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Log and Monitor All Access to System Components
Control ID: 10.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Incident Handling
Control ID: Article 21(2)(d)
DORA – ICT Risk Management
Control ID: Article 8
CISA Zero Trust Maturity Model 2.0 – Identity Protection and Phishing-Resistant Mechanisms
Control ID: Identity Pillar: Phishing-Resistant Authentication
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
Direct reputational damage from ESET impersonation in backdoor phishing campaign targeting Ukrainian entities, undermining trust in cybersecurity vendors and authentication protocols.
Government Administration
High-risk target for Kalambur backdoor deployment via trojanized security software, enabling lateral movement and data exfiltration in critical government infrastructure systems.
Defense/Space
Critical vulnerability to Russia-aligned phishing attacks using legitimate security software impersonation, compromising defense communications and classified data protection capabilities.
Financial Services
Elevated threat from sophisticated social engineering campaigns exploiting trusted security vendor identity, potentially bypassing zero trust segmentation and encrypted traffic protections.
Sources
- Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine: https://thehackernews.com/2025/11/trojanized-eset-installers-drop.html (Verified)
- ESET Research APT Report: Russian attacks surge in Ukraine and Europe; Chinese groups target Latin American governments: https://www.eset.com/us/about/newsroom/research/eset-research-apt-report-april-september-2025/ (Verified)
- Russia-linked APT InedibleOchotense impersonates ESET to deploy backdoor on Ukrainian systems: https://securityaffairs.com/184303/apt/russia-linked-apt-inedibleochotense-impersonates-eset-to-deploy-backdoor-on-ukrainian-systems.html (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust network segmentation, robust egress policy enforcement, threat detection, and lateral movement controls would have dramatically mitigated the risk associated with this campaign at every phase. Specifically, microsegmentation, encrypted communications, and inline threat detection would have prevented unauthorized access and movement, while egress controls would have contained data loss.
Control: Threat Detection & Anomaly Response
Mitigation: Early identification and alerting on anomalous or malicious installer downloads.
Control: Zero Trust Segmentation
Mitigation: Limits access to critical cloud resources even if privileges are elevated locally.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized internal movement between workloads and services.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents or detects outbound C2 connections to unapproved domains or IPs.
Control: Encrypted Traffic (HPE)
Mitigation: Inspection and control of data-in-transit, detecting or blocking unauthorized transfers.
Real-time enforcement prevents widespread impact or further compromise.
Impact at a Glance
Affected Business Functions
- IT Security
- Network Operations
- Data Management
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive governmental and organizational data due to unauthorized remote access facilitated by the Kalambur backdoor.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to isolate workloads and enforce least privilege across all cloud networks.
- Deploy robust east-west traffic inspection to detect and prevent unauthorized lateral movement.
- Enforce strict egress policies with application-aware controls to block malware C2 and exfiltration.
- Utilize centralized visibility and anomaly detection tools for real-time threat identification and rapid response.
- Continuously monitor for and respond to new phishing vectors and supply chain risks targeting cloud assets.