InedibleOchotense is a Russia-linked, Russia-aligned threat actor observed conducting spearphishing campaigns against Ukrainian entities in May 2025. The actor impersonated ESET in phishing emails and Signal messages, using social engineering rather than direct exploitation to compromise targets. The campaign delivered trojanized ESET installers hosted on fake domains posing as ESET infrastructure, including esetsmart[.]com, esetscanner[.]com, and esetremover[.]com. The malicious download was delivered as a ZIP file containing a legitimate ESET AV Remover together with the Kalambur backdoor, resulting in installation of both a legitimate ESET product and the backdoor. Reported lures warned recipients about suspicious activity linked to their email accounts and urged them to download purported official threat-removal software. ESET stated the campaign shared tactics with activity previously attributed to UAC-0212 and the BACKORDER downloader. Researchers also observed minor language errors in the lures, suggesting poor translation from Russian to Ukrainian. No additional aliases or sub-groups are directly supported in the provided content.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Geographies tied to known operations.
Attributed origin per open-source reporting.
7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducted a spearphishing campaign impersonating ESET to deliver trojanized installers that installed legitimate ESET software alongside the Kalambur backdoor on Ukrainian targets.
InedibleOchotense is a Russia-aligned APT group that conducted spearphishing campaigns impersonating ESET, delivering a trojanized installer and the Kalambur backdoor.
Phishing actor using brand impersonation (ESET) to deliver trojanized installers that install the Kalambur backdoor.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.