🚨 CRITICAL | APT

Trojanized ESET Installers - Kalambur Backdoor Targets Ukraine

Trojanized ESET installers are being used to deliver the Kalambur backdoor in a Russia-aligned phishing campaign targeting Ukrainian organizations. The installers are distributed via spear-phishing emails and Signal messages that impersonate the Slovak security vendor and claim to provide urgent remediation tools. Victims who download from domains such as esetsmart[.]com or esetscanner[.]com receive a bundle that combines legitimate ESET AV components with a C# backdoor known as Kalambur, also tracked as SUMBUR. This gives the InedibleOchotense threat cluster, linked to the Sandworm sub-groups UAC-0212 and UAC-0125, persistent access to Ukrainian government, energy, logistics, and education networks. Kalambur uses the Tor anonymity network for command-and-control, can deploy OpenSSH, and enables Remote Desktop access on port 3389, giving operators broad control over compromised systems.

The same reporting period also saw Sandworm deploy multiple wiper families, including ZEROLOT and Sting, against Ukrainian targets, underscoring the destructive intent behind this access. For defenders in Ukraine and allied countries, the campaign highlights a recurring pattern: adversaries abuse trust in widely deployed security software to gain initial access and prepare follow-on destructive operations. Security teams must combine rigorous verification of installer provenance with monitoring for Tor-based C2, unexpected RDP enablement, and secondary payloads associated with Sandworm-linked campaigns.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: The use of trojanized ESET installers against Ukrainian entities demonstrates how Russia-aligned operators weaponize trusted security brands to penetrate highly targeted networks. Government, critical infrastructure, and logistics organizations face not only espionage risk but also the prospect of disruptive or destructive wiper attacks once access is established, threatening the continuity of essential public services and commercial operations.

Technical Context: The installers in this campaign bundle the legitimate ESET AV Remover with the Kalambur backdoor, which communicates over Tor and can drop OpenSSH and enable RDP-based remote control. The activity overlaps with the Sandworm sub-clusters UAC-0212 and UAC-0125, which have a long history of destructive operations in Ukraine. Defenders should treat any unexpected ESET-related installer from a non-official domain as suspect and hunt for Tor client artifacts, RDP configuration changes, and Kalambur-specific indicators.

Strategic Intelligence Guidance

  • Restrict software installation sources by enforcing allowlists for vendor domains and package repositories, blocking access to lookalike domains hosting trojanized ESET installers.
  • Deploy endpoint controls to monitor for new Tor binaries, unauthorized OpenSSH deployments, and sudden enablement of Remote Desktop Protocol on servers and workstations.
  • Integrate Sandworm and Kalambur indicators of compromise into SIEM and threat-hunting workflows, focusing on Ukrainian-facing infrastructure and high-value segments.
  • Coordinate with national CERTs and trusted security vendors to validate installer hashes before deployment and to share telemetry on suspicious ESET-branded campaigns.
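The two controls above, installer-provenance verification and hunting for the post-compromise artifacts this briefing names, can be turned into a small triage script. The following is an added example and not ESET, CERT or CORTEX tooling: the allowlisted hosts, the "known-good" installer bytes and their digest, and the JSON event lines are all constructed here. The Windows event IDs (7045 new service, 4657 registry value modified, 4688 process creation) and the registry value `fDenyTSConnections` (0 = Remote Desktop enabled) are real Windows identifiers, but the JSON field names are an assumed SIEM export shape, not any product's schema.

```python
"""Defender-side helpers matching the guidance above: (1) refuse installers
that do not come from an allowlisted vendor host with a known-good SHA-256,
and (2) hunt SIEM-exported Windows events for the post-compromise artifacts
the briefing names (OpenSSH service install, RDP enablement, Tor client).
Added example, not ESET/CERT tooling; hosts, hashes and events are constructed."""
import hashlib
import json
import re
from urllib.parse import urlparse

# Constructed allowlist of official download hosts. Lookalikes such as
# esetsmart[.]com or esetscanner[.]com are rejected simply by being absent.
TRUSTED_DOWNLOAD_HOSTS = {"www.eset.com", "download.eset.com"}

# Constructed stand-in for a vendor-published installer and its digest. A real
# allowlist comes from the vendor's site or a CERT advisory, never from the
# downloaded bundle itself.
GOOD_INSTALLER = b"constructed-eset-av-remover-bytes"
GOOD_INSTALLER_SHA256 = hashlib.sha256(GOOD_INSTALLER).hexdigest()


def installer_findings(download_url, data, allowed_sha256):
    """Return reasons this installer must not be deployed (empty list = OK)."""
    reasons = []
    host = (urlparse(download_url).hostname or "").lower()
    if host not in TRUSTED_DOWNLOAD_HOSTS:
        reasons.append(f"download host not allowlisted: {host}")
    digest = hashlib.sha256(data).hexdigest()
    if digest not in allowed_sha256:
        reasons.append(f"sha256 not in vendor allowlist: {digest[:16]}...")
    return reasons


# Constructed Windows events, one JSON object per line, in the shape a SIEM
# export might produce (assumed field names). Event IDs: 7045 = new service
# installed, 4657 = registry value modified, 4688 = process created.
SAMPLE_EVENTS = r"""
{"host":"ws01","event_id":7045,"service_name":"sshd","image_path":"C:\\ProgramData\\ssh\\sshd.exe"}
{"host":"ws01","event_id":4657,"object":"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server","value_name":"fDenyTSConnections","new_value":"0"}
{"host":"ws01","event_id":4688,"process":"C:\\Users\\Public\\tor\\tor.exe","parent":"C:\\Users\\Public\\ESETAVRemover.exe"}
{"host":"srv02","event_id":4688,"process":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe"}
"""

TOR_BINARY = re.compile(r"(^|\\)tor\.exe$", re.I)
OPENSSH = re.compile(r"openssh|(^|\\)sshd?\.exe$|^sshd?$", re.I)


def hunt(event_lines):
    """Return (host, rule, detail) tuples for events matching the tradecraft
    the briefing describes. Each rule is narrow on purpose: a match is a lead
    for triage (is this change authorised?), not a verdict."""
    hits = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("event_id")
        if eid == 7045 and (OPENSSH.search(ev.get("service_name", ""))
                            or OPENSSH.search(ev.get("image_path", ""))):
            hits.append((ev["host"], "openssh_service_installed", ev["image_path"]))
        elif (eid == 4657
              and ev.get("value_name", "").lower() == "fdenytsconnections"
              and ev.get("new_value") == "0"):
            # fDenyTSConnections = 0 turns Remote Desktop (TCP 3389) on.
            hits.append((ev["host"], "rdp_enabled", ev["object"]))
        elif eid == 4688 and TOR_BINARY.search(ev.get("process", "")):
            # The parent is kept because a Tor client spawned by an
            # "ESET"-named binary is exactly the bundle pattern described above.
            hits.append((ev["host"], "tor_client_started",
                         f'{ev["process"]} (parent: {ev.get("parent", "?")})'))
    return hits


def demo():
    """Run both checks on the constructed inputs and return the findings."""
    lookalike = installer_findings(
        "https://esetsmart.com/eset_av_remover.exe", b"tampered bundle",
        {GOOD_INSTALLER_SHA256})
    genuine = installer_findings(
        "https://download.eset.com/eset_av_remover.exe", GOOD_INSTALLER,
        {GOOD_INSTALLER_SHA256})
    return {"lookalike": lookalike, "genuine": genuine, "hunt": hunt(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script flags the lookalike download on both counts (host and digest), passes the genuine one, and returns three leads for `ws01` (OpenSSH service, RDP switched on, Tor started by an ESET-named parent) while ignoring the benign `srv02` event. In production the allowlist and digests would be populated from the vendor's official channel and national CERT advisories, as the guidance above recommends, and the hunt rules would run over the SIEM's own event schema rather than the assumed one here.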

CVEs

CVE-2025-8088

Vendors

ESET

Threats

Kalambur backdoor
Sandworm
InedibleOchotense
RomCom

Targets

Ukrainian government
Energy sector
Logistics organizations