InedibleOchotense ESET-impersonation phishing campaign with trojanized installers
Campaign
Summary
Hide ▲
Show ▼
A Russia-aligned campaign by InedibleOchotense sent ESET-branded spear-phishing lures to multiple Ukrainian entities, creating a malware-delivery risk. The operation used email and Signal messages to push links to a trojanized ESET installer. It exploited ESET's brand reputation and the company's widespread use in Ukraine to increase the chance of successful installs.
Related Happenings
ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance
Technical Analysis
H score34
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...
ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance
Technical AnalysisAbout this happening: **ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityAbout this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
Webworm expanded European government and South Africa university espionage campaign
Campaign
H score24
First: 20.05.2026 14:30
Last: 20.05.2026 14:30
Sources 1
About this happening:
Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
Webworm expanded European government and South Africa university espionage campaign
CampaignAbout this happening: Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
Dragon Boss Solutions LLC adware malicious update
Malware Activity
H score26
First: 16.04.2026 22:07
Last: 16.04.2026 22:07
Sources 1
About this happening:
A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...
Dragon Boss Solutions LLC adware malicious update
Malware ActivityAbout this happening: A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...
RomCom SocGholish delivery chain for Mythic Agent
Malware Activity
H score24
First: 26.11.2025 10:28
Last: 26.11.2025 10:28
Sources 1
About this happening:
The **RomCom** malware family was newly observed being delivered through **SocGholish/FakeUpdates**, adding a fresh infection path that can push multiple payloads and increase pos...
RomCom SocGholish delivery chain for Mythic Agent
Malware ActivityAbout this happening: The **RomCom** malware family was newly observed being delivered through **SocGholish/FakeUpdates**, adding a fresh infection path that can push multiple payloads and increase pos...
Timeline
-
06.11.2025 17:31 2 articles · 8mo ago
InedibleOchotense ESET-impersonation phishing campaign with trojanized installers
Initial DisclosureIn **May 2025**, InedibleOchotense began sending **ESET impersonation** lures by **email** and **Signal** to Ukrainian entities. The initial lure pointed to a **trojanized installer** intended to trigger malware execution and follow-on access.
Show sources
- Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
- Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31