Kalambur is a Windows backdoor associated with Russia-aligned intrusion activity targeting Ukraine. It has been linked to campaigns attributed to InedibleOchotense and to broader activity connected with UAC-0145, a subcluster of Sandworm. The malware has been delivered through social-engineering operations that impersonate trusted security software, most notably trojanized ESET installers distributed via phishing emails and Signal messages. In these campaigns, victims are persuaded to install what appears to be legitimate antivirus tooling, while the installer deploys both authentic software and the Kalambur backdoor. Earlier related operations also used trojanized software installers obtained through torrent-based distribution.
Kalambur forms part of a malware ecosystem that has included other tools such as Sumbur and Tambur. Its role in operations has been to provide unauthorized remote access to compromised Windows systems and support follow-on intrusion activity. Access obtained through infections involving trojanized installers has been used for persistence and lateral movement inside victim organizations, and in at least one case enabled conditions for a subsequent destructive attack against Ukrainian government infrastructure. The campaigns have primarily targeted Ukrainian entities, including military-related and governmental environments, and relied on sustained social engineering rather than direct exploitation for initial compromise.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Як правило, реалізація зловмисного задуму здійснювалася із застосуванням вже відомих програмних засобів KALAMBUR, SUMBUR, TAMBUR
Як правило, реалізація зловмисного задуму здійснювалася із застосуванням вже відомих програмних засобів KALAMBUR, SUMBUR, TAMBUR
Як правило, реалізація зловмисного задуму здійснювалася із застосуванням вже відомих програмних засобів KALAMBUR, SUMBUR, TAMBUR
The campaign used emails and Signal messages to deliver trojanized ESET installers that installed both legitimate software and the Kalambur backdoor.
14 distinct techniques documented for this family, organized by ATT&CK tactic.
...одним з основних способів отримання первинного доступ був вектор "пасивної" компрометації, що полягав у завантаженні користувачем з торент-трекерів інсталяторів програмних продуктів ... які містили вбудований бекдор.
"host and deliver malware from trojanized code projects"; "Trojanized ESET Installers Drop Kalambur Backdoor"
...набули поширення випадки розповсюдження програмних засобів реалізації кіберзагроз у месенджері Signal під виглядом необхідності встановлення "антивірусного захисту".
Another Russia-aligned threat actor, InedibleOchotense, conducted a spearphishing campaign impersonating ESET. This campaign involved emails and Signal messages delivering a trojanized ESET installer... The Russia-aligned group sent phishing emails and Signal messages containing links to trojanized ESET installers hosted on fake domains.
Because the attack chain primarily abuses legitimate Windows tools — including scheduled tasks, SSH, PowerShell, and RDP — standard antivirus solutions often fail to raise alerts.
One of the world’s most dangerous state-backed hacking groups is actively targeting Remote Desktop Protocol (RDP) servers across critical infrastructure, defense organizations, and government agencies... these tasks run with full administrator-level privileges and use a hardcoded password (1qaz@WSX) to maintain constant, uninterrupted access to the RDP service on the infected host.
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named malware/tool used by the UAC-0145 cluster in prior intrusion activity.
A backdoor delivered via trojanized fake ESET installers in phishing attacks against Ukrainian entities.
Backdoor delivered via trojanized installer to provide unauthorized access/persistence.
Backdoor malware delivered via trojanized installers, used for persistent access and espionage.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.