A new campaign has been uncovered that specifically targets human‑resource (HR) departments across a wide range of organizations, using a sophisticated malware bundle dubbed BlackSanta. The threat actor – identified as Russian‑speaking but otherwise anonymous – has been operating quietly for over a year, delivering the EDR killer through spear‑phishing emails that appear to be legitimate resumes.
How the attack begins
The phishing emails link recipients to cloud‑hosted ISO files masquerading as résumé PDFs. When downloaded, the ISO contains four seemingly innocuous files:
- A Windows shortcut (
.LNK) disguised as a PDF - A PowerShell script
- An image file with hidden data (steganography)
- An icon (
.ICO)
The shortcut launches PowerShell and runs the script. The script extracts steganographically encoded data from the image, then loads it into memory. It also downloads a ZIP archive containing both the legitimate SumatraPDF executable and a malicious DLL (DWrite.dll) that is sideloaded using a DLL hijacking technique.
System fingerprinting and environment checks
Once executed, the malware performs extensive system fingerprinting, sending the collected data to its command‑and‑control (C2) server. It then checks for sandboxing, virtual machines, or debugging tools; if any are detected, it aborts execution to avoid detection. The script also modifies Windows Defender settings, disables disk write tests, and pulls additional payloads from the C2.
BlackSanta – the EDR killer
The core of the attack is an executable called BlackSanta, which acts as a powerful endpoint‑detection‑removal (EDR) killer. It works by:
- Adding Microsoft Defender exclusions for
.dll and .sys files - Modifying registry values to reduce telemetry and auto‑sample submission
- Suppressing Windows notifications to keep users unaware
Internally, BlackSanta enumerates running processes, matches them against a hard‑coded list of antivirus, EDR, SIEM, and forensic tools, then uses loaded kernel drivers to terminate those processes at the kernel level. This effectively silences any active security software on the host.
Additional stealth components
The attackers also deploy driver-based components such as RogueKiller (from Adlice Software) and IObitUnlocker.sys (from IObit). These drivers allow the malware to manipulate kernel hooks, monitor memory, and bypass file/process locks—granting it elevated privileges and further stealth.
Operational security
Aryaka’s research indicates that the threat actor maintains strong operational security. The campaign uses context‑aware infection chains, keeping components like BlackSanta hidden until they reach a suitable target. Multiple IP addresses associated with the same campaign have been identified, confirming that the operation has run unnoticed for at least a year.
Takeaway
Organizations, especially those in HR departments, should:
- Scrutinize any unsolicited attachments or links claiming to be resumes
- Keep endpoint security solutions updated and not disable them inadvertently
- Monitor for unusual changes in Windows Defender settings or registry values
Stay vigilant against this evolving threat that blends social engineering with advanced evasion techniques.
