BlackSanta EDR Killer: Sophisticated Malware Campaign Targets HR Departments Through Steganography and BYOVD Tactics

Introduction: A Silent Campaign Hiding in Everyday Hiring Processes

Cybercriminals are constantly searching for new ways to infiltrate corporate networks, and one of the most effective entry points continues to be human trust. In a recently uncovered campaign, threat actors believed to be Russian-speaking have spent more than a year targeting human resources departments with carefully crafted malware attacks. By disguising malicious files as job applications and resumes, the attackers managed to exploit the everyday workflows of HR teams.

What makes this campaign particularly dangerous is not only the social engineering involved but also the sophisticated technical infrastructure behind it. The attackers deploy a powerful tool called BlackSanta, an Endpoint Detection and Response (EDR) killer designed to disable security software before additional malware payloads are deployed.

Researchers from the security firm Aryaka analyzed the operation and discovered a complex infection chain that combines spear-phishing, stealth techniques, driver abuse, and advanced evasion strategies. The campaign highlights how modern cyber threats are evolving to bypass traditional security defenses while quietly harvesting sensitive corporate information.

The Campaign’s Entry Point: Spear-Phishing Targeting HR Teams

The attack appears to begin with highly targeted spear-phishing emails sent to HR departments. These messages likely mimic job applications, encouraging recipients to download files that appear to be legitimate resumes.

According to researchers, victims are directed to download ISO image files hosted on cloud storage platforms like Dropbox. Because an ISO is a disk-image container that holds multiple embedded files, some traditional email filters and scanning mechanisms do not unpack and inspect its contents, allowing the image to pass through unchecked.

Once downloaded and opened, the ISO file reveals several components designed to launch the malware without raising suspicion.

Inside the Malicious ISO File

One analyzed ISO archive contained four main files:

• A Windows shortcut (.LNK) disguised as a PDF resume

• A PowerShell script

• An image file containing hidden data

• An ICO icon file

The attack begins when the user clicks the disguised shortcut file. Instead of opening a document, the shortcut launches PowerShell and executes the embedded script.

This script relies on a particularly stealthy technique known as steganography.

Steganography Used to Hide Malware Payloads

Steganography allows attackers to conceal malicious code inside seemingly harmless files. In this campaign, hidden data was embedded inside an image file.

The PowerShell script extracts the concealed data from the image and executes it directly in system memory. By running the payload in memory instead of writing it to disk, the attackers significantly reduce the chance of detection by traditional antivirus software.

This technique allows the malware to remain invisible while initiating the next stage of the infection process.

DLL Sideloading With Legitimate Software

After extracting the hidden payload, the malware downloads a ZIP archive containing two components:

• A legitimate SumatraPDF executable

• A malicious dynamic library file named DWrite.dll

Because Windows consults the application's own directory first when a program asks for a DLL by name, attackers place a malicious DLL carrying the expected name next to the legitimate executable. When the program runs, it unknowingly loads that library in place of the genuine one.

This technique is known as DLL sideloading, and it allows malware to execute while appearing to be part of a trusted application.
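To make the mechanism concrete, the following added example (written for this page, not part of the report or of SumatraPDF) models the default Windows DLL search order and shows why a DWrite.dll dropped beside the executable wins over the real one in System32, while KnownDLLs such as kernel32.dll cannot be hijacked this way. The directory contents are constructed, the search-order list assumes SafeDllSearchMode is enabled (the default), and the model ignores manifests, absolute-path loads and SetDefaultDllDirectories.

```python
from typing import Dict, List, Optional, Set

# Default DLL search order on a modern Windows client with SafeDllSearchMode
# enabled: the directory the executable was loaded from is consulted first.
SEARCH_ORDER = ["app_dir", "system32", "system", "windows", "cwd", "path"]

# KnownDLLs are always mapped from the System32 section regardless of the
# search path, so they cannot be sideloaded. Illustrative subset only.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll",
              "advapi32.dll", "ole32.dll", "shell32.dll"}

Dirs = Dict[str, Set[str]]   # search location -> file names present there


def _files(dirs: Dirs, loc: str) -> Set[str]:
    return {f.lower() for f in dirs.get(loc, set())}


def resolve_dll(name: str, dirs: Dirs) -> Optional[str]:
    """Return the location a plain LoadLibrary("name") resolves to, or None."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return "system32"
    for loc in SEARCH_ORDER:
        if name in _files(dirs, loc):
            return loc
    return None


def sideload_candidates(dirs: Dirs) -> List[str]:
    """DLLs in the application directory that shadow a same-named System32 DLL.

    Such a file will be loaded instead of the system copy, which is the
    sideloading condition a defender wants to flag on disk.
    """
    app, sys32 = _files(dirs, "app_dir"), _files(dirs, "system32")
    return sorted(f for f in app & sys32
                  if f.endswith(".dll") and f not in KNOWN_DLLS)


# Constructed scenario mirroring the report: legitimate viewer plus a planted DLL.
PLANTED = {
    "app_dir": {"SumatraPDF.exe", "DWrite.dll"},
    "system32": {"dwrite.dll", "kernel32.dll", "user32.dll"},
}
CLEAN = {
    "app_dir": {"SumatraPDF.exe"},
    "system32": {"dwrite.dll", "kernel32.dll", "user32.dll"},
}

if __name__ == "__main__":
    for label, dirs in (("planted", PLANTED), ("clean", CLEAN)):
        print(label, "DWrite.dll ->", resolve_dll("DWrite.dll", dirs),
              "| candidates:", sideload_candidates(dirs))
```

On a real endpoint the same condition shows up as a Sysmon image-load event where a DLL with a System32 name is loaded from a user-writable path, which is the telemetry-side check that complements this on-disk one.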

System Fingerprinting and Environment Checks

Before proceeding further, the malware conducts detailed reconnaissance of the compromised system.

It gathers fingerprinting information such as:

• Operating system details

• Hardware characteristics

• Running processes

• Security software

This data is then transmitted to the attacker’s command-and-control server.

The malware also performs extensive environment checks to determine whether it is running inside:

• Virtual machines

• Sandboxes

• Debugging environments

If any analysis tools are detected, the malware stops executing to avoid exposure.

Weakening Windows Defender Protections

Once the environment appears safe, the malware begins weakening the system’s defenses.

It modifies Microsoft Defender settings to reduce protection levels and performs disk write tests to confirm it has sufficient privileges to continue.

After these steps, the attackers download additional payloads from the command server. These payloads are executed using process hollowing, a technique that injects malicious code into legitimate processes to hide its activity.

BlackSanta: The EDR Killer at the Center of the Campaign

One of the most critical components delivered in this campaign is the BlackSanta EDR killer.

This tool is specifically designed to disable endpoint security solutions before the main malware payload is executed.

BlackSanta works by adding exclusions within Microsoft Defender for certain file types such as .dls and .sys, ensuring that malicious components are ignored by security scans.

It also modifies registry settings to reduce telemetry reporting and disable automatic malware sample submission to Microsoft’s security cloud infrastructure.

Silencing Alerts and Terminating Security Tools

Another key capability of BlackSanta is its ability to suppress system notifications. By disabling alert pop-ups, the malware prevents users from noticing suspicious behavior on their systems.

Its primary function, however, is terminating security processes.

BlackSanta achieves this by:

• Enumerating all running processes

• Comparing them against a hardcoded list of antivirus, EDR, SIEM, and forensic tools

• Identifying matching process IDs

• Using kernel-level drivers to unlock and terminate those processes

By attacking security software at the kernel level, the malware can bypass protections that normally prevent applications from killing protected processes.

Abuse of Legitimate Drivers to Gain Privileges

Researchers also discovered that the attackers leveraged Bring Your Own Vulnerable Driver (BYOVD) techniques.

The malware downloaded legitimate drivers such as:

• RogueKiller Antirootkit driver (truesight.sys) from Adlice Software

• IObit Unlocker driver (IObitUnlocker.sys) from IObit

Although these drivers are legitimate, attackers exploit them to gain elevated privileges on infected systems.

The RogueKiller driver allows manipulation of kernel hooks and system memory monitoring, while the IObitUnlocker driver enables the malware to bypass file and process locks.

Together, these components provide attackers with deep access to system memory and process management.
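Several of the behaviours described above (the shortcut launching a hidden PowerShell script from the mounted image, the Defender exclusion and telemetry registry changes, the notification suppression, and the loading of truesight.sys and IObitUnlocker.sys) leave distinct traces in endpoint telemetry. The following added example, written for this page and not taken from Aryaka's analysis, runs three detection rules over a handful of constructed Sysmon-style events. The event fields and command line are assumptions modelled on Sysmon's process-create, driver-load and registry-event records; the driver names come from the report, while a production rule would match vulnerable drivers by file hash since names are trivially changed.

```python
import ntpath
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Driver file names named in the report (hash-based matching is preferred in practice).
ABUSED_DRIVER_NAMES = {"truesight.sys", "iobitunlocker.sys"}

# Registry paths (assumed, commonly abused) holding Defender exclusions,
# cloud reporting / sample submission, and Security Center notification settings.
DEFENDER_KEYS = (
    "\\microsoft\\windows defender\\exclusions\\",
    "\\microsoft\\windows defender\\spynet\\",
    "\\microsoft\\windows defender security center\\notifications\\",
)

HIDDEN_FLAGS = ("-w hidden", "-windowstyle hidden", "-ep bypass", "-executionpolicy bypass")
DRIVE_RE = re.compile(r"\b([a-z]):\\", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_powershell_from_shortcut(ev: Event) -> bool:
    """Explorer (a double-clicked shortcut) spawning hidden PowerShell against a script on a non-system drive."""
    if ev.get("EventID") != "1" or _base(ev.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
        return False
    if _base(ev.get("ParentImage", "")) != "explorer.exe":
        return False
    cmd = ev.get("CommandLine", "")
    hidden = any(flag in cmd.lower() for flag in HIDDEN_FLAGS)
    foreign_drive = any(d.upper() != "C" for d in DRIVE_RE.findall(cmd))
    return hidden and foreign_drive


def rule_defender_tamper(ev: Event) -> bool:
    """Registry value set under Defender exclusion, reporting or notification keys."""
    target = ev.get("TargetObject", "").lower()
    return ev.get("EventID") == "13" and any(k in target for k in DEFENDER_KEYS)


def rule_vulnerable_driver_load(ev: Event) -> bool:
    """Driver load whose file name matches a known-abused driver."""
    return ev.get("EventID") == "6" and _base(ev.get("ImageLoaded", "")) in ABUSED_DRIVER_NAMES


RULES = {
    "powershell_from_shortcut": rule_powershell_from_shortcut,
    "defender_tamper": rule_defender_tamper,
    "vulnerable_driver_load": rule_vulnerable_driver_load,
}


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, RecordId) pairs for every event that trips a rule."""
    return [(name, ev["RecordId"]) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry; paths and values are test data, not campaign IoCs.
SAMPLE_EVENTS: List[Event] = [
    {"RecordId": "1", "EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -file E:\resume.ps1"},
    {"RecordId": "2", "EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -file C:\Scripts\backup.ps1"},
    {"RecordId": "3", "EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.sys"},
    {"RecordId": "4", "EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent"},
    {"RecordId": "5", "EventID": "6", "ImageLoaded": r"C:\Users\Public\truesight.sys"},
    {"RecordId": "6", "EventID": "6", "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"RecordId": "7", "EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for rule, record in detect(SAMPLE_EVENTS):
        print(f"{rule:26s} record {record}")
```

Each rule on its own is noisy in some environments; the value is in correlating them on one host within a short window, since the sequence hidden PowerShell, Defender tampering, then a vulnerable driver load is the chain described above and has few benign explanations.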

A Long-Running Operation Hidden for Over a Year

Despite the complexity of the campaign, researchers were unable to determine the final malware payload because the command-and-control server was offline during analysis.

However, by tracking related infrastructure and IP addresses, analysts discovered that the campaign had been operating quietly for more than a year.

The threat actor appears to maintain strong operational security and uses carefully crafted infection chains designed to evade detection for long periods.

What Undercode Says:

A Perfect Example of Social Engineering Meeting Advanced Malware

This campaign demonstrates how modern cyberattacks combine psychological manipulation with sophisticated technical execution. Human resources teams are ideal targets because they regularly open documents from unknown senders. Attackers understand that resumes and job applications rarely trigger suspicion.

The use of ISO files is another strategic choice. ISO images are often trusted because they are commonly used for legitimate software distribution. Many security systems treat them as archives rather than executable threats.

Steganography Is Becoming a Preferred Malware Delivery Method

The use of steganography to hide malicious payloads inside image files reflects a growing trend in advanced malware operations.

Traditional antivirus solutions typically scan executable files and scripts. Image files are rarely treated as suspicious, allowing attackers to hide code in plain sight.

This technique dramatically reduces detection rates and gives attackers a stealth advantage during the early stages of infection.

The Rise of EDR Killers

Tools like BlackSanta represent an alarming shift in malware strategy.

Instead of simply avoiding detection, modern malware increasingly focuses on actively disabling security tools. By terminating EDR and antivirus processes, attackers create a security vacuum inside compromised systems.

Once defenses are neutralized, attackers can deploy ransomware, data-stealing malware, or persistent backdoors with minimal resistance.

BYOVD Attacks Are Rapidly Increasing

The campaign’s use of legitimate drivers to gain kernel-level access is another example of the rising Bring Your Own Vulnerable Driver technique.

Because the drivers are digitally signed and legitimate, many security solutions allow them to load without scrutiny.

Attackers exploit this trust to gain powerful system privileges and disable protective mechanisms.

HR Departments Remain One of the Weakest Entry Points

This incident also reinforces a long-standing cybersecurity reality: employees remain one of the most vulnerable components of any organization’s security posture.

Departments that frequently interact with external contacts, such as HR, finance, and procurement, are particularly susceptible to spear-phishing campaigns.

Organizations must implement strict policies for handling external files and ensure that suspicious attachments are scanned in isolated environments.

Security Infrastructure Must Adapt to These Evolving Threats

Defending against campaigns like this requires more than traditional antivirus tools.

Organizations must implement advanced threat detection technologies, behavioral monitoring, and strict driver loading policies.

Endpoint protection systems should also monitor for suspicious actions such as process hollowing, kernel driver loading, and unexpected PowerShell execution.

Without these protections, sophisticated malware like BlackSanta can easily bypass traditional defenses.

Fact Checker Results

✅ Security researchers confirmed the malware campaign and its components, including the BlackSanta EDR killer.
✅ The attack chain involving ISO files, steganography, DLL sideloading, and BYOVD drivers is technically consistent with known advanced malware tactics.
❌ The final payload delivered by the attackers could not be identified because the command-and-control server was offline during investigation.

Prediction

🔮 EDR-killing malware will likely become a standard feature in advanced cyberattack toolkits over the next few years.

🔮 Attackers will increasingly abuse legitimate drivers and signed software components to bypass operating system protections.

🔮 HR departments and other externally facing business units will remain prime targets for spear-phishing malware campaigns unless stronger isolation and verification mechanisms are implemented.

References:

Reported By: www.bleepingcomputer.com