BlackSanta malware campaign targets HR departments with EDR-killing payload 

Researchers at Aryaka have identified a year-long campaign in which attackers send corporate HR departments messages containing links to files disguised as job applications or resumes. The files deliver malware, dubbed BlackSanta, designed to disable security tools before stealing data.

The attack typically starts with victims downloading an ISO file hosted on cloud storage services, which contains seemingly legitimate documents and scripts. When opened, the file executes commands that download additional payloads and deploy the BlackSanta malware. The module functions as an “EDR killer,” disabling antivirus and endpoint detection and response tools at the kernel level, allowing attackers to operate on compromised systems with minimal resistance.

Once security controls are disabled, the malware can perform system reconnaissance, harvest credentials, and exfiltrate sensitive data from the compromised network. Researchers say the campaign specifically targets HR workflows because recruitment staff routinely open files from external applicants and may not scrutinize attachments as closely as security or IT teams, making them a practical entry point into enterprise environments.
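As an added example (not from the article or the Aryaka research), here is a small correlation rule, run over a constructed endpoint event stream, that flags the delivery chain just described: an ISO mounted, a script host launched from the mounted drive, and an outbound connection by that process within ten minutes. The event field names, and the simplification that the script-host process itself makes the download connection, are assumptions.

```python
# Added example: correlation rule for the ISO -> script -> download chain.
# Event schema is assumed; the sample events below are constructed, not real telemetry.
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WINDOW = timedelta(minutes=10)  # max time between ISO mount and outbound connection

def find_iso_script_chains(events):
    """Return (host, iso_path, cmdline, remote) for every chain in which an ISO is
    mounted, a script host is then started with the mounted drive on its command
    line, and that same process opens an outbound connection, all within WINDOW.
    `events` is a time-ordered list of dicts with 'ts', 'host', 'type' and
    type-specific fields (drive/image for iso_mount, pid/image/cmdline for
    process_start, pid/remote for net_connect)."""
    mounts = {}    # (host, drive letter) -> (mount time, ISO path)
    suspects = {}  # (host, pid) -> (launch time, ISO path, cmdline)
    hits = []
    for ev in events:
        t, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["type"] == "iso_mount":
            mounts[(host, ev["drive"].upper())] = (t, ev["image"])
        elif ev["type"] == "process_start":
            exe = ev["image"].lower().rsplit("\\", 1)[-1]
            if exe not in SCRIPT_HOSTS:
                continue  # only script interpreters matter for this stage
            for (mhost, drive), (mt, iso) in mounts.items():
                # script launched from the freshly mounted image, e.g. "E:\Resume.cmd"
                if mhost == host and t - mt <= WINDOW and drive + "\\" in ev["cmdline"].upper():
                    suspects[(host, ev["pid"])] = (t, iso, ev["cmdline"])
        elif ev["type"] == "net_connect":
            key = (host, ev["pid"])
            if key in suspects and t - suspects[key][0] <= WINDOW:
                _, iso, cmdline = suspects.pop(key)
                hits.append((host, iso, cmdline, ev["remote"]))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry; one malicious chain, one benign control
    {"ts": "2025-01-10T09:00:00", "host": "hr-ws01", "type": "iso_mount",
     "drive": "E:", "image": "C:\\Users\\hr\\Downloads\\Resume_J_Doe.iso"},
    {"ts": "2025-01-10T09:00:14", "host": "hr-ws01", "type": "process_start", "pid": 4120,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c E:\\Resume.cmd"},
    {"ts": "2025-01-10T09:00:20", "host": "hr-ws01", "type": "net_connect", "pid": 4120,
     "remote": "203.0.113.10:443"},
    {"ts": "2025-01-10T09:05:00", "host": "fin-ws02", "type": "process_start", "pid": 880,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},  # no ISO involved
    {"ts": "2025-01-10T09:05:03", "host": "fin-ws02", "type": "net_connect", "pid": 880,
     "remote": "10.0.0.5:445"},
]

if __name__ == "__main__":
    for host, iso, cmdline, remote in find_iso_script_chains(SAMPLE_EVENTS):
        print(f"ALERT {host}: {iso} -> {cmdline!r} -> {remote}")
```

Only the HR workstation chain is reported; the scheduled PowerShell job on the finance host has no ISO mount and is ignored.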

Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:

   “HR is a very practical point of entry. This has been a common attack path for a long time, so much so that fake resumes and job applications are taught as phishing lures because they work. HR staff are constantly interacting with unknown external people, opening files, and following up on inbound submissions as part of normal business, which makes them much easier to target than users in IT or finance, who are usually more security conscious and more conditioned to be suspicious.

   “A foothold is a foothold. Attackers do not need to land on the most privileged user first if they can compromise a softer target, establish access, and move laterally from there. HR is attractive because it combines lower resistance with real value. Even if it does not always have the same technical access as IT or the same direct financial access as finance, it often holds a broad set of personal information on both employees and applicants. That data can be stolen, resold, reused in future phishing and social engineering, or leveraged for broader fraud and identity theft.

   “This is not some new or surprising attack path. Most of the tradecraft involved is well known and has become fairly standard across the criminal ecosystem. Using an ISO to get past boundary level detections is a common technique, and the layered execution and EDR tampering here are a good example of how capabilities that once felt more specialized have become easier to obtain and reuse.

   “That broader commercialization matters. Advanced tooling, stolen information, and even direct access are now routinely bought, sold, shared, and reused, which keeps lowering the barrier to entry.”

Rajeev Raghunarayan, Head of GTM, Averlon:

   “The bigger risk isn’t the initial HR compromise. It’s what those compromised credentials or systems can reach. In many environments, HR processes intersect with identity and access workflows, which means an initial foothold can potentially lead to broader access across the organization if permissions and controls are not tightly managed.

   “Many environments still have overly broad permissions that allow attackers to move laterally once they gain a foothold. Organizations need to understand how identities and privileges become part of attack chains, not just focus on the endpoint where the malware first lands.”

Noelle Murata, Sr. Security Engineer, Xcape, Inc.:

   “The BlackSanta campaign utilizes malicious ISO files disguised as job applications to deliver a specialized ‘EDR killer’ payload to corporate targets. This malware operates at the kernel level to systematically disable antivirus and endpoint detection tools, effectively blinding security operations centers before data exfiltration begins.

   “For security professionals, this represents a critical escalation in the arms race between attackers and defensive telemetry. When an adversary can reliably neuter the primary visibility tool of the modern enterprise, the entire incident response playbook is rendered obsolete. While HR departments remain a vulnerable entry point due to their operational need to open external files, the true threat lies in the sophisticated ability of this malware to achieve total silence on the host.

   “Defenders must pivot toward a defense-in-depth strategy that includes robust application control and the enforcement of ‘least privilege’ for kernel-level drivers. Implementing hardware-backed security features and isolated environments for processing untrusted external documents can help mitigate the risk when endpoint agents are compromised.

   “If the EDR can’t see the fire, the whole building burns down before the first alarm sounds.”

This is a scary one: the attack kills the canary in the coal mine, so there are no warnings. That makes it a good time to look at what you can do to make this less of a threat.
