BlackSanta EDR killer targets HR teams through fake resume files
A newly documented malware campaign has spent more than a year targeting HR and recruitment staff with resume-themed lures and a kernel-level EDR killer called BlackSanta. Aryaka Threat Labs says the operation uses stealthy, multi-stage malware to weaken defenses, avoid sandboxes, and prepare infected systems for follow-on payloads and data theft.
The campaign appears to abuse a weak spot many companies overlook. Recruiters open CVs, portfolios, and application files all day, which makes resume-themed phishing more believable than a random invoice or password reset. Aryaka says the attackers used ISO files disguised as resumes, often hosted on cloud services, to start the infection chain.
What makes this case stand out is BlackSanta itself. Aryaka describes it as a BYOVD-based EDR killer, meaning it relies on legitimate but vulnerable signed drivers to gain low-level access and then shut down security tools from the kernel. That gives attackers a better chance of running later-stage malware without alerts, blocks, or user-facing warnings getting in the way.
What happened
| Item | Details |
|---|---|
| Main target | HR and recruitment personnel |
| Initial lure | Resume-themed ISO files |
| Delivery method | Likely spear-phishing with cloud-hosted downloads |
| Notable payload | BlackSanta EDR killer |
| Core technique | BYOVD, DLL sideloading, steganography, and process hollowing |
| Campaign length | Likely active for over a year |
Source: Aryaka Threat Labs and reporting based on Aryaka’s findings.
How the attack works
Aryaka says one analyzed ISO contained four files: a Windows shortcut disguised as a PDF, a PowerShell script, an image, and an icon file. When the victim opens the fake PDF, the shortcut launches PowerShell and runs the script from the mounted ISO. The script then extracts hidden data from the image and executes more code in memory.
From there, the malware downloads a ZIP archive that includes a legitimate SumatraPDF executable and a malicious DWrite.dll file. That combination enables DLL sideloading, a common technique where a trusted program loads an attacker-controlled library. Aryaka also says the malware fingerprints the device, checks for sandboxes and debuggers, weakens Windows Defender settings, and later runs extra payloads through process hollowing inside legitimate processes.
This chain looks carefully built for stealth. The attackers do not rely on one noisy executable. They layer social engineering, PowerShell, steganography, sideloading, in-memory execution, and kernel abuse so each stage helps the next one stay hidden. Aryaka says the actor also used encrypted HTTPS communications and additional infrastructure tied to the same campaign.

Why BlackSanta matters
BlackSanta is the most dangerous part of the operation because it tries to blind security tools before the final stage arrives. Aryaka says it adds Microsoft Defender exclusions for .dll and .sys files, changes Registry values tied to telemetry and sample submission, suppresses notifications, and kills security products by matching running processes against a hardcoded list of AV, EDR, SIEM, and forensic tools.
Aryaka also linked the campaign to the use of RogueKiller Antirootkit and IObitUnlocker drivers, which have appeared in earlier malware operations. In this case, the drivers help unlock protected processes and bypass normal restrictions, giving the malware the kernel-level leverage it needs to terminate defenses.
Microsoft’s own documentation helps explain why that is serious. The company says tamper protection exists specifically to stop security settings from being disabled or changed during attacks, and it warns that changing exclusions can affect real-time protection and monitoring. In other words, the BlackSanta playbook goes after the exact controls defenders depend on to keep malware visible.

Signs defenders should watch for
- Resume-themed ISO downloads from email or cloud storage links.
- LNK files masquerading as PDFs inside mounted ISO images.
- PowerShell launching from a mounted image immediately after a user opens a supposed resume.
- Suspicious loading of DWrite.dll alongside a legitimate SumatraPDF executable.
- Unexpected Defender exclusions or reduced telemetry settings.
- Loading of known vulnerable signed drivers tied to process termination or unlocking.
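The indicators above, and the Defender tampering and driver abuse described in the previous section, map cleanly onto a handful of endpoint telemetry events. The following is an added example, not Aryaka's tooling or anything from the report: it evaluates Sysmon-style events (constructed here as plain dicts, using the field names of Sysmon's ProcessCreate, ImageLoad, DriverLoad and RegistryEvent records) against those signs. The set of mounted-image drive letters, the driver file names for the two products named in the article, and the sample events are all assumptions made for the example.

```python
"""Detection logic for the observable signs of the BlackSanta chain.

Added example: events are constructed dicts in Sysmon field style, not
real telemetry; the mounted-drive set would come from image-mount events
in a real deployment.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator

# File names of the drivers for the two products the article names
# (RogueKiller Antirootkit and IObit Unlocker). These names are an
# assumption; in production load a curated vulnerable-driver list.
KNOWN_VULNERABLE_DRIVERS = {"truffos.sys", "iobitunlocker.sys"}

# Registry locations whose modification weakens Defender exclusions or
# telemetry / sample submission (matched as lower-cased substrings).
DEFENDER_WEAKENING_PATHS = (
    "\\microsoft\\windows defender\\exclusions\\",
    "\\microsoft\\windows defender\\spynet\\spynetreporting",
    "\\microsoft\\windows defender\\spynet\\submitsamplesconsent",
    "\\microsoft\\windows defender\\real-time protection\\disablerealtimemonitoring",
)

# The genuine DWrite.dll lives under these system directories.
TRUSTED_DWRITE_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _drive(token: str) -> str:
    """Drive prefix such as 'E:' or '' when the token is not a drive path."""
    return token[:2].upper() if len(token) >= 2 and token[1] == ":" else ""


def check_event(event: dict, mounted_drives: set[str]) -> Iterator[Alert]:
    """Yield one Alert per indicator the event matches."""
    etype = event.get("EventType")
    image = event.get("Image", "")
    if etype == "ProcessCreate" and _basename(image) in {"powershell.exe", "pwsh.exe"}:
        # PowerShell started by the shell (a user double-clicking the fake PDF
        # shortcut) with a script or argument that lives on a mounted image.
        tokens = [t.strip('"') for t in event.get("CommandLine", "").split()]
        on_image = [t for t in tokens if _drive(t) in mounted_drives]
        if on_image and _basename(event.get("ParentImage", "")) == "explorer.exe":
            yield Alert("powershell_from_mounted_image", " ".join(on_image))
    elif etype == "ImageLoad":
        loaded = event.get("ImageLoaded", "")
        # SumatraPDF pulling DWrite.dll from anywhere but the system directory.
        if (_basename(loaded) == "dwrite.dll"
                and _basename(image) == "sumatrapdf.exe"
                and not any(d in loaded.lower() for d in TRUSTED_DWRITE_DIRS)):
            yield Alert("dwrite_sideload", loaded)
    elif etype == "DriverLoad":
        loaded = event.get("ImageLoaded", "")
        if _basename(loaded) in KNOWN_VULNERABLE_DRIVERS:
            yield Alert("vulnerable_driver_load", loaded)
    elif etype == "RegistryEvent":
        target = event.get("TargetObject", "")
        if any(p in target.lower() for p in DEFENDER_WEAKENING_PATHS):
            yield Alert("defender_weakening", target)


def scan(events: Iterable[dict], mounted_drives: set[str]) -> list[Alert]:
    """Run every event through check_event and collect the alerts in order."""
    return [a for e in events for a in check_event(e, mounted_drives)]


# Constructed sample telemetry: drive E: is the mounted ISO in this scenario.
MOUNTED_IMAGE_DRIVES = {"E:"}
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -File E:\\resume.ps1"},
    {"EventType": "ImageLoad", "Image": "C:\\Users\\hr\\AppData\\Local\\Temp\\SumatraPDF.exe",
     "ImageLoaded": "C:\\Users\\hr\\AppData\\Local\\Temp\\DWrite.dll"},
    {"EventType": "ImageLoad", "Image": "C:\\Program Files\\SumatraPDF\\SumatraPDF.exe",
     "ImageLoaded": "C:\\Windows\\System32\\DWrite.dll"},  # benign load
    {"EventType": "RegistryEvent", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.sys"},
    {"EventType": "RegistryEvent", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent"},
    {"EventType": "DriverLoad", "ImageLoaded": "C:\\Windows\\Temp\\IObitUnlocker.sys"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},  # benign
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, MOUNTED_IMAGE_DRIVES):
        print(f"[{alert.rule}] {alert.detail}")
```

Each rule is deliberately narrow so it can be tuned independently: the DWrite.dll rule ignores loads from the system directory, and the PowerShell rule requires both a shell parent and a mounted-image path, which keeps scheduled scripts on fixed disks out of the alert stream.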

What companies should do now
| Priority | Action |
|---|---|
| High | Treat HR and recruiting workflows as a high-risk phishing surface |
| High | Block or tightly control ISO, LNK, and script-based content from external applicants |
| High | Monitor for suspicious driver loads and Defender exclusion changes |
| Medium | Restrict PowerShell abuse and review process hollowing detections |
| Medium | Train recruiting staff to verify cloud-hosted resume downloads before opening them |
This guidance follows directly from Aryaka’s infection chain and Microsoft’s documentation on tamper protection, exclusions, and sample submission controls.
FAQ
BlackSanta is a malware component Aryaka describes as an EDR killer that uses a Bring Your Own Vulnerable Driver approach to disable or weaken endpoint protections at the kernel level.
Aryaka says the campaign focused on HR departments and recruitment teams, using fake resume files as bait.
Researchers suspect spear-phishing emails lead victims to cloud-hosted ISO files disguised as resumes. The ISO then launches a staged infection chain using a fake PDF shortcut, PowerShell, and hidden payloads.
This campaign combines social engineering with steganography, DLL sideloading, anti-analysis checks, process hollowing, and a kernel-level EDR killer. That makes it harder to spot and harder to stop once it lands.
No. Aryaka said it could not retrieve the final payload in the observed case because the command-and-control server was unavailable during the investigation.