A sophisticated cyber-espionage campaign has been targeting human resources (HR) departments for more than a year using malware designed to disable endpoint security tools. The operation delivers a previously undocumented endpoint detection and response (EDR) killer known as BlackSanta.
According to a report by network and security provider Aryaka, the attackers, believed to be Russian-speaking, combined social engineering with advanced evasion techniques to infiltrate corporate systems and steal sensitive data.
The campaign appears to begin with spear-phishing emails sent to HR personnel. Victims are allegedly prompted to download ISO image files disguised as job applicant resumes, often hosted on cloud storage platforms such as Dropbox. The ISO file contains several malicious components, including a Windows shortcut file disguised as a PDF document.
When opened, the shortcut launches a PowerShell script that extracts hidden code from an image file using steganography and executes it directly in system memory. The malware then downloads additional files, including a legitimate SumatraPDF executable and a malicious dynamic link library (DLL) named DWrite.dll, which is loaded through a DLL sideloading technique.
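The shortcut-disguised-as-a-PDF stage lends itself to a simple triage check on the attachment before anyone double-clicks it. The following is an added example and is not code from the Aryaka report or from the campaign: a minimal parser for the header and string fields of a Windows Shell Link (.lnk) file, following the MS-SHLLINK layout, plus a handful of heuristics (document-style double extension, script-host target, hidden-window arguments, an icon borrowed from another program, a minimised window). The choice of indicators and the keyword lists are my own, and the sample shortcut is constructed inline with a made-up PowerShell command line rather than taken from the campaign.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List

# On-disk form of the Shell Link CLSID {00021401-0000-0000-C000-000000000046}.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from MS-SHLLINK section 2.1.1.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))

# Heuristic keyword lists chosen for this example (assumptions, not from the report).
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile", "-enc",
                   "-encodedcommand", "iex", "invoke-expression", "bypass", "downloadstring")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


@dataclass
class ShortcutInfo:
    show_command: int
    strings: Dict[str, str] = field(default_factory=dict)


def parse_lnk(data: bytes) -> ShortcutInfo:
    """Read the ShellLinkHeader and StringData of a .lnk file (enough for triage)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = ShortcutInfo(show_command=struct.unpack_from("<I", data, 60)[0])
    pos = 76
    if flags & HAS_ID_LIST:      # LinkTargetIDList: uint16 size, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfo: uint32 total size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:   # each present field: uint16 char count, then chars
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        info.strings[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return info


def assess_shortcut(filename: str, data: bytes) -> List[str]:
    """Return the list of reasons a shortcut looks like a lure; empty means nothing flagged."""
    info = parse_lnk(data)
    reasons = []
    lower_name = filename.lower()
    if lower_name.endswith(".lnk") and lower_name[:-4].endswith(DOCUMENT_EXTS):
        reasons.append("document-style double extension")
    target = (info.strings.get("relative_path", "") + " " + info.strings.get("working_dir", "")).lower()
    targets_script_host = any(h in target for h in SCRIPT_HOSTS)
    if targets_script_host:
        reasons.append("target is a script host")
    args = info.strings.get("arguments", "").lower()
    hits = [t for t in SUSPICIOUS_ARGS if t in args]
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    icon = info.strings.get("icon_location", "").lower()
    if targets_script_host and icon and not any(h in icon for h in SCRIPT_HOSTS):
        reasons.append("icon points at a different program")
    if info.show_command == 7:   # SW_SHOWMINNOACTIVE: console opens minimised, out of sight
        reasons.append("window starts minimised")
    return reasons


def build_lnk(relative_path: str, arguments: str, icon_location: str, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode .lnk with only the string fields set (test fixture)."""
    flags = 0x08 | 0x20 | 0x40 | IS_UNICODE
    header = struct.pack("<I16sIIqqqIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body


# Constructed samples: a lure-style shortcut and a harmless one.
SAMPLE_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    arguments="-nop -w hidden -ep bypass -File launcher.ps1",
    icon_location="%ProgramFiles%\\Adobe\\Acrobat Reader\\AcroRd32.exe",
    show_command=7,
)
BENIGN_LNK = build_lnk("..\\Documents\\report.pdf", "", "", show_command=1)

if __name__ == "__main__":
    print(assess_shortcut("Resume_Jane_Doe.pdf.lnk", SAMPLE_LNK))
    print(assess_shortcut("report.lnk", BENIGN_LNK))
```

The parser deliberately stops after StringData; the ExtraData blocks that follow are not needed for these checks. Real-world triage should also consider that a shortcut can point at a script host through the IDList alone, with no relative path, so a missing target string is itself worth a closer look.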
The malware performs extensive system checks to detect sandboxes, virtual machines, or debugging tools, halting execution if such environments are detected. It also weakens local defenses by modifying Microsoft Defender settings and conducts disk-write tests before retrieving additional payloads from its command-and-control (C2) server.
One of the main payloads is the BlackSanta EDR killer, a module designed to disable endpoint security solutions. It adds Microsoft Defender exclusions for certain file types and alters Windows registry settings to reduce telemetry and automatic sample submissions to Microsoft’s security cloud. BlackSanta can also suppress Windows notifications, minimizing alerts that might otherwise warn users of suspicious activity. The malware can also terminate active security processes.
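Each of the Defender changes described above (new exclusions, reduced cloud reporting, disabled sample submission) is recorded by Defender itself as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which makes a burst of such events a useful detection point. The following is an added example and is not code from the Aryaka report: it parses the "Old value" / "New value" lines of 5007 messages, flags the changes that weaken protection, and measures how many land within a short window. The event text format and registry paths are real Defender settings; the sample records, the rule table and the 60-second window are constructed for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

DEFENDER_ROOT = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
BANNER = "Microsoft Defender Antivirus Configuration has changed.\n"

# Constructed sample records (timestamp, event id, message) in the shape of
# Defender event 5007. Not artifacts from the campaign.
SAMPLE_EVENTS = [
    ("2024-01-10T09:01:12", 5007, BANNER +
     "\tOld value: \n\tNew value: " + DEFENDER_ROOT + "Exclusions\\Extensions\\.iso = 0x0"),
    ("2024-01-10T09:01:13", 5007, BANNER +
     "\tOld value: \n\tNew value: " + DEFENDER_ROOT + "Exclusions\\Extensions\\.dll = 0x0"),
    ("2024-01-10T09:01:14", 5007, BANNER +
     "\tOld value: " + DEFENDER_ROOT + "SpyNet\\SpynetReporting = 0x2\n"
     "\tNew value: " + DEFENDER_ROOT + "SpyNet\\SpynetReporting = 0x0"),
    ("2024-01-10T09:01:14", 5007, BANNER +
     "\tOld value: " + DEFENDER_ROOT + "SpyNet\\SubmitSamplesConsent = 0x1\n"
     "\tNew value: " + DEFENDER_ROOT + "SpyNet\\SubmitSamplesConsent = 0x2"),
    # An administrator removing a stale exclusion: old value set, new value empty.
    ("2024-01-11T14:20:00", 5007, BANNER +
     "\tOld value: " + DEFENDER_ROOT + "Exclusions\\Paths\\C:\\Build = 0x0\n\tNew value: "),
    # A signature-schedule change is also event 5007 but does not weaken protection.
    ("2024-01-11T14:25:00", 5007, BANNER +
     "\tOld value: \n\tNew value: " + DEFENDER_ROOT + "Signature Updates\\ScheduleDay = 0x0"),
]

# Settings whose new data means "protection reduced" (rule names are this example's own).
WEAKENING_VALUES = {
    "spynet\\spynetreporting": ("0x0", "cloud_protection_disabled"),
    "spynet\\submitsamplesconsent": ("0x2", "sample_submission_disabled"),   # 2 = never send
    "real-time protection\\disablerealtimemonitoring": ("0x1", "realtime_protection_disabled"),
    "disableantispyware": ("0x1", "antispyware_disabled"),
}

VALUE_LINE = re.compile(r"^\s*(Old|New) value:\s*(.*?)\s*$")
Entry = Optional[Tuple[str, Optional[str]]]   # (registry path, data) or None when empty


@dataclass
class Finding:
    timestamp: str
    rule: str
    detail: str


def parse_5007(message: str) -> Tuple[Entry, Entry]:
    """Split a 5007 message into its old and new (path, data) pairs."""
    old = new = None
    for line in message.splitlines():
        m = VALUE_LINE.match(line)
        if not m or not m.group(2):
            continue
        path, sep, data = m.group(2).rpartition(" = ")
        entry = (path, data) if sep else (m.group(2), None)
        if m.group(1) == "Old":
            old = entry
        else:
            new = entry
    return old, new


def evaluate(events) -> List[Finding]:
    """Apply the weakening rules to a sequence of (timestamp, event id, message) records."""
    findings = []
    for ts, event_id, message in events:
        if event_id != 5007:
            continue
        _old, new = parse_5007(message)
        if new is None:                 # value deleted: removing an exclusion is not a weakening
            continue
        path, data = new
        if not path.lower().startswith(DEFENDER_ROOT.lower()):
            continue
        rel = path[len(DEFENDER_ROOT):]
        if rel.lower().startswith("exclusions\\"):   # any new exclusion is worth a look
            findings.append(Finding(ts, "exclusion_added", rel))
            continue
        rule = WEAKENING_VALUES.get(rel.lower())
        if rule and data is not None and data.lower() == rule[0]:
            findings.append(Finding(ts, rule[1], f"{rel} = {data}"))
    return findings


def max_findings_in_window(findings: List[Finding], window_seconds: int = 60) -> int:
    """Largest number of findings falling inside any window of the given length."""
    times = sorted(datetime.fromisoformat(f.timestamp) for f in findings)
    best = j = 0
    for i, start in enumerate(times):
        while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
            j += 1
        best = max(best, j - i)
    return best


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f.timestamp, f.rule, f.detail)
    print("max findings in 60 s:", max_findings_in_window(found))
```

A single exclusion added by an administrator is routine; four weakening changes inside two seconds, as in the constructed sample, is the pattern an automated EDR killer produces and is worth alerting on as a group rather than as four separate low-severity events.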
Aryaka researchers also found that the campaign used “bring your own vulnerable driver” (BYOVD) techniques to gain elevated privileges on infected machines. The malware downloaded legitimate drivers, including RogueKiller Antirootkit and IObitUnlocker, that have previously been abused in other malware operations to manipulate kernel memory and bypass file or process locks.
Although researchers identified multiple IP addresses linked to the campaign’s infrastructure, they were unable to retrieve the final payload because the command-and-control (C2) server was offline during analysis. Aryaka also did not disclose which organizations were targeted.