VYPR · breach · Published Mar 11, 2026 · Updated May 18, 2026 · 1 source

BlackSanta EDR-Killer Campaign Targets HR Teams with CV-Themed Phishing

Aryaka Threat Research Lab has uncovered a persistent malware campaign that targets HR and recruiting staff with phishing emails disguised as job applications and deploys the BlackSanta EDR-killer module to disable endpoint defenses on compromised hosts.

A new malware campaign uncovered by Aryaka Threat Research Lab is targeting human resources and recruiting staff with phishing emails that deliver malicious files disguised as job applications. The operation uses a specialized tool called BlackSanta to disable endpoint detection and response (EDR) software once a device has been compromised, which lets the attackers keep persistent access while the host's own security monitoring is blinded.

The campaign spreads primarily through phishing emails containing links to files presented as resumes. When opened, the files trigger a multi-stage infection process that quietly deploys malware on the victim's system. Aryaka's analysis indicates that the group behind the operation is likely Russian-speaking and has operated largely undetected for over a year.

The malicious files used in the campaign imitate legitimate documents such as resumes. Once downloaded and executed, the malware profiles the host before committing to its later stages: it collects operating-system and user details, checks for virtual machines, sandboxes and debugging tools, applies geographic filtering so that it does not run in regions the operators exclude, attempts to disable antivirus and EDR controls, and only then retrieves additional payloads from its infrastructure.

A central element of the campaign is the BlackSanta module itself, which functions as an EDR-killer, attempting to neutralize security software that would otherwise block the later stages. According to Aryaka Threat Research Lab's report, the malware also inspects system language, hostnames and running processes before carrying out further actions. These pre-flight checks serve two purposes at once: they keep the payload away from analysts' machines and from hosts the operators do not want to infect, and they reduce the chance that the full chain is ever observed by defenders.

Aryaka warned that recruitment teams may be particularly vulnerable because their daily tasks involve opening attachments and downloading candidate documents. Attackers exploit this routine behavior to disguise malicious payloads as legitimate applications. "The campaign's ability to exfiltrate sensitive information while maintaining encrypted communications underscores both its persistence and the risk posed to targeted organizations," the researchers wrote.

The multi-stage infection chain, with its sandbox evasion and geographic filtering, is built to abort in analysis environments rather than reveal its later stages, and that discipline is one reason the group has been able to operate largely under the radar for over a year.

Closer monitoring of suspicious downloads and stronger endpoint protection could help organizations catch similar intrusions earlier in the chain. Because BlackSanta targets the EDR agent itself, tamper protection on the agent and alerting on sensors that stop reporting matter as much as the agent's own detections. Organizations with large HR departments should consider additional controls around recruitment workflows, including detonating incoming attachments in a sandbox and using application control to block execution of files that have just arrived from the internet.
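As an added illustration of the download monitoring suggested above, the following Python script is example code written for this page, not anything taken from Aryaka's report or from the malware. It triages constructed download records for the kind of masquerading the campaign relies on: a candidate-style file name carrying an executable or mountable-image extension, a document extension used as a decoy in front of the real one ("resume.pdf.exe"), or a right-to-left override character that makes the displayed name differ from the one the operating system executes. The log format, the keyword list and the extension lists are assumptions chosen for illustration, not published indicators for this campaign.

```python
"""Triage of download telemetry for resume-themed lure files.

Added example, not code from Aryaka Threat Research Lab or from the campaign
report. The log format, the lure keywords and the extension lists are
assumptions made for illustration; they are not indicators published for
BlackSanta.
"""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed sample telemetry: one download record per line, in the shape a
# proxy or EDR file-write event might take. Users, files and times are made up.
# The last record hides ".scr" behind a right-to-left override character.
SAMPLE_LOG = """\
2026-03-11T09:14:02Z user=h.jones dept=HR file="Anna_Klein_CV.pdf"
2026-03-11T09:17:45Z user=h.jones dept=HR file="Resume_J_Smith.pdf.exe"
2026-03-11T09:20:11Z user=r.patel dept=HR file="CV-Developer-2026.iso"
2026-03-11T09:22:30Z user=m.li dept=Finance file="Q1_forecast.xlsx"
2026-03-11T09:25:09Z user=r.patel dept=HR file="Lebenslauf_Mueller.docx"
2026-03-11T09:31:55Z user=h.jones dept=HR file="curriculum_vitae\u202efdp.scr"
"""

RECORD = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) file="(?P<file>[^"]*)"$'
)

# Assumed heuristics: words a recruiter expects in a candidate file name,
# extensions Windows will execute or mount, and document extensions commonly
# used as a decoy inner extension ("resume.pdf.exe").
LURE_WORDS = re.compile(
    r"cv|resume|résumé|curriculum|vitae|lebenslauf|application|candidate", re.I
)
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".iso", ".img",
            ".vhd", ".vhdx"}
DOC_EXT = {".pdf", ".doc", ".docx", ".rtf", ".odt", ".txt"}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: "x\u202efdp.scr" renders as "xrcs.pdf"


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    dept: str
    file: str
    reasons: tuple


def assess(filename: str) -> list:
    """Return the reasons a file name looks like a resume-themed lure ([] if none)."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""
    lure = LURE_WORDS.search(filename) is not None

    if RLO in filename:
        reasons.append("right-to-left override in name")
    if last in EXEC_EXT:
        if lure:
            reasons.append(f"lure keyword with executable extension {last}")
        if len(suffixes) >= 2 and suffixes[-2] in DOC_EXT:
            reasons.append(f"document extension {suffixes[-2]} masking {last}")
    return reasons


def triage(log_text: str) -> list:
    """Parse records and return a Finding for every download that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # malformed or foreign line; a real pipeline would count these
        reasons = assess(m["file"])
        if reasons:
            findings.append(Finding(m["ts"], m["user"], m["dept"], m["file"], tuple(reasons)))
    return findings


def by_user(findings) -> dict:
    """Count findings per user, to surface a recruiter who keeps receiving lures."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        # Escape the name so the override cannot fool the analyst's terminal too.
        shown = f.file.encode("unicode_escape").decode()
        print(f"{f.ts} {f.dept}/{f.user} {shown}: " + "; ".join(f.reasons))
    print("per user:", by_user(hits))
```

The script is a triage filter, not a replacement for detonating the file: a lure that ships as a genuine PDF or DOCX with a malicious link inside passes every heuristic here, which is exactly why the page recommends sandboxing attachments as well. The right-to-left override check is worth keeping separate from the extension logic because the name the recruiter sees in a file dialog is not the name the operating system uses to pick an interpreter.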

Synthesized by Vypr AI