BlackSanta EDR Killer Targets HR Departments in Stealthy Malware Campaign
A sophisticated cyber campaign is using resume-themed lures and stealth techniques to deploy the BlackSanta EDR killer and silently disable endpoint security tools.

Cybersecurity researchers have uncovered a sophisticated malware campaign targeting human resources (HR) departments, deploying a new endpoint detection and response (EDR) killer known as BlackSanta. The campaign has reportedly operated quietly for more than a year, combining social engineering, stealthy delivery mechanisms, and advanced evasion techniques to compromise systems and extract sensitive data.
HR Departments Become a Strategic Target
Attackers increasingly target HR teams because they regularly receive external files such as resumes, portfolios, and job applications. This trust creates an ideal opportunity for threat actors to deliver malicious attachments disguised as legitimate documents.
In this campaign, victims likely receive spear-phishing emails that encourage them to download ISO image files hosted on cloud storage platforms such as Dropbox. These files appear to contain resumes or job-related documents, making them less suspicious to HR professionals who frequently review candidate submissions.
Once downloaded, the ISO file contains multiple components designed to initiate the infection chain.
Multi-Stage Infection Chain
Researchers discovered that the malicious ISO archive typically includes four files:
- A Windows shortcut (.LNK) disguised as a PDF resume
- A PowerShell script
- An image file
- An icon file (.ICO)
When the victim opens the disguised shortcut, it triggers PowerShell execution. The script then extracts hidden data embedded inside the image file using steganography, allowing malicious code to run directly in system memory.
This approach helps attackers evade traditional detection mechanisms because the payload never appears as a visible executable file.
DLL Sideloading and System Reconnaissance
After initial execution, the malware downloads a ZIP archive containing:
- A legitimate SumatraPDF executable
- A malicious DWrite.dll
The attackers exploit a technique known as DLL sideloading, allowing the legitimate application to load the malicious DLL automatically.
Meanwhile, the malware performs extensive system fingerprinting, collecting details about the compromised environment and sending them to a command-and-control (C2) server.
Before proceeding further, the malware checks whether it is running inside:
- Sandboxes
- Virtual machines
- Debugging environments
If it detects a security analysis environment, the malware halts execution to avoid detection.
BlackSanta EDR Killer Silences Security Tools
One of the most critical components delivered in this campaign is BlackSanta, a specialized tool designed to disable endpoint protection systems.
BlackSanta weakens system defenses by modifying Microsoft Defender settings and adding exclusions for file types such as .dls and .sys. Additionally, it reduces telemetry reporting and automatic malware sample submission to Microsoft security services.
The tool also suppresses Windows security notifications, reducing the chance that users will notice suspicious activity.
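Each of the Defender changes described above is recorded by Windows as a Defender event ID 5007 (configuration changed), whose message contains a "New value: <registry path> = <value>" line. The parser below is an added example, not code from the researchers or from the campaign; it classifies constructed 5007 messages and flags new extension exclusions, cloud reporting (SpynetReporting) turned off, automatic sample submission (SubmitSamplesConsent) set to never send, and notification suppression. The messages are modelled on the real event format but are invented for this illustration.

```python
import re

def evt(old, new):
    """Build a constructed Defender 5007-style message for the samples below."""
    return ("Windows Defender Antivirus Configuration has changed.\n"
            f"\tOld value: {old}\n\tNew value: {new}")

DEF = r"HKLM\SOFTWARE\Microsoft\Windows Defender"
# Constructed sample events (not real logs).
SAMPLE_5007_EVENTS = [
    evt("", DEF + r"\Exclusions\Extensions\.sys = 0x0"),
    evt("", DEF + r"\Exclusions\Extensions\.dls = 0x0"),
    evt(DEF + r"\Spynet\SpynetReporting = 0x2", DEF + r"\Spynet\SpynetReporting = 0x0"),
    evt(DEF + r"\Spynet\SubmitSamplesConsent = 0x1", DEF + r"\Spynet\SubmitSamplesConsent = 0x2"),
    evt("", DEF + r"\UX Configuration\Notification_Suppress = 0x1"),
    evt(DEF + r"\Scan\ScanParameters = 0x1", DEF + r"\Scan\ScanParameters = 0x2"),  # benign
]

NEW_VALUE_RE = re.compile(r"New value:\s*(?P<key>[^=\n]+?)\s*=\s*(?P<val>\S+)")


def parse_new_value(message):
    """Return (registry key, raw value) from the 'New value' line, or None."""
    m = NEW_VALUE_RE.search(message)
    return (m.group("key").strip(), m.group("val")) if m else None


def classify(message):
    """Describe why a 5007 change weakens Defender, or None if it looks benign."""
    parsed = parse_new_value(message)
    if parsed is None:
        return None
    key, val = parsed
    k = key.lower()
    v = int(val, 16) if val.lower().startswith("0x") else None
    if "\\exclusions\\extensions\\" in k:
        return f"extension exclusion added: {key.rsplit(chr(92), 1)[-1]}"
    if k.endswith("\\spynet\\spynetreporting") and v == 0:
        return "cloud-delivered protection reporting disabled"
    if k.endswith("\\spynet\\submitsamplesconsent") and v == 2:
        return "automatic sample submission set to never send"
    if k.endswith("\\ux configuration\\notification_suppress") and v == 1:
        return "Defender notifications suppressed"
    return None


def find_tampering(messages):
    """Collect the reasons for every message that indicates tampering."""
    return [r for r in map(classify, messages) if r]
```

A burst of several of these within a short window on one host, especially a new .sys exclusion, is the signal worth alerting on rather than any single change.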
However, its most powerful capability lies in its ability to terminate security software processes. BlackSanta performs this by:
- Enumerating running processes
- Comparing process names against a large internal list of antivirus and EDR tools
- Identifying matching process IDs
- Using kernel-level drivers to terminate those processes
By disabling security solutions at the kernel level, attackers gain a much higher chance of maintaining persistence within the system.
Abuse of Legitimate Drivers for Privilege Escalation
The malware also deploys Bring Your Own Driver (BYOD) techniques to gain deeper system access.
Researchers observed the use of drivers associated with legitimate security tools, including components related to RogueKiller Antirootkit and IObitUnlocker.
These drivers allow the malware to:
- Manipulate kernel hooks
- Access system memory
- Bypass file and process locks
- Disable defensive mechanisms
This low-level access significantly increases the attacker's ability to remain undetected while deploying additional payloads.
A Long-Running and Carefully Operated Campaign
Investigators identified several IP addresses connected to the campaign infrastructure, suggesting that the operation has been active for more than a year.
Despite extensive analysis, researchers were unable to retrieve the final payload because the command-and-control server was unavailable at the time of investigation. However, the infection chain indicates that attackers likely use the compromised systems for data theft or long-term espionage.
The threat actor behind the campaign demonstrates strong operational security, using layered techniques that combine social engineering, stealth delivery methods, and kernel-level process manipulation.
What Organizations Should Watch For
This campaign highlights how attackers increasingly target business functions outside traditional IT roles, especially departments that regularly receive external documents.
Organizations should therefore strengthen defenses by:
- Implementing strict email attachment scanning
- Monitoring suspicious PowerShell activity
- Restricting execution from ISO and archive files
- Deploying behavioral endpoint detection capabilities
- Monitoring driver loading and kernel-level operations
Additionally, employee awareness training can help HR teams recognize suspicious job application files and phishing attempts.
As threat actors continue refining EDR-bypass techniques, organizations must adopt a defense-in-depth strategy that combines security technology, monitoring, and user awareness.