The campaign uses social engineering, beginning with a seemingly harmless resume, and ultimately leads to an infection that bypasses standard security measures and targets valuable corporate data.
BlackSanta is a multi-layered attack that exploits the trust HR teams place in external attachments and the urgency with which they process large volumes of applicants. The malware’s attack chain is highly precise, combining social engineering with advanced evasion techniques.
Stage 1 – Initial Access: The attack begins when an HR professional downloads a resume hosted on a familiar cloud platform.
The file appears to be a legitimate ISO file, but once mounted and opened, it triggers a malicious shortcut (LNK). This seemingly harmless file begins executing the attacker’s code without raising suspicion.
Stage 2 – Payload Staging and Execution: The shortcut launches obfuscated PowerShell commands that extract hidden payloads embedded within a steganographic image.
The attacker’s malicious DLL is then sideloaded using a legitimate signed application, enabling the malware to execute under the guise of trusted software.
Stage 3 – Evasion and Environment Validation: The malware performs rigorous checks to ensure it’s not running in a virtualized or sandboxed environment. It looks for specific hostnames, usernames, and debugging tools.
If any of these analysis indicators are detected, the malware aborts its execution. Once the environment is validated, it begins its main attack cycle, injecting additional payloads and clearing security defenses.
BlackSanta – The EDR Killer: The key feature of this campaign is BlackSanta, an internal module designed to turn off security systems. Using the Bring Your Own Vulnerable Driver (BYOVD) technique, BlackSanta loads exploitable kernel drivers, thereby gaining low-level system access.
It then systematically turns off antivirus programs, shuts down endpoint detection and response (EDR) agents, and weakens Microsoft Defender protections.
The malware also suppresses system logging and removes visibility from security consoles, ensuring that exfiltrated data remains undetected.
The success of BlackSanta’s attack relies on targeting the HR workflow, which is often overlooked in cybersecurity defenses compared to IT and finance departments.
HR teams frequently interact with external candidates and download attachments, making them a soft target for cybercriminals.
This campaign demonstrates how multi-stage attacks leveraging social engineering, living-off-the-land techniques, and kernel-level exploitation can bypass traditional defenses.
The attack also highlights the increasing operationalization of BYOVD-based EDR neutralization. This technique allows attackers to turn off security tools at a very low level.
As a result, organizations must rethink their security posture, extending monitoring beyond traditional phishing detection to include driver-level telemetry and behavioral analysis.
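As an added defender-side example (not code from the original post or from the campaign write-up), the following Python rule set runs over constructed Sysmon-style events and flags the three observable stages described above: PowerShell spawned from Explorer with obfuscation flags while working out of a non-system drive such as a mounted ISO, an unsigned DLL loaded from a user-writable folder (the sideloading shape), and a kernel driver loading from a user-writable path (the BYOVD shape). All event data, paths and file names are invented for the demonstration.

```python
import re

# Constructed Sysmon-style events (not real telemetry): id 1 = process create,
# 7 = image load, 6 = driver load. Every path and name here is invented.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\winlogon.exe", "cmd": "explorer.exe", "cwd": r"C:\Users\hr"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA", "cwd": "E:\\"},
    {"id": 7, "image": r"C:\Users\hr\AppData\Local\Temp\signedtool.exe",
     "loaded": r"C:\Users\hr\AppData\Local\Temp\version.dll", "signed": False},
    {"id": 7, "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
    {"id": 6, "driver": r"C:\Users\hr\AppData\Local\Temp\drv.sys", "signed": True},
    {"id": 6, "driver": r"C:\Windows\System32\drivers\tcpip.sys", "signed": True},
]

USER_WRITABLE = re.compile(r"\\Users\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)
SUSPICIOUS_PS = re.compile(
    r"(?:^|\s)-(?:e|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden|-nop\b", re.IGNORECASE)
SYSTEM_DRIVE = re.compile(r"^C:\\", re.IGNORECASE)

def check_event(ev):
    """Return the rule names that fire for one event (empty list if none)."""
    hits = []
    if ev["id"] == 1 and ev["image"].lower().endswith("powershell.exe"):
        # Stage 1/2: PowerShell launched from Explorer (LNK double-click) with
        # obfuscation flags, working out of a non-system drive such as a mounted ISO.
        if (ev["parent"].lower().endswith("explorer.exe")
                and SUSPICIOUS_PS.search(ev["cmd"])
                and not SYSTEM_DRIVE.match(ev.get("cwd", ""))):
            hits.append("lnk_powershell_from_mounted_media")
    elif ev["id"] == 7:
        # Stage 2: sideloading shape - unsigned DLL loaded from a user-writable path.
        if not ev["signed"] and USER_WRITABLE.search(ev["loaded"]):
            hits.append("unsigned_dll_from_user_writable_path")
    elif ev["id"] == 6:
        # BYOVD: the abused driver carries a valid signature, so signature state is
        # not a signal; the anomaly is a kernel driver loading from a user-writable path.
        if USER_WRITABLE.search(ev["driver"]):
            hits.append("driver_loaded_from_user_writable_path")
    return hits

def scan(events):
    """Run every event through check_event and return (rule, path) pairs."""
    alerts = []
    for ev in events:
        for rule in check_event(ev):
            alerts.append((rule, ev.get("driver") or ev.get("loaded") or ev["image"]))
    return alerts

if __name__ == "__main__":
    for rule, path in scan(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

In production these rules belong in the SIEM or EDR rule engine fed by real Sysmon event IDs 1, 6 and 7, with a driver allow-list built from a clean baseline so that legitimate third-party drivers in unusual locations do not page the on-call analyst.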
In conclusion, the BlackSanta malware campaign serves as a reminder that all workflows, even those within HR departments, must be defended with the same rigor as core IT operations.
Organizations should adopt comprehensive threat detection strategies that address the evolving tactics and techniques used by modern threat actors.
The post BlackSanta EDR Killer Malware Targets HR Workflows In Multi-Layered Attack appeared first on Cyber Security News.