● Dark Reading 📅 10/03/2026 at 14:30

'BlackSanta' EDR Killer Targets HR Workflows

Cybersecurity 👤 Elizabeth Montalbano
A campaign by Russian-speaking cyberattackers hijacks recruitment workflows to deliver security-busting malware, allowing the attackers to steal data without detection.

Elizabeth Montalbano, Contributing Writer
March 10, 2026
3 Min Read
Source: Tatiana Koroleva via Alamy Stock Photo

Russian-speaking threat actors are targeting human resources (HR) workflows with an attack campaign that conceals a malicious tool inside steganographic image files and can disable enterprise endpoint detection and response (EDR) systems. The 'BlackSanta' campaign, which has been operating for about a year, delivers not gifts to those on the receiving end but eponymous malware that disables security protections at the kernel level, according to a report by Aryaka Threat Labs published today and shared with Dark Reading.

This allows attackers to exfiltrate sensitive data from infected systems while maintaining HTTPS communication with their command-and-control (C2) server "with little chance of detection," says Aditya K. Sood, vice president of security engineering and AI strategy at Aryaka. "In easier terms, BlackSanta is a bring-your-own-vulnerable-device (BYOVD)-based EDR killer," he tells Dark Reading of the campaign's final payload.

To reach that payload, the attackers target standard HR workflows, in which hiring teams routinely open résumés and attachments sent by job applicants, "which unintentionally creates an easy entry point for attackers," Sood says.
"Because recruiters often work under time pressure and HR systems may not be as tightly secured as other parts of the organization, recruitment workflows can become an attractive target for cyber threats."

The BlackSanta Multistep Cyberattack Flow

The attack begins with a résumé-themed optical disc image (ISO) file delivered through typical recruitment channels and hosted on trusted cloud infrastructure, so that recruiters assume the file is safe. When a recruiter opens the image, Windows mounts it as a drive and presents a malicious shortcut (LNK) file; running it triggers the next phase without raising immediate suspicion.

The shortcut launches obfuscated PowerShell commands that extract hidden payloads embedded within a steganographic image and sideload a malicious DLL through a legitimate signed application, according to the report. This lets the attacker's code run under the guise of trusted software.

Once the malware executes, it performs extensive validation before proceeding, to make sure it is not running in a controlled analysis environment, Sood wrote in the report. "The checks focus on identifying virtual machines, debuggers, sandbox environments, analysis tools, and low-resource or emulated systems."

Treating Targets as Naughty, Not Nice

Once it is satisfied that the environment is a real victim system, the malicious code deploys its final payload: the EDR killer BlackSanta, which loads legitimate but exploitable signed kernel drivers, the "OVD" of its BYOVD technique, to gain kernel-level access.

Once BlackSanta is active, it starts disabling the protections that systems rely on to detect malware: terminating antivirus (AV) processes, shutting down EDR agents, weakening Microsoft Defender protections, suppressing system logging, and removing visibility from security consoles.

"In effect, it clears the runway before exfiltration," according to the report.
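The chain described above is made of signals that are individually weak: an ISO mount, a PowerShell launch with an encoded command, a signed application loading an unsigned DLL from a user-writable path, a validly signed driver whose hash is on a known-vulnerable list, and the termination of security processes. None is conclusive alone, and the signed driver in particular passes any signature check, so the practical detection is correlating the stages across one process lineage on one host. The Python script below does that over Sysmon-style events; it is an example added to this article, not code from Aryaka Threat Labs or Dark Reading. The event dictionaries, hostnames, file and process names, and the driver hash are constructed for illustration, and the IsoMount event type is a placeholder for whatever mount telemetry a deployment actually has, since Sysmon itself does not record ISO mounts.

```python
"""Correlate the stages of an ISO -> LNK -> obfuscated PowerShell -> DLL sideload ->
BYOVD driver load -> EDR-killing chain across Sysmon-style events.  Added example for
this article, not Aryaka Threat Labs' or Dark Reading's code; every event is constructed."""
import base64
import re
from collections import defaultdict

VULN_DRIVER_SHA256 = {"f" * 64}      # hypothetical hash; real lists: Microsoft's driver blocklist, loldrivers.io
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SECURITY_PROCS = {"msmpeng.exe", "mssense.exe", "sensendr.exe"}  # illustrative AV/EDR image names
ROOT_IMAGES = {"explorer.exe", "services.exe", "svchost.exe"}     # lineage walks stop below these
HOST_SCOPED = {"IsoMount", "DriverLoad", "ProcessTerminate"}      # Sysmon records no actor pid for these
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
OBFUSC_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|\biex\b|invoke-expression|frombase64string", re.I)
EVASION_RE = re.compile(r"wevtutil(\.exe)?\s+cl\b|set-mppreference\s+-disable|auditpol(\.exe)?\s+/clear", re.I)

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None.  PowerShell wraps UTF-16LE
    text in the base64, so decoding it as UTF-8 gives interleaved NULs, not a script."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def stage_of(ev):
    """Map one event to a kill-chain stage label, or None if unremarkable."""
    t, image = ev["type"], ev.get("image", "").lower()
    name, cmdline = image.rsplit("\\", 1)[-1], ev.get("cmdline", "")
    if t == "IsoMount" and re.search(r"\.(iso|img|vhdx?)$", ev["path"], re.I):
        return "iso_mount"
    if t == "ProcessCreate" and name in ("powershell.exe", "pwsh.exe") and (
            decode_encoded_command(cmdline) is not None or OBFUSC_RE.search(cmdline)):
        return "obfuscated_powershell"
    if t == "ProcessCreate" and EVASION_RE.search(cmdline):
        return "defense_evasion"        # log wiping or Defender weakening
    if t == "ImageLoad" and ev["process_signed"] and not ev["image_signed"] \
            and any(marker in image for marker in USER_WRITABLE):
        return "dll_sideload"           # signed host process loading an unsigned DLL from a user-writable path
    if t == "DriverLoad" and (ev["sha256"].lower() in VULN_DRIVER_SHA256
                              or any(marker in image for marker in USER_WRITABLE)):
        return "byovd_driver_load"      # validly signed, so a signature check alone will not catch it
    if t == "ProcessTerminate" and name in SECURITY_PROCS:
        return "security_process_killed"
    return None

def detect(events, min_stages=3):
    """Return lineages (host, first logged non-shell ancestor pid) that show at least
    `min_stages` distinct stages.  Host-scoped stages count toward every lineage on the
    host, because the events behind them cannot be tied to a pid."""
    procs = {}                                    # (host, pid) -> (ppid, image name)
    for ev in events:
        if ev["type"] == "ProcessCreate":
            procs[(ev["host"], ev["pid"])] = (ev["ppid"], ev["image"].lower().rsplit("\\", 1)[-1])

    def root(host, pid):
        while (host, pid) in procs:
            ppid = procs[(host, pid)][0]
            if ppid == pid or (host, ppid) not in procs or procs[(host, ppid)][1] in ROOT_IMAGES:
                break
            pid = ppid
        return pid

    host_stages, lineage_stages = defaultdict(set), defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage is None:
            continue
        if ev["type"] in HOST_SCOPED:
            host_stages[ev["host"]].add(stage)
        else:
            lineage_stages[(ev["host"], root(ev["host"], ev["pid"]))].add(stage)
    findings = []
    for (host, rpid), stages in sorted(lineage_stages.items()):
        combined = stages | host_stages[host]
        if len(combined) >= min_stages:
            findings.append({"host": host, "root_pid": rpid, "stages": sorted(combined)})
    return findings

def E(host, kind, **fields):          # constructed-event helper
    return {"host": host, "type": kind, **fields}

# Constructed sample: the article's chain on HR-WS-07, plus a benign encoded PowerShell
# launch on FIN-WS-02 that must stay below the reporting threshold.
STEGO_SCRIPT = ("$b=[IO.File]::ReadAllBytes('D:\\team.png');"
                "[IO.File]::WriteAllBytes($env:TEMP+'\\Viewer\\version.dll',$b[4096..($b.Length-1)])")
ENC = base64.b64encode(STEGO_SCRIPT.encode("utf-16-le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
TEMP = "C:\\Users\\hr.user\\AppData\\Local\\Temp\\Viewer\\"
SAMPLE_EVENTS = [
    E("HR-WS-07", "IsoMount", path="C:\\Users\\hr.user\\Downloads\\Resume_J_Doe.iso"),
    E("HR-WS-07", "ProcessCreate", pid=4100, ppid=1200, image=PS, cmdline="powershell.exe -nop -w hidden -enc " + ENC),
    E("HR-WS-07", "ProcessCreate", pid=4200, ppid=4100, image=TEMP + "vendor_viewer.exe", cmdline="vendor_viewer.exe"),
    E("HR-WS-07", "ImageLoad", pid=4200, image=TEMP + "version.dll", process_signed=True, image_signed=False),
    E("HR-WS-07", "DriverLoad", image=TEMP + "helper.sys", signed=True, sha256="f" * 64),
    E("HR-WS-07", "ProcessTerminate", pid=3120, image="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"),
    E("HR-WS-07", "ProcessCreate", pid=4300, ppid=4200, image="C:\\Windows\\System32\\wevtutil.exe", cmdline="wevtutil cl Security"),
    E("FIN-WS-02", "ProcessCreate", pid=9000, ppid=1200, image=PS,
      cmdline="powershell.exe -enc " + base64.b64encode("Get-Date".encode("utf-16-le")).decode()),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}: lineage rooted at pid {f['root_pid']} -> {', '.join(f['stages'])}")
```

Two design points are worth keeping when adapting this to real telemetry. Driver loads and process terminations are merged into every lineage on the host because Sysmon's DriverLoad and ProcessTerminate records do not name the acting process, so they can only raise the score of whatever lineage is already suspicious. The lineage walk stops below explorer.exe and the service hosts so that everything a user launched during the day does not collapse into a single tree and trip the threshold by accident; tune min_stages, the string lists and the hash source to the environment before relying on it.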
"As the BlackSanta malware uses signed drivers, detection becomes significantly more difficult," the report adds.

Once the tool has cleared the way, the attackers establish a foothold on the system through what Sood called an operation featuring "disciplined intrusion engineering." From there, they can exfiltrate sensitive data to their C2 infrastructure without interference from security protections.

"This operation reflects a mature adversary capable of blending social engineering, living-off-the-land techniques, steganography, and kernel-level abuse to achieve stealthy persistence and credential theft," Sood wrote.

HR Systems Need Better Security

HR systems are an often overlooked part of security strategies, as recruitment pipelines are "often perceived as routine operations," Sood wrote in the report. However, they are rapidly becoming high-value attack surfaces and should be treated as such going forward, he said.

The campaign illustrates how attackers target operational business workflows, particularly HR pipelines, to bypass perimeter defenses and escalate privileges. Sood advised security teams to apply to HR environments the same monitoring, attachment controls, and endpoint hardening that are typically reserved for higher-value systems.

"Organizations should treat HR workflows with the same defensive rigor as finance and IT administrative functions," Sood tells Dark Reading. "Strengthening endpoint protections on HR systems, monitoring unusual activity, and increasing security awareness among recruiting teams can significantly reduce the likelihood that such attacks succeed."

About the Author

Elizabeth Montalbano, Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture.
Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.