A sophisticated year-long malware campaign has been quietly compromising HR departments and job recruiters through weaponized resume files, according to new research from Aryaka. The attack features a previously undocumented EDR killer dubbed “BlackSanta” that systematically disables endpoint security tools before deploying additional malicious payloads.
The Attack Vector: Fake Resume Files
The attack begins when victims receive what appears to be a standard resume file. The malicious payload is delivered via a resume-themed ISO file through recruitment channels, likely distributed through spam emails with links to Dropbox or similar cloud storage services.
“Once mounted, the ISO appeared as a standard local drive, making its contents appear legitimate and encouraging the user to interact with the file,” Aryaka researchers explained.
Inside the ISO is what looks like a PDF but is actually a Windows shortcut (.lnk) file with its real extension hidden. When the user opens it, the shortcut launches the Windows Command Shell, which in turn launches PowerShell to run a malicious script.
Multi-Stage Payload Delivery
The PowerShell script extracts hidden data from an image file and uses it to execute another script in memory. This script downloads a ZIP file from attacker-controlled domains—including “resumebuilders.us” and “thresumebuilder.com”—containing:
- SumatraPDF.exe – A legitimate PDF reader used as a vehicle for DLL sideloading
- DWrite.dll – The malicious DLL that initiates the attack chain
Extensive Anti-Analysis Measures
The malicious DWrite.dll employs extensive evasion techniques, checking for:
- Virtual machines and emulated systems
- Debuggers and analysis tools
- Sandbox environments
Critically, the malware will terminate execution if it detects the target machine is located in Russia or a CIS country—a strong indicator of Russian-speaking threat actors protecting their own region from infection.
“To further reduce defensive visibility, Windows Defender SpyNet policy registry keys are modified to disable cloud protection and automatic sample submission,” the researchers noted.
BlackSanta: A New EDR Killer
The most concerning component is BlackSanta, a previously undocumented EDR killer that loads vulnerable kernel-mode drivers to gain privileged access to the system:
- RogueKiller Antirootkit (v3.1.0)
- IObitUnlocker.sys (v1.2.0.1)
“Rather than functioning as a simple auxiliary payload, BlackSanta acts as a dedicated defense-neutralization module that programmatically identifies and interferes with protection and monitoring processes prior to the deployment of follow-on stages,” the researchers found.
By targeting endpoint security engines alongside telemetry and logging agents, BlackSanta:
- Directly reduces alert generation
- Limits behavioral logging
- Weakens investigative visibility on compromised hosts
Attribution and Scope
The attackers appear to be Russian-speaking based on the geofencing that excludes Russia and CIS countries from targeting. The campaign has been running silently for over a year, suggesting a targeted, low-noise operation.
“We currently lack telemetry to determine how widespread the campaign is,” said Aditya K. Sood, Aryaka’s VP of Security Engineering & AI Strategy. “However, available artifacts indicate that the activity has likely been running silently for over a year, which may suggest a targeted and low-noise operation.”
Recommendations
Organizations with HR and recruitment departments should:
- Implement strict policies against opening ISO files from external sources
- Train HR staff to recognize social engineering attempts disguised as job applications
- Monitor for DLL sideloading activity involving SumatraPDF or similar legitimate applications
- Block the known malicious domains: resumebuilders.us, thresumebuilder.com
- Implement Memory Integrity (HVCI) to prevent vulnerable driver exploitation
- Review kernel driver loading events for suspicious activity
This campaign demonstrates the evolving sophistication of threat actors in neutralizing endpoint defenses through legitimate-looking delivery mechanisms and kernel-level EDR killing capabilities.
Source: Help Net Security
