Aryaka Threat Labs has unmasked a sophisticated malware operation dubbed BlackSanta. This Russian-speaking threat actor has spent over a year operating in the shadows, specifically targeting the gatekeepers of modern enterprises: HR and recruitment personnel. By exploiting the high volume of documents handled by these departments, the attackers have turned the standard resume into a dangerous Trojan horse.
The campaign relies on classic social engineering with a modern, high-tech twist. Potential victims receive emails containing links to download files that appear to be legitimate resumes.
According to the report:
“One observed sample, ‘Celine_Pesant.iso’, used a resume-style filename resembling a real person’s name, suggesting targeted attacks against HR and recruitment personnel”.
Once a curious recruiter mounts this ISO file, they are presented with what looks like a PDF. In reality, it is a malicious Windows shortcut (.LNK) that triggers a complex, multi-stage infection chain.
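As an added illustration (not code from the Aryaka report or the BlackSanta samples): a small Python triage script that parses the Shell Link header of a .lnk file pulled from a mounted ISO and flags the lure traits described above, namely a document-style double extension, a target that is a script interpreter, and an icon borrowed from another program. The file names, paths and arguments in the samples are constructed for the test and are not BlackSanta indicators.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK ShellLinkHeader CLSID
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80        # LinkFlags bits used below
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10), ("arguments", 0x20), ("icon_location", 0x40))
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID: raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:    # skip LinkTargetIDList (2-byte size prefix, not counted in the size)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo (4-byte size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FIELDS:  # StringData: CountCharacters then chars, always in this order
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields

def triage_lnk(filename: str, data: bytes) -> list:
    """Flag lure traits: document-style name, interpreter target, icon borrowed from another program."""
    f = parse_lnk(data)
    stem = filename.lower().removesuffix(".lnk")
    target = f.get("relative_path", "").lower()
    findings = []
    if any(stem.endswith(ext) for ext in (".pdf", ".doc", ".docx", ".rtf")):
        findings.append("document-style double extension")
    if any(i in target + " " + f.get("arguments", "").lower() for i in INTERPRETERS):
        findings.append("launches a script interpreter")
    icon = f.get("icon_location", "").lower()
    if icon and icon.rsplit("\\", 1)[-1] != target.rsplit("\\", 1)[-1]:
        findings.append("icon borrowed from a different program")
    return findings

def build_lnk(rel_path: str, args: str, icon: str) -> bytes:
    """Construct a minimal Unicode .lnk for testing (real lures usually also carry an IDList)."""
    flags = 0x08 | 0x20 | 0x40 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args, icon))
    return header + body

# Constructed samples modelled on the lure described above; not real BlackSanta artefacts.
LURE = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-w hidden -File stage2.ps1", r"C:\Program Files\Adobe\Acrobat\Acrobat.exe")
BENIGN = build_lnk(r"..\..\Windows\notepad.exe", "notes.txt", "")
```

Running `triage_lnk("Candidate_Resume.pdf.lnk", LURE)` returns all three findings, while the benign shortcut returns none; a real hunt would walk every .lnk inside the ISO and escalate anything with a non-empty list.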

What sets this campaign apart is its titular module: the BlackSanta EDR-Killer. Most malware tries to hide from security software; BlackSanta is designed to hunt it down and neutralize it.
The module is a “specialized EDR-killer module designed to neutralize antivirus and EDR protections before additional malicious payloads are deployed”. Using “Bring Your Own Vulnerable Driver” (BYOVD) techniques, the malware loads vulnerable but legitimately signed kernel-mode drivers—such as the RogueKiller Antirootkit Driver—to gain low-level system access.
Once embedded, BlackSanta “enumerates active defensive software and systematically suppresses system visibility controls,” ensuring that subsequent data-stealing payloads can operate in total silence.
The sophistication of the “BlackSanta” actor is evident in its defense evasion tactics:
- Steganography: The malware hides its secondary PowerShell loader within a seemingly harmless image file (image1.png) using least significant bit (LSB) steganography.
- Environmental Awareness: The payload conducts extensive checks to identify if it is running in a virtual machine, a sandbox, or a debugger.
- Geographic Filtering: The code specifically looks for Russian or CIS environments (using the ru-RU locale) and terminates immediately if found, likely to avoid legal scrutiny in the actor’s home region.
- Runtime Decryption: To baffle forensic analysts, “operational data is dynamically decrypted at runtime,” so configuration and strings are not visible to static analysis, making static detection nearly impossible.
While the primary objective appears to be the exfiltration of sensitive information, analysis of past infections suggests a particular interest in financial assets. One module delivered via the campaign was found to be a “stealer targeting cryptocurrency wallet artifacts on victims’ machines”.
By effectively blinding endpoint security (EDR) tooling and then quietly siphoning data, the BlackSanta campaign represents a high-level threat to corporate infrastructure.