
BlackSanta Malware Is Silently Targeting HR Departments


Hiring managers open files from strangers every single day. That routine habit is exactly what a Russian-speaking threat actor has been exploiting for more than a year. Cybersecurity researchers at Aryaka recently uncovered the BlackSanta malware campaign: a sophisticated operation that disables endpoint security tools at the kernel level before the victim notices anything wrong.

The campaign ran largely undetected from early 2025 into 2026. Researchers could not retrieve the final payload because the command-and-control server was offline during their investigation.

Why HR Departments Make the Perfect Target

Unlike most phishing campaigns that cast a wide net, BlackSanta malware targets human resources and recruitment professionals specifically. The choice is deliberate. HR staff regularly download documents from unfamiliar senders. They process large volumes of applicants under time pressure. They also handle sensitive data including employee records, payroll details, and personally identifiable information. Yet most organizations apply far less security scrutiny to HR environments than to IT or finance.

Aryaka researchers believe the attack starts with a spear-phishing email linking to an ISO image file on Dropbox. The file looks like a legitimate resume hosted on a familiar platform. Nothing appears suspicious to someone whose daily job involves opening files from people they have never met.

Inside the BlackSanta Infection Chain

Once the victim mounts and opens the ISO, a multi-stage attack begins. The image contains four files: a Windows shortcut (.LNK) disguised as a PDF, a PowerShell script, a PNG image, and an ICO file.

The shortcut launches PowerShell, which runs the script. The script reads the PNG, recovers code hidden in the least significant bits of its pixel data (LSB steganography), and executes that payload directly in memory, so no second-stage executable is written to disk. The PNG itself still opens as an ordinary image.

Next, the malware checks for sandbox environments, virtual machines, and debugging tools. If it detects analysis, it stops running. On a genuine machine, it sends a system fingerprint to a command-and-control server over HTTPS, downloads additional payloads, and injects them into legitimate Windows processes through process hollowing.
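The hiding step in the chain above, as an added example in Python (not the campaign's loader and not Aryaka's tooling): a payload is written into the least significant bit of each colour channel of an RGB pixel buffer and then read back. The 4-byte length prefix, the noise "image" built with a seeded generator, and the harmless payload string are all assumptions of this example; the page does not describe the real loader's framing. A real PNG would be decoded to the same kind of buffer first (for instance with Pillow's `Image.open(path).convert("RGB").tobytes()`).

```python
"""LSB steganography round trip on a constructed RGB pixel buffer (added example)."""
import random
import struct


def embed_lsb(cover: bytes, payload: bytes) -> bytearray:
    """Return a copy of `cover` whose channel LSBs carry len(payload) (4 bytes, big-endian) + payload.

    Each channel byte changes by at most 1, which is why the carrier still looks like a normal image.
    """
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, need {len(framed)}")
    stego = bytearray(cover)
    pos = 0
    for byte in framed:
        for shift in range(7, -1, -1):          # most significant bit first
            stego[pos] = (stego[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return stego


def _read_bytes(carrier: bytes, first_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from consecutive channel LSBs starting at bit index `first_bit`."""
    out = bytearray()
    for k in range(count):
        value = 0
        for b in range(8):
            value = (value << 1) | (carrier[first_bit + k * 8 + b] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(carrier: bytes) -> bytes:
    """Inverse of embed_lsb.

    Raises ValueError when the length prefix cannot fit: an innocent image decodes to a random
    32-bit length, which is almost always larger than the buffer.
    """
    (length,) = struct.unpack(">I", _read_bytes(carrier, 0, 4))
    if 32 + length * 8 > len(carrier):
        raise ValueError(f"declared payload of {length} bytes does not fit in carrier")
    return _read_bytes(carrier, 32, length)


def max_channel_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-byte change the embedding introduced (expected 0 or 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(width: int, height: int, seed: int = 7) -> bytes:
    """Constructed noise 'image': width*height RGB pixels, deterministic for the test."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(width * height * 3))


# Constructed, harmless stand-in for the hidden stage; the real loader's content is not on the page.
PAYLOAD = b"Write-Host 'stego demo, not the BlackSanta stage'"
COVER = make_cover(64, 64)       # 12288 channel bytes: room for 1536 bytes of framed payload
STEGO = embed_lsb(COVER, PAYLOAD)

if __name__ == "__main__":
    print("recovered:", extract_lsb(STEGO))
    print("max channel delta:", max_channel_delta(COVER, STEGO))
```

The defender's lesson is in `max_channel_delta`: the carrier differs from a clean image by at most one unit per channel, so file-type checks, image viewers and most content filters see a valid, unremarkable PNG. What is anomalous is the behaviour that follows, a PowerShell process reading a PNG and then executing code from memory, not the picture.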

How BlackSanta Kills Endpoint Security

The most alarming component of this campaign is BlackSanta itself. Security researchers classify it as an EDR killer: a tool that neutralizes endpoint detection and response software before deploying the final payload. It achieves this through a technique called BYOVD, or Bring Your Own Vulnerable Driver.

Rather than attacking security tools directly, BlackSanta loads two legitimate but vulnerable signed drivers: RogueKiller Antirootkit (v3.1.0) from Adlice Software, and IObitUnlocker.sys (v1.2.0.1) from IObit. Both drivers carry valid code-signing signatures, so Windows loads them and most security tools raise no objection. BlackSanta then drives them from user mode to act with kernel privileges and proceeds to:

  • Scan running processes against a hardcoded list of antivirus and EDR executables
  • Terminate any matches at the kernel level, bypassing standard OS protections
  • Add Microsoft Defender exclusions for specific file types
  • Reduce telemetry and automatic sample submission to Microsoft’s security cloud
  • Suppress Windows notifications so the user receives no alerts during the attack

The result is a machine where security tools are off, logs are thin, and the attacker operates without resistance.

What the Attackers Take

With defenses neutralized, the BlackSanta malware collects data freely. It targets cryptocurrency artifacts such as wallet files, browser-stored keys, and exchange credentials. It also gathers system information, user account details, and host configurations, then exfiltrates everything through encrypted channels.

Aryaka could not identify the specific organizations hit or the final payload delivered. By tracing connected infrastructure, however, researchers confirmed the operation ran unnoticed for well over a year. The threat actor maintained strong operational security throughout, leaving very little behind for investigators to work with.

What Organizations Should Do

The BlackSanta malware campaign exposes a systemic gap in enterprise security: HR workflows rarely receive the same defensive attention as IT or finance. Security researcher John Bambenek noted that attacks on HR departments have grown steadily, with some campaigns redirecting payroll deposits to attacker-controlled accounts. Mika Aalto, CEO at Hoxhunt, added that training staff on the exact attacks they face is one of the most effective defenses available.

On the technical side, organizations should restrict ISO mounting for employees who have no legitimate need to open disk images. Keeping Microsoft's Vulnerable Driver Blocklist enabled and current (it is enforced through memory integrity, also called HVCI, or a WDAC policy) directly counters BYOVD, since both drivers abused here are validly signed and would otherwise load. Monitoring for unexpected termination of EDR processes, and for Defender exclusion or telemetry changes, also provides an early warning: BlackSanta's core activity is itself detectable if that telemetry leaves the host before the agent is killed.
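A detection pass over the behaviours listed under "How BlackSanta Kills Endpoint Security" and the monitoring advice just above, as an added example in Python (not Aryaka's detection content): it triages constructed Windows telemetry shaped like Sysmon Event ID 6 (driver loaded), Sysmon Event ID 5 (process terminated) and Defender Operational Event ID 5007 (configuration changed), then reports hosts where a vulnerable driver load preceded a security-process kill alongside Defender weakening. Only IObitUnlocker.sys comes from the page; the EDR process names, registry paths, host names and every sample event are assumptions of this example.

```python
"""Triage constructed Windows telemetry for the BlackSanta sequence (added example, not Aryaka's tooling):
signed-but-vulnerable driver load -> Defender exclusion / telemetry changes -> security process termination.
Event shapes mimic Sysmon (ID 6 DriverLoad, ID 5 ProcessTerminate) and the
Microsoft-Windows-Windows Defender/Operational log (ID 5007, configuration changed)."""
from dataclasses import dataclass

# Only IObitUnlocker.sys is named on the page. In production, seed this from Microsoft's Vulnerable
# Driver Blocklist and prefer the hashes it lists over names (assumption: a name match is enough here).
VULNERABLE_DRIVERS = {"iobitunlocker.sys"}

# Processes whose termination is suspicious. Assumed subset: Defender's engine and the Defender for
# Endpoint sensor; extend with your EDR vendor's process names.
EDR_PROCESSES = {"msmpeng.exe", "mssense.exe"}

# Registry paths that appear in Event 5007 messages when exclusions are added or cloud telemetry is reduced.
DEFENDER_WEAKENING_PATHS = (
    r"\exclusions\extensions",
    r"\exclusions\paths",
    r"\exclusions\processes",
    r"\spynet\submitsamplesconsent",
    r"\spynet\spynetreporting",
)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    ts: int
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Emit one Alert per event that matches a stage of the chain; input order is preserved."""
    alerts = []
    for ev in events:
        src, eid, host, ts = ev["source"], ev["event_id"], ev["host"], ev["ts"]
        if src == "sysmon" and eid == 6:
            name = _basename(ev["image_loaded"])
            if name in VULNERABLE_DRIVERS:
                # The signature is valid by design (that is the point of BYOVD), so never gate on it.
                alerts.append(Alert("byovd_driver_load", host, ts,
                                    f"{name} loaded, signature={ev.get('signature_status')}"))
        elif src == "defender" and eid == 5007:
            msg = ev["message"].lower()
            if any(p in msg for p in DEFENDER_WEAKENING_PATHS):
                alerts.append(Alert("defender_config_weakened", host, ts, ev["message"]))
        elif src == "sysmon" and eid == 5:
            name = _basename(ev["image"])
            if name in EDR_PROCESSES:
                alerts.append(Alert("edr_process_terminated", host, ts, name))
    return alerts


def kill_chain_hosts(alerts):
    """Hosts where a vulnerable driver load preceded an EDR kill and Defender was also weakened."""
    per_host = {}
    for a in alerts:
        per_host.setdefault(a.host, {}).setdefault(a.rule, []).append(a.ts)
    hits = set()
    for host, rules in per_host.items():
        loads = rules.get("byovd_driver_load", [])
        kills = rules.get("edr_process_terminated", [])
        weakened = "defender_config_weakened" in rules
        if loads and kills and weakened and min(loads) < max(kills):
            hits.add(host)
    return hits


# Constructed sample telemetry: one HR workstation showing the full chain, one IT host with benign noise.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 6, "ts": 1000, "host": "HR-WS01",
     "image_loaded": r"C:\Users\recruiter\AppData\Local\Temp\IObitUnlocker.sys", "signature_status": "Valid"},
    {"source": "defender", "event_id": 5007, "ts": 1001, "host": "HR-WS01",
     "message": r"Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.exe = 0x0"},
    {"source": "defender", "event_id": 5007, "ts": 1002, "host": "HR-WS01",
     "message": r"Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = 0x2"},
    {"source": "sysmon", "event_id": 5, "ts": 1003, "host": "HR-WS01",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0-constructed\MsMpEng.exe"},
    {"source": "sysmon", "event_id": 6, "ts": 2000, "host": "IT-WS07",
     "image_loaded": r"C:\Windows\System32\drivers\ndis.sys", "signature_status": "Valid"},
    {"source": "sysmon", "event_id": 5, "ts": 2001, "host": "IT-WS07",
     "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a.host, a.rule, a.detail)
    print("kill chain on:", kill_chain_hosts(triage(SAMPLE_EVENTS)))
```

Two design points matter in practice. First, the driver-load rule fires on the file name alone and deliberately ignores the signature, because the drivers this campaign abuses are validly signed; hash matching against the blocklist is the stronger form. Second, the ordering check in `kill_chain_hosts` only works if the events reached the SIEM before the agent was terminated, which is the reason to forward Sysmon and Defender logs continuously rather than rely on the EDR's own channel.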

Final Thoughts

The BlackSanta malware campaign ran for over a year because it targeted people, not systems. Threat actors chose HR departments precisely because opening unknown files is part of the job. A campaign combining steganography, kernel-level driver abuse, and encrypted exfiltration is deliberate and well-resourced. Organizations that treat recruitment workflows as a low-risk area are leaving a door open that sophisticated attackers already know how to walk through.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.