BlackSanta Malware Shuts Down Protections, Targets HR and Recruiting Operations
Russian threat actors have targeted HR employees and recruiters for more than a year with a sophisticated campaign that includes seemingly legitimate files disguised as resumes and a new malware component that can disable endpoint detection and response (EDR) and antivirus protections.
The attackers are taking advantage of the large number of external interactions such workers have with job seekers and the expansive volume of email they open every day, using social engineering to convince them to click on links that lead to files that appear to contain resumes but actually kick off a multi-stage infection chain, according to Aryaka threat researchers.
The malware can quietly compromise a victim’s system, making it even more difficult to detect.
“The malware performs extensive system reconnaissance, collecting information about the operating system, user accounts, and host configuration,” the researchers wrote in a report this week. “It conducts environment checks to detect virtual machines, sandboxes, debuggers, and restricted geographic regions, avoiding execution in monitored or controlled environments.”
There also are multiple evasion techniques tied to a component the researchers dubbed “BlackSanta.” The so-called “specialized EDR-killer” suppresses antivirus and EDR protection before other malicious payloads are deployed.
Execution Without Detection
This allows the malware components that come after to execute without being detected and gives the threat actor control of the victims’ systems. While it’s exfiltrating information from the compromised system, it’s continuing to maintain HTTPS communication with its command-and-control (C2) server.
The operational data is encrypted at runtime and decrypted only when needed, making it harder for static detection and forensic analysis tools to identify, they wrote.
“The resilient infrastructure and runtime decryption mechanisms highlight the threat actor’s sophistication and operational security,” the researchers wrote. “This campaign has remained largely unnoticed for over a year, demonstrating the threat actor’s capability to conduct targeted, persistent operations. Its combination of social engineering, advanced evasion techniques, endpoint security neutralization, and data theft underscores the high level of sophistication and persistence.”
HR Under the Gun
The sensitive data HR and recruiting departments handle makes them attractive targets for bad actors. Lab 1, which provides an AI-powered data intelligence platform, last year found that in a study of more than 141 million individual file records from 1,297 ransomware and data breach incidents, HR data – such as payroll and resumes – was found in almost 82% of breaches.
In addition, recruitment data, such as the names, addresses, and contact information found in resumes and cover letters, appeared in 58% of the data breach incidents.
“HR teams manage some of the most sensitive data in any organization, including employee personal information, payroll details, tax records, and benefits data,” KnowBe4 researchers wrote last year. “This makes HR a high-value target for cybercriminals and a critical area of cybersecurity risk that organizations often underestimate.”
An Air of Legitimacy
Aryaka researchers wrote that they were unsure how the bad actors gained initial access in the BlackSanta campaign, adding that it was likely distributed via spear-phishing emails containing links that sent recipients to download ISO files from Dropbox or other cloud storage services.
“While the ISO itself was delivered via cloud storage, it contained malware that downloaded additional payloads from attacker-controlled domains such as resumebuilders.us, reinforcing the resume-themed social engineering lure,” they wrote.
The ISO looked like a standard local drive and its contents seemed legitimate. It contained four files, including a PDF file that held a Windows shortcut that, once executed, would lead to an obfuscated PowerShell script that extracts other payloads embedded in a steganographic image. Then comes a malicious DLL that is sideloaded by a legitimate signed application. This lets the malicious code appear as trusted software even as it runs its operation.
The malware then sends system data to the C2 server and gets back cryptographic material used to decrypt embedded strings and instructions at runtime. Sensitive data – including cryptocurrency-related artifacts – is collected and then exfiltrated over encrypted channels.
BlackSanta Strikes
“The campaign’s most alarming feature is an internal module dubbed BlackSanta, the EDR killer,” Aditya Sood, Aryaka’s vice president of security engineering and AI strategy, wrote in a blog post. “This manipulation is not a case of basic tampering; BlackSanta deploys a Bring-Your-Own Vulnerable Driver (BYOVD) technique. First, it loads legitimate but exploitable kernel drivers, gaining low-level system access. Second, it systematically turns off security tools.”
It not only terminates antivirus processes and shuts down EDR agents, but also weakens Microsoft Defender protections, suppresses system logging, and removes visibility from security consoles, Sood wrote.
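Detection logic for the chain described in the two passages above (ISO-borne shortcut to obfuscated PowerShell, DLL sideloading by a signed application, vulnerable-driver load for EDR killing), as an added example that is not part of Aryaka's report. It runs over constructed Sysmon-style events; the host names, paths and the blocklist hash are hypothetical placeholders.

```python
import re
from collections import defaultdict

# Placeholder: populate from a vulnerable-driver blocklist (constructed value, not from the report).
VULN_DRIVER_HASHES = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Encoded commands, hidden windows and in-memory decode/execute idioms typical of obfuscated loaders.
OBFUSCATION = re.compile(r"(-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}|-w(indowstyle)?\s+hidden|frombase64string|\biex\b)", re.I)

EVENTS = [  # constructed Sysmon-style telemetry; hosts, paths and hash are hypothetical
    {"host": "hr-ws01", "ts": 1, "kind": "ProcessCreate", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cwd": "E:\\", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
    {"host": "hr-ws01", "ts": 2, "kind": "ImageLoad", "process": "C:\\Users\\hr\\AppData\\Local\\Temp\\Updater\\signed_app.exe",
     "process_signed": True, "dll": "C:\\Users\\hr\\AppData\\Local\\Temp\\Updater\\version.dll", "dll_signed": False},
    {"host": "hr-ws01", "ts": 3, "kind": "DriverLoad", "sha256": "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"},
    {"host": "fin-ws07", "ts": 4, "kind": "ProcessCreate", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cwd": "C:\\Users\\fin", "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"host": "fin-ws07", "ts": 5, "kind": "ImageLoad", "process": "C:\\Program Files\\App\\app.exe",
     "process_signed": True, "dll": "C:\\Windows\\System32\\version.dll", "dll_signed": True},
]

def suspicious_powershell(ev):
    """Stage 1: PowerShell whose working directory is a non-C: volume (a mounted ISO is the usual
    cause when a shortcut inside the image is opened) and whose command line looks obfuscated."""
    if ev["kind"] != "ProcessCreate" or "powershell" not in ev["image"].lower():
        return False
    return not ev["cwd"].lower().startswith("c:\\") and bool(OBFUSCATION.search(ev["cmdline"]))

def dll_sideload(ev):
    """Stage 2: a signed process loads an unsigned DLL from outside the trusted program directories."""
    return (ev["kind"] == "ImageLoad" and ev["process_signed"] and not ev["dll_signed"]
            and not ev["dll"].lower().startswith(TRUSTED_DLL_DIRS))

def vulnerable_driver(ev):
    """Stage 3 (BYOVD): a driver on the vulnerable-driver blocklist is loaded."""
    return ev["kind"] == "DriverLoad" and ev["sha256"] in VULN_DRIVER_HASHES

def hunt(events):
    """Return {host: [stages seen, in time order]} for hosts showing at least two chain stages."""
    stages = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name, check in (("powershell", suspicious_powershell), ("sideload", dll_sideload),
                            ("byovd", vulnerable_driver)):
            if check(ev) and name not in stages[ev["host"]]:
                stages[ev["host"]].append(name)
    return {host: seen for host, seen in stages.items() if len(seen) >= 2}

if __name__ == "__main__":
    print(hunt(EVENTS))  # {'hr-ws01': ['powershell', 'sideload', 'byovd']}
```

Requiring two or more stages on the same host keeps a lone encoded PowerShell command or a single odd DLL load from paging an analyst, while a host that chains them is escalated with the stage order preserved.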
He said the malware itself is not opportunistic. Rather, “it is operationally disciplined intrusion engineering. This operation reflects a mature adversary capable of blending social engineering, living-off-the-land techniques, steganography, and kernel-level abuse to achieve stealthy persistence and credential theft.”