By Aditya K Sood, VP of Security Engineering and AI Strategy, Aryaka
The Resume that wasn’t a Resume
It begins in one of the most trusted workflows inside any organization: hiring. An HR professional receives what appears to be a perfectly normal resume. The candidate profile seems relevant. The hosting link points to a familiar cloud storage service. Nothing feels suspicious. A quick download and a double click later, an ISO file mounts and the intrusion begins.
Threat Actors targeting Recruitment Workflows
Threat actors increasingly target recruitment workflows because they exploit predictable human behavior. Recruitment teams routinely open external attachments, download resumes from unfamiliar sources, and operate under significant time pressure to process large volumes of applicants. Unlike core IT teams, HR environments are not always subject to the same level of hardened security controls, yet they handle sensitive personally identifiable information (PII) and often have access to internal enterprise systems. This combination of trust, urgency, external interaction, and valuable data makes recruitment functions a soft target with high reward potential, and this campaign deliberately weaponizes it.
Dissecting the Threat Campaign
Let’s discuss the threat campaign briefly from a technical perspective.
The Infection Chain: Precision in Layers
- Stage 1 – Initial Access: The attack begins with a resume-themed ISO file delivered through recruitment channels and hosted on a legitimate cloud storage service. When the victim mounts the ISO and opens its contents, a malicious shortcut (LNK) is executed, triggering the next phase without raising immediate suspicion.
- Stage 2 – Execution and Payload Staging: The shortcut launches obfuscated PowerShell commands that extract a payload hidden inside an image file (steganography). The extracted malicious DLL is then sideloaded by a legitimately signed application, so the attacker's code runs under the guise of trusted software.
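The two stages above leave a recognizable trail in endpoint telemetry: explorer.exe (the user double-clicking the LNK) spawning PowerShell from a freshly mounted drive letter, that PowerShell process writing a DLL into a user-writable folder, and a child process loading that same unsigned DLL. The following correlation logic is an added example written for this page, not code from the report or the campaign; the events, hostnames, PIDs, paths and the signed_host.exe application are constructed and hypothetical, and the field names only mimic Sysmon's.

```python
"""Correlate Sysmon-style endpoint events into the ISO -> LNK -> PowerShell -> DLL sideload chain.

All events below are constructed for this example; hostnames, PIDs, paths and the
'signed_host.exe' application are hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample telemetry. eid follows Sysmon numbering:
# 1 = process create, 7 = image load, 11 = file create.
EVENTS = [
    # The recruiter double-clicks the LNK inside the mounted ISO (mounted as E: here,
    # a hypothetical drive letter); explorer.exe is therefore the parent of PowerShell.
    {"eid": 1, "host": "hr-ws01", "pid": 4011, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "cwd": "E:\\"},
    # PowerShell carves the DLL out of the image and writes it to a user-writable folder.
    {"eid": 11, "host": "hr-ws01", "pid": 4011,
     "target": r"C:\Users\hr\AppData\Local\Temp\vendor.dll"},
    # It then starts a legitimately signed host application dropped next to the DLL ...
    {"eid": 1, "host": "hr-ws01", "pid": 4100, "ppid": 4011,
     "image": r"C:\Users\hr\AppData\Local\Temp\signed_host.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "signed_host.exe", "cwd": r"C:\Users\hr\AppData\Local\Temp"},
    # ... which sideloads the unsigned DLL.
    {"eid": 7, "host": "hr-ws01", "pid": 4100,
     "image_loaded": r"C:\Users\hr\AppData\Local\Temp\vendor.dll", "signed": "false"},
    # Benign control: an analyst running a script by hand on another host.
    {"eid": 1, "host": "fin-ws02", "pid": 2200, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\monthly_report.ps1",
     "cwd": r"C:\Users\finance"},
]

# Command-line traits typical of a launcher that wants to stay quiet.
PS_INDICATORS = {
    "encoded_command": re.compile(r"(?i)\s-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no_profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "policy_bypass": re.compile(r"(?i)-e(?:p|xecutionpolicy)\s+bypass"),
}
USER_WRITABLE = re.compile(r"(?i)\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\")
SYSTEM_DRIVE = "C:"


def detect_chain(events):
    """Return one finding per suspicious explorer.exe -> powershell.exe launch, listing any
    child process that loaded an unsigned DLL which that PowerShell instance had written."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        launches = [e for e in evs if e["eid"] == 1
                    and e["image"].lower().endswith("\\powershell.exe")
                    and e["parent"].lower().endswith("\\explorer.exe")]
        for ps in launches:
            hits = [name for name, rx in PS_INDICATORS.items() if rx.search(ps["cmdline"])]
            off_drive = not ps["cwd"].upper().startswith(SYSTEM_DRIVE)  # ISO mounts get their own letter
            if len(hits) < 2 and not off_drive:
                continue
            written = {e["target"].lower() for e in evs if e["eid"] == 11 and e["pid"] == ps["pid"]}
            sideloads = []
            for child in (e for e in evs if e["eid"] == 1 and e["ppid"] == ps["pid"]):
                for ld in (e for e in evs if e["eid"] == 7 and e["pid"] == child["pid"]):
                    dll = ld["image_loaded"]
                    if ld["signed"].lower() == "false" and USER_WRITABLE.search(dll) \
                            and dll.lower() in written:
                        sideloads.append((child["image"], dll))
            findings.append({"host": host, "pid": ps["pid"], "indicators": hits,
                             "off_system_drive": off_drive, "sideloads": sideloads})
    return findings


if __name__ == "__main__":
    for finding in detect_chain(EVENTS):
        print(finding)
```

The strongest signal is not any single event but the join: the DLL that a PowerShell process wrote is the DLL an unsigned load reports a few events later in a child of that process. Either half on its own (an encoded PowerShell command, or an unsigned DLL load from AppData) is noisy in most fleets; together they are rare outside sideloading.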
Command-and-Control (C2) Activity
Once the host passes the environment validation described in the next section, the malware establishes encrypted HTTPS-based command-and-control communication. It transmits detailed system-fingerprinting data to the attacker's infrastructure and retrieves the cryptographic material needed to decrypt embedded strings and instructions at runtime. Commands are decrypted and executed in memory, and additional payloads are delivered through process hollowing and other fileless techniques to minimize forensic artifacts.
Defense Evasion and Environment Validation
Before activating its full capabilities, the malware performs environment validation to avoid detonating in front of an analyst. It inspects hostname and username patterns, checks the system locale, and scans for virtualization artifacts commonly associated with sandboxes, as well as for debuggers and security monitoring processes. Only on a host that passes these checks does it proceed: additional payloads are injected via process hollowing, and BlackSanta, a dedicated BYOVD component, disables antivirus and EDR protections at the kernel level, clearing the path for credential harvesting, system reconnaissance, and eventual data exfiltration with minimal resistance.
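A practical consequence for defenders is that an analysis VM which fails any of these checks never sees the later stages. The script below is an added example for this page, not code from the report or the malware: it implements the same categories of check (hostname and username patterns, locale, hypervisor artifacts, analysis tooling) as a self-audit you run inside the sandbox. The specific patterns and process names are assumptions drawn from common sandbox tells, not the campaign's actual lists, which the report does not enumerate.

```python
"""Audit an analysis VM against the kind of environment checks described above.

The check list is an assumption (common sandbox tells), not the campaign's actual logic.
Run it inside the sandbox; every tripped check is something malware could use to decide
to stay dormant.
"""
import glob
import locale
import os
import re
import socket
import subprocess
import uuid

# Indicators a sandbox commonly leaks. All lists are assumptions; extend them for your fleet.
HOSTNAME_TELLS = re.compile(r"(?i)sandbox|malware|virus|analysis|cuckoo|vm-|test")
USERNAME_TELLS = re.compile(r"(?i)^(?:sandbox|malware|virus|analyst|admin|test|user)$")
VM_VENDORS = re.compile(r"(?i)vmware|virtualbox|innotek|qemu|xen|kvm|parallels|bochs")
# VMware (00:0c:29, 00:50:56), VirtualBox (08:00:27), Hyper-V (00:15:5d), QEMU/KVM (52:54:00)
VM_MAC_OUIS = {"00:0c:29", "00:50:56", "08:00:27", "00:15:5d", "52:54:00"}
TOOL_PROCESSES = {"procmon.exe", "procmon64.exe", "procexp.exe", "procexp64.exe", "wireshark.exe",
                  "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "ida.exe", "ida64.exe", "windbg.exe",
                  "fiddler.exe"}


def audit(snapshot):
    """snapshot: dict with hostname, username, locale, vendor, mac, processes.
    Returns the list of checks a sandbox-aware sample would trip."""
    tripped = []
    if HOSTNAME_TELLS.search(snapshot.get("hostname", "")):
        tripped.append("hostname looks like an analysis box")
    if USERNAME_TELLS.search(snapshot.get("username", "")):
        tripped.append("generic analysis username")
    if (snapshot.get("locale") or "") in ("", "C", "POSIX"):
        tripped.append("locale unset or default (no real workstation runs with the C locale)")
    if VM_VENDORS.search(snapshot.get("vendor", "")):
        tripped.append("hypervisor vendor string exposed")
    if snapshot.get("mac", "").lower()[:8] in VM_MAC_OUIS:
        tripped.append("NIC MAC carries a hypervisor OUI")
    tools = sorted({p.lower() for p in snapshot.get("processes", [])} & TOOL_PROCESSES)
    if tools:
        tripped.append("analysis tooling running: " + ", ".join(tools))
    return tripped


def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return ""


def list_processes():
    """Process names: tasklist on Windows, /proc on Linux (analysis boxes come in both flavours)."""
    if os.name == "nt":
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True).stdout
        return [line.split('","')[0].strip('"') for line in out.splitlines() if line.strip()]
    return [_read(p) for p in glob.glob("/proc/[0-9]*/comm")]


def collect_snapshot():
    """Gather the same facts from the machine this runs on (stdlib only, works offline)."""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    try:
        loc = locale.getlocale()[0] or ""
    except ValueError:
        loc = ""
    return {
        "hostname": socket.gethostname(),
        "username": os.environ.get("USERNAME") or os.environ.get("USER", ""),
        "locale": loc,
        # DMI vendor on Linux; on Windows read Win32_ComputerSystem.Manufacturer via WMI instead.
        "vendor": _read("/sys/class/dmi/id/sys_vendor"),
        "mac": mac,
        "processes": list_processes(),
    }


if __name__ == "__main__":
    for line in audit(collect_snapshot()) or ["no sandbox tells found"]:
        print(line)
```

The MAC OUI check is the one most often forgotten: a VM can be renamed, given a realistic user and locale, and still announce its hypervisor through the first three bytes of its NIC address. Set a vendor-looking MAC in the VM configuration rather than inside the guest.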
Data Collection Objectives
After endpoint defenses have been neutralized, the malware harvests valuable data from the victim's machine, including credentials and cryptocurrency-related artifacts. The collected data is exfiltrated discreetly over encrypted channels, so the theft proceeds with limited visibility once security controls have been weakened.
The Most Dangerous Component: BlackSanta, the EDR Killer
The campaign's most alarming feature is an internal module dubbed BlackSanta, the EDR killer. This is not basic tampering with security settings; BlackSanta uses a Bring-Your-Own-Vulnerable-Driver (BYOVD) technique. First, it loads a legitimately signed but exploitable kernel driver, gaining kernel-level access. Second, it uses that access to systematically shut down security tooling. Once BlackSanta is active, it:
- Terminates antivirus processes.
- Shuts down EDR agents.
- Weakens Microsoft Defender protections.
- Suppresses system logging.
- Removes visibility from security consoles.
In effect, it clears the runway before exfiltration. Because the driver BlackSanta abuses carries a valid signature, it passes Driver Signature Enforcement, so detection has to rely on other signals: the Microsoft vulnerable driver blocklist (enforced through HVCI or a WDAC policy), driver-load telemetry that compares hashes against known-vulnerable driver catalogues, and the abrupt termination of security processes that follows a suspicious load.
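The following detection logic is an added example for this page, not code from the report or from any product: it applies exactly those signals to Sysmon-style driver-load (event 6) and process-terminate (event 5) records. The timeline, paths, the drv.sys file name, the "Example Hardware Co." signer and every hash value are constructed; in production the KNOWN_VULNERABLE_SHA256 set would be populated from the Microsoft recommended driver block rules or a vulnerable-driver catalogue, and SECURITY_PROCESSES extended with your own EDR's process names.

```python
"""Flag BYOVD activity from Sysmon-style driver-load and process-terminate events.

Events, paths, the 'drv.sys' name, the 'Example Hardware Co.' signer and the hash values are
constructed for this example. Populate KNOWN_VULNERABLE_SHA256 from the Microsoft recommended
driver block rules or a vulnerable-driver catalogue before using this for real.
"""
import re
from datetime import datetime, timedelta

# Placeholder hashes (constructed; they match no real driver).
KNOWN_VULNERABLE_SHA256 = {"ab" * 32, "cd" * 32}

# Where legitimately installed drivers live; anything loaded from elsewhere deserves a look.
DRIVER_DIRS = re.compile(r"(?i)^C:\\Windows\\System32\\(?:drivers|DriverStore)\\")

# Security processes whose termination shortly after a driver load is the EDR-killer signature.
# MsMpEng.exe is the Defender engine, MsSense.exe the Defender for Endpoint sensor,
# CSFalconService.exe the CrowdStrike agent; add your own vendor's names.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe"}

T0 = datetime(2025, 1, 15, 9, 42, 0)  # constructed timeline
EVENTS = [
    # Normal boot-time load: signed, from the driver directory, hash unknown to the blocklist.
    {"eid": 6, "time": T0, "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "hashes": "SHA256=" + "11" * 32, "signed": "true", "signature": "Microsoft Windows"},
    # A signed but known-vulnerable driver dropped into a user-writable folder.
    {"eid": 6, "time": T0 + timedelta(seconds=30),
     "image_loaded": r"C:\Users\hr\AppData\Local\Temp\drv.sys",
     "hashes": "SHA256=" + "ab" * 32 + ",MD5=" + "00" * 16,
     "signed": "true", "signature": "Example Hardware Co."},
    # Defender's engine and sensor die seconds later.
    {"eid": 5, "time": T0 + timedelta(seconds=37),
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe"},
    {"eid": 5, "time": T0 + timedelta(seconds=38),
     "image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    # Unrelated process exit much later.
    {"eid": 5, "time": T0 + timedelta(minutes=20), "image": r"C:\Windows\System32\notepad.exe"},
]


def parse_hashes(field):
    """Sysmon writes 'SHA256=...,MD5=...'; return an algorithm -> lowercase hex dict."""
    return {k.upper(): v.lower() for k, v in
            (part.split("=", 1) for part in field.split(",") if "=" in part)}


def detect_byovd(events, window=timedelta(seconds=120)):
    """One finding per driver load that is blocklisted, unsigned, or loaded from an unusual path.
    Security processes terminated within `window` after the load raise severity to high."""
    kills = [e for e in events if e["eid"] == 5
             and e["image"].rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES]
    findings = []
    for drv in (e for e in events if e["eid"] == 6):
        reasons = []
        sha = parse_hashes(drv["hashes"]).get("SHA256", "")
        if sha in KNOWN_VULNERABLE_SHA256:
            reasons.append("hash on vulnerable-driver list")
        if not DRIVER_DIRS.match(drv["image_loaded"]):
            reasons.append("loaded from outside the driver directories")
        if drv["signed"].lower() != "true":
            reasons.append("unsigned")
        if not reasons:
            continue  # a kill after a routine load is not enough on its own
        terminated = [k["image"].rsplit("\\", 1)[-1] for k in kills
                      if timedelta(0) <= k["time"] - drv["time"] <= window]
        if terminated:
            reasons.append(f"security processes terminated within {int(window.total_seconds())}s")
        findings.append({"driver": drv["image_loaded"], "signer": drv["signature"],
                         "reasons": reasons, "terminated": terminated,
                         "severity": "high" if terminated else "medium"})
    return findings


if __name__ == "__main__":
    for finding in detect_byovd(EVENTS):
        print(finding)
```

Note that the flagged driver has "signed": "true" and a plausible signer name: the signature is exactly what lets it load, so the rule never treats it as exonerating. The kill correlation deliberately requires a prior reason on the driver itself, otherwise every legitimate driver loaded in the two minutes before an EDR upgrade restarts its service would alert.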
Why This Is an Advanced Threat Campaign
This is not opportunistic malware; it is operationally disciplined intrusion engineering. The operation reflects a mature adversary capable of blending social engineering, living-off-the-land techniques, steganography, and kernel-level abuse to achieve stealthy persistence and credential theft. It demonstrates:
- Workflow-specific targeting
- Multi-stage execution
- Living-off-the-land techniques
- Steganographic payload delivery
- Memory-resident execution
- Anti-analysis safeguards
- Kernel-level security bypass
Read the full report here.
Strategic Implications
- Recruitment workflows represent a systemic blind spot within the enterprise.
- BYOVD-based EDR neutralization is becoming increasingly operationalized.
- Security monitoring must extend beyond traditional phishing detection into behavioral and driver-level telemetry.
Conclusion
This campaign demonstrates a multi-layered intrusion model blending social engineering, living-off-the-land execution, steganographic concealment, kernel-level exploitation, and encrypted C2 coordination. Recruitment pipelines, often perceived as routine operations, are now high-value attack surfaces. Organizations should treat HR workflows with the same defensive rigor as finance and IT administrative functions.
Kind regards

