Russian-speaking threat actors have been running a year-long campaign against HR recruitment workflows using a multi-stage attack chain dubbed 'BlackSanta.' The lure is a malicious ISO file posing as a resume, delivered through recruitment channels. When the recipient mounts the image and opens it, a malicious LNK shortcut inside it runs obfuscated PowerShell, which extracts hidden payloads from steganographic images and sideloads a malicious DLL through a legitimate signed application. The final payload is a BYOVD (bring-your-own-vulnerable-driver) EDR killer: it loads legitimately signed but exploitable kernel drivers to gain kernel-level access, then disables antivirus, EDR agents, Microsoft Defender, and system logging. With those controls down, the actors exfiltrate data over HTTPS to a command-and-control server. Security researchers recommend that organizations apply the same defensive rigor to HR systems as to finance and IT administration, including endpoint hardening, attachment controls (in particular for ISO and LNK files), and security awareness training for recruiting teams.
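The chain above leaves a recognisable trail in endpoint telemetry: explorer.exe spawning PowerShell with a working directory on a freshly mounted volume, a hidden window and an -EncodedCommand argument, and later a kernel driver loaded from a user-writable path. The script below is an added example, not code from the article or from any vendor's detection content. It runs a few heuristics of that shape over constructed Sysmon-style events (event ID 1 process creation, event ID 6 driver load); the sample events, the drive letter, the file names and the stage-2 script are all invented for the example and are not indicators from the campaign.

```python
import base64
import re

# ---------- constructed sample telemetry (Sysmon-style fields, not real logs) ----------

def encode_powershell(script: str) -> str:
    """Produce the UTF-16LE + base64 form that powershell.exe -EncodedCommand consumes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_powershell(blob: str) -> str:
    """Recover the script text from an -EncodedCommand argument."""
    return base64.b64decode(blob).decode("utf-16-le")

# Hypothetical stage-2 script: read bytes out of an image and execute them (the
# steganographic-payload step). Written for this example, not recovered from the campaign.
STAGE2 = ("$b = [IO.File]::ReadAllBytes('E:\\resume.jpg'); "
          "Invoke-Expression ([Text.Encoding]::ASCII.GetString($b[4096..8191]))")

SAMPLE_EVENTS = [
    # explorer.exe itself: benign
    {"event_id": 1, "image": "C:\\Windows\\explorer.exe",
     "parent_image": "C:\\Windows\\System32\\userinit.exe",
     "command_line": "C:\\Windows\\explorer.exe", "current_directory": "C:\\Users\\recruiter\\"},
    # LNK inside the mounted ISO (drive E:) launches hidden, encoded PowerShell
    {"event_id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_powershell(STAGE2),
     "current_directory": "E:\\"},
    # signed-but-vulnerable driver loaded from a user-writable path (BYOVD step)
    {"event_id": 6, "image_loaded": "C:\\Users\\recruiter\\AppData\\Local\\Temp\\drv.sys", "signed": "true"},
    # baseline: OS driver from its normal location
    {"event_id": 6, "image_loaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "signed": "true"},
    # baseline: an admin running PowerShell from a console
    {"event_id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "powershell.exe Get-Process", "current_directory": "C:\\Users\\admin\\"},
]

# ---------- heuristics ----------

ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
LOADER_TOKENS = re.compile(r"invoke-expression|\biex\b|frombase64string|readallbytes|downloadstring", re.I)
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def analyse_process_create(ev):
    """Findings for a process-create event; empty list when nothing matches."""
    findings = []
    if "powershell" not in ev.get("image", "").lower():
        return findings
    cmd = ev.get("command_line", "")
    parent = ev.get("parent_image", "").lower()
    cwd = ev.get("current_directory", "")
    # explorer.exe is the parent when a user double-clicks a LNK; a working directory
    # on a non-system drive is consistent with a freshly mounted ISO (heuristic).
    if parent.endswith("\\explorer.exe") and cwd[:2].upper() not in ("C:", ""):
        findings.append(f"powershell via explorer from mounted volume {cwd}")
    if HIDDEN_WINDOW.search(cmd):
        findings.append("hidden window requested")
    m = ENCODED_ARG.search(cmd)
    if m:
        try:
            script = decode_powershell(m.group(1))
        except (ValueError, UnicodeDecodeError):
            script = ""
        hits = sorted({t.lower() for t in LOADER_TOKENS.findall(script)})
        findings.append("encoded command" + (f" decoding to loader tokens {hits}" if hits else ""))
    return findings

def analyse_driver_load(ev):
    """Flag driver loads from outside the OS driver directory. A valid signature alone
    proves nothing here: BYOVD abuses drivers that are legitimately signed."""
    path = ev.get("image_loaded", "")
    if path and not path.lower().startswith(SYSTEM_DRIVER_DIR):
        return [f"driver loaded from non-standard path {path}"]
    return []

def run_detections(events):
    """Return {event index: [findings]} for events that tripped at least one heuristic."""
    out = {}
    for i, ev in enumerate(events):
        if ev.get("event_id") == 1:
            f = analyse_process_create(ev)
        elif ev.get("event_id") == 6:
            f = analyse_driver_load(ev)
        else:
            f = []
        if f:
            out[i] = f
    return out

if __name__ == "__main__":
    for idx, findings in run_detections(SAMPLE_EVENTS).items():
        print(idx, findings)
```

On the sample data only the LNK-launched PowerShell and the Temp-directory driver load are reported; the admin console and the tcpip.sys load stay quiet. The path check on driver loads is deliberately the cheap first filter: blocking the specific vulnerable drivers is best done with a driver blocklist (Microsoft's vulnerable driver blocklist or an equivalent), which this heuristic complements rather than replaces.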

From darkreading.com (4 min read)
Table of contents:
- Multi-Step Attack Flow
- Treating Targets as Naughty, Not Nice
- HR Systems Need Better Security