Russian threat actors have been running a year-long spear-phishing campaign that targets HR and recruiting staff with fake resume files. The attack chain involves ISO files delivered via cloud storage, obfuscated PowerShell scripts, steganographic image payloads, and DLL sideloading. The most notable component is 'BlackSanta,' an EDR-killer module that uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus, EDR agents, Microsoft Defender, and system logging before exfiltrating sensitive data over encrypted HTTPS channels to a C2 server. The campaign has remained largely undetected for over a year because of runtime encryption, sandbox evasion, and kernel-level manipulation.