A Russian-speaking threat actor is targeting corporate HR teams with fake job applications delivered as ISO disk images hosted on legitimate cloud storage. Once opened, the ISO mounts and executes hidden commands that unpack malware concealed inside an image file. The campaign's standout component, dubbed 'BlackSanta,' is an EDR killer that uses the Bring Your Own Vulnerable Driver (BYOVD) technique to load legitimate but flawed kernel drivers, gaining deep system access to disable antivirus, EDR agents, and Microsoft Defender. With defenses neutralized, the malware exfiltrates sensitive files and cryptocurrency artifacts over encrypted channels. Aryaka researchers highlight that HR workflows—where staff routinely download files from strangers under time pressure—have become an increasingly attractive attack vector that organizations should defend with the same rigor as finance and IT systems.

4 min read. From go.theregister.com