惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
U
Unit 42
H
Help Net Security
博客园_首页
雷峰网
雷峰网
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园 - 【当耐特】
Recent Announcements
Recent Announcements
Recorded Future
Recorded Future
aimingoo的专栏
aimingoo的专栏
爱范儿
爱范儿
C
CXSECURITY Database RSS Feed - CXSecurity.com
The Cloudflare Blog
S
Security @ Cisco Blogs
M
MIT News - Artificial intelligence
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
Spread Privacy
Spread Privacy
The GitHub Blog
The GitHub Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
K
Kaspersky official blog
MyScale Blog
MyScale Blog
阮一峰的网络日志
阮一峰的网络日志
C
CERT Recently Published Vulnerability Notes
V
Vulnerabilities – Threatpost
WordPress大学
WordPress大学
C
Cisco Blogs
G
Google Developers Blog
N
News and Events Feed by Topic
P
Palo Alto Networks Blog
Apple Machine Learning Research
Apple Machine Learning Research
Schneier on Security
Schneier on Security
博客园 - 聂微东
Security Latest
Security Latest
Security Archives - TechRepublic
Security Archives - TechRepublic
O
OpenAI News
云风的 BLOG
云风的 BLOG
IT之家
IT之家
PCI Perspectives
PCI Perspectives
Microsoft Security Blog
Microsoft Security Blog
NISL@THU
NISL@THU
小众软件
小众软件
Scott Helme
Scott Helme
大猫的无限游戏
大猫的无限游戏
L
LINUX DO - 最新话题
Microsoft Azure Blog
Microsoft Azure Blog
Simon Willison's Weblog
Simon Willison's Weblog
N
News and Events Feed by Topic
F
Fortinet All Blogs
The Last Watchdog
The Last Watchdog

Aryaka

How Unified SASE Improves China Connectivity: Performance, Security, And Compliance | Aryaka Blog Why China Connectivity Remains A Major Enterprise Challenge For Global IT Teams | Aryaka Blog The Market Has Spoken (Twice): Why Enterprises Choose Aryaka For SD‑WAN And Unified SASE AI Performance Is A Network Problem, Not Just Compute From ZIP File To Crpx0 Ransomware: Anatomy Of A Multi-Stage Attack Aryaka AI-Ready Network: Why Your WAN Fails For AI Workloads AI Is Redefining Cybersecurity: How CISOs Can Stay Ahead In An AI‑Driven Threat Landscape | Aryaka Blog Aryaka Named Leader In G2 Spring 2026 For SD-WAN & Cloud Security Governing Tens Of Thousands Of AI Agents: Why Policy Chaining Matters For Scalable Runtime Governance | Aryaka Blog Enterprise AI Agent Governance: Build, Deployment & Runtime Explained Is Your Outdated Network Holding Your Business Back? Why Modernization Matters For Cloud, Security, And IT Costs | Aryaka Blog Addressing The “God Key” Challenge In Agentic AI For MCP Servers: Why You Need MCP-Aware, AI-Aware ZTNA | Why Browser Security Alone Will Not Protect Us In The Agentic AI Era Aryaka Modern Workplaces Need A New Meaning Of “Site”: How AI>Secure Uses Logical & Physical Sites For Consistent GenAI Security | Aryaka Blog How Modern Security Platforms Organize Rules | SASE & SSE Securing OpenClaw Agents From ClawHavoc Supply-Chain Attacks With AI-Driven Protection Securing OpenClaw: Why ZTNA Is Critical For Enterprise AI Agent Authentication
Kernel In The Crosshairs: How The BlackSanta EDR-Killer Campaign Targets Recruitment Workflows | Aryaka Blog
Aditya K Sood · 2026-03-10 · via Aryaka

Kernel in the Crosshairs: The BlackSanta Threat Campaign Targeting Recruitment Workflows

The Resume that wasn’t a Resume

It begins in one of the most trusted workflows inside any organization: hiring. An HR professional receives what appears to be a perfectly normal resume. The candidate profile seems relevant. The hosting link points to a familiar cloud storage service. Nothing feels suspicious. A quick download, a double click, and an ISO file mounts, and the intrusion begins.

Threat Actors targeting Recruitment Workflows

Threat actors increasingly target recruitment workflows because they exploit predictable human behavior. Recruitment teams routinely open external attachments, download resumes from unfamiliar sources, and operate under significant time pressure to process large volumes of applicants. Unlike core IT teams, HR environments may not always be subject to the same level of hardened security controls. Yet, they often handle sensitive personally identifiable information (PII) and may have access to internal enterprise systems. This combination of trust, urgency, external interaction, and valuable data makes recruitment functions a soft target with high reward potential—an opportunity this campaign deliberately weaponizes.

Dissecting the Threat Campaign

Let’s discuss the threat campaign briefly from a technical perspective.

The Infection Chain: Precision in Layers

  • Stage 1 – Initial Access: The attack begins with a resume-themed ISO file delivered through recruitment channels and hosted on a trusted cloud infrastructure. When the victim mounts the ISO and opens its contents, a malicious shortcut (LNK) is executed, triggering the next phase without raising immediate suspicion.
  • Stage 2 – Execution and Payload Staging: The shortcut launches obfuscated PowerShell commands that extract hidden payloads embedded within a steganographic image. A malicious DLL is then sideloaded using a legitimate signed application, allowing the attacker’s code to run under the guise of trusted software.

Command-and-Control (C2) Activity.

Once the system passes validation, the malware establishes encrypted HTTPS-based command-and-control communication. It transmits detailed system-fingerprinting data to the attacker’s infrastructure and retrieves cryptographic material needed to decrypt embedded strings and instructions at runtime. Commands are dynamically decrypted and executed in memory, with additional payloads delivered through process hollowing and fileless techniques to minimize forensic artifacts.

Defense Evasion and Environment Validation

Before activating its full capabilities, the malware conducts rigorous environment validation to evade detection. It inspects hostnames and username patterns, verifies system locale settings, and scans for virtualization artifacts commonly associated with sandboxes. It also checks for debugging tools and security monitoring processes. With connectivity established, additional payloads are injected via process hollowing. BlackSanta, a dedicated BYOVD-based component, disables antivirus and EDR protections at the kernel level, clearing the path for credential harvesting, system reconnaissance, and eventual data exfiltration with minimal resistance.

Data Collection Objectives

After compromising endpoint defenses, the malware begins harvesting valuable data from the victim’s machine, including cryptocurrency-related artifacts, etc. The collected data is then exfiltrated discreetly over encrypted channels, allowing the theft operation to proceed with limited visibility once security controls have been weakened.

The Most Dangerous Component: BlackSanta, the EDR Killer

The campaign’s most alarming feature is an internal module dubbed BlackSanta, the EDR killer. This manipulation is not a case of basic tampering; BlackSanta deploys a Bring-Your-Own Vulnerable Driver (BYOVD) technique. First, it loads legitimate but exploitable kernel drivers, gaining low-level system access. Second, it systematically turns off security tools. Once BlackSanta is active, it:

  • Terminates antivirus processes.
  • Shuts down EDR agents.
  • Weakens Microsoft Defender protections.
  • Suppresses system logging.
  • Removes visibility from security consoles.

In effect, it clears the runway before exfiltration. As the BlackSanta malware uses signed drivers, detection becomes significantly more difficult.

Advanced Threat Campaign. Why?

It is not opportunistic malware. It is operationally disciplined intrusion engineering. This operation reflects a mature adversary capable of blending social engineering, living-off-the-land techniques, steganography, and kernel-level abuse to achieve stealthy persistence and credential theft. This operation demonstrates:

  • Workflow-specific targeting
  • Multi-stage execution
  • Living-off-the-land techniques
  • Steganographic payload delivery
  • Memory-resident execution
  • Anti-analysis safeguards
  • Kernel-level security bypass

Read the full report here:
https://www.aryaka.com/reports-and-guides/blacksanta-edr-killer-threat-report/

Strategic Implications

  • Recruitment workflows represent a systemic blind spot within the enterprise.
  • BYOVD-based EDR neutralization is becoming increasingly operationalized.
  • Security monitoring must extend beyond traditional phishing detection into behavioral and driver-level telemetry.

Conclusion

This campaign demonstrates a multi-layered intrusion model blending social engineering, living-off-the-land execution, steganographic concealment, kernel-level exploitation, and encrypted C2 coordination. Recruitment pipelines, often perceived as routine operations, are now high-value attack surfaces. Organizations should treat HR workflows with the same defensive rigor as finance and IT administrative functions.