BlackSanta EDR Killer is the defense-neutralization payload at the centre of a recently uncovered campaign, and it illustrates how attackers keep refining their tradecraft to get past modern endpoint defenses. The campaign is a year-long operation by a Russian-speaking threat actor that specifically targets human resources (HR) departments and recruiters with resume-themed lures whose final stage is the BlackSanta EDR Killer.
The Campaign: Resume-Themed Spear-Phishing
Researchers at Aryaka Threat Labs detailed this stealthy campaign, which has operated undetected for over a year (as of March 2026). The attackers send highly targeted spear-phishing emails that lure HR professionals into downloading malicious ISO image files disguised as resumes or applicant documents. The files are typically hosted on cloud storage services such as Dropbox, so the link points at a familiar domain rather than an attacker-owned one. Wrapping the payload in an ISO keeps the actual malicious files one step removed from mail-attachment scanning, and the lure exploits the trust HR staff routinely place in applicant materials.
Once mounted, the ISO appears as an ordinary drive letter and contains:
- A Windows shortcut (.LNK) file masquerading as a PDF resume
- A PowerShell script
- An image file hiding additional malicious code via steganography
- An .ICO icon file
Clicking the shortcut launches the PowerShell script, which extracts the code hidden in the image and runs it in memory. That stage downloads a ZIP archive containing a legitimate application (SumatraPDF) alongside a malicious DLL named DWrite.dll; when the application starts it loads the attacker's DLL instead of the system one, a classic DLL sideloading technique.
The infection chain then performs system fingerprinting, anti-analysis checks (looking for sandboxes, VMs, and debuggers), disk-write tests, and modifications that weaken Microsoft Defender, adding exclusions for certain file types and reducing telemetry, before the final payload is deployed.
BlackSanta EDR Killer: The Dedicated Defense-Neutralization Module
The campaign’s most dangerous payload is the BlackSanta EDR Killer, a dedicated defense-neutralization module. It is not ransomware or a stealer in itself; its job is to silence endpoint security tools before the follow-on malicious activity begins. Because its stages are hidden in an image file and executed in memory rather than dropped to disk as recognizable binaries, file-based scanning has little to inspect.
Key capabilities include:
- Enumerating running processes and comparing them against a hardcoded list of antivirus, EDR, SIEM, and forensic tools
- Using Bring Your Own Vulnerable Driver (BYOVD) techniques, loading legitimate, validly signed but vulnerable kernel drivers such as RogueKiller Antirootkit (truesight.sys) and IObitUnlocker.sys, to gain kernel-level access and terminate protected processes that user-mode code cannot touch
- Suppressing Windows security notifications to reduce user alerts
- Disabling or limiting Microsoft Defender telemetry and sample submission
With the endpoint blinded, attackers can maintain persistence, conduct reconnaissance, harvest credentials, and potentially exfiltrate sensitive HR data (employee records, PII, payroll information) with minimal chance of detection. BYOVD abuse of these same drivers has been seen in other malware families, including ransomware and cryptomining operations, but BlackSanta stands out for being built specifically as an EDR-neutralization tool.
Why HR Departments Are Prime Targets
HR teams handle large volumes of sensitive personal data, which makes them high-value targets for data theft, extortion, and initial access brokers who resell footholds in larger organizations. With remote work and online recruitment now standard, these attacks abuse the very workflows that keep hiring running: opening an unsolicited attachment from a stranger is, for a recruiter, a normal part of the job. The fallout extends beyond the breach itself to regulatory exposure under laws such as GDPR or CCPA.
How Organizations Can Protect Themselves
This campaign underscores the need for layered defenses beyond basic antivirus. To defend against the BlackSanta EDR Killer, organizations should implement the following measures:
- User awareness training, especially for HR and recruiting staff, on verifying attachments, treating cloud-storage links in unsolicited applications with suspicion, and recognizing social engineering built around job applications. Such training measurably reduces the success rate of spear-phishing.
- Restrict the attack surface: block or quarantine ISO attachments and prevent their automatic mounting, constrain PowerShell for users who do not need it (constrained language mode, script block logging), and enforce a vulnerable-driver blocklist so known-bad signed drivers cannot be loaded even though their signatures are valid.
- Endpoint hardening and monitoring: alert on driver loads from user-writable paths, on loads of drivers on public vulnerable-driver lists, on unexpected terminations of security processes, and on Microsoft Defender configuration changes such as new exclusions or reduced telemetry and sample submission.
- EDR/XDR solutions with tamper protection that detect kernel-level interference, behavioral anomalies, and in-memory execution.
- Network segmentation and strong email filtering to limit the reach of malicious cloud-hosted files.
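The monitoring items above can be turned into concrete detection logic. The following is an added example written for this article, not code from Aryaka Threat Labs or the campaign itself. It runs over a handful of constructed, Sysmon-style event records (Event ID 6 driver loads, Event ID 1 process creations, and Defender operational-log 5007 configuration changes) and flags the behaviours described on this page: the two named BYOVD drivers, hidden PowerShell launched from Explorer as a shortcut would do it, Defender tampering via Set-MpPreference or registry changes, and attempts to kill security processes. Process names in SECURITY_PROCESSES and the event field names are assumptions for illustration; adjust them to your own telemetry schema.

```python
from dataclasses import dataclass

# Drivers named on this page as abused by BlackSanta (matched by file name, case-insensitive).
KNOWN_VULNERABLE_DRIVERS = {"truesight.sys", "iobitunlocker.sys"}

# Assumed security-tool process names an EDR killer would target; extend for your stack.
SECURITY_PROCESSES = {"msmpeng.exe", "sense.exe", "sysmon64.exe"}

# Defender registry subpaths that show up in 5007 messages when exclusions or telemetry change.
DEFENDER_TAMPER_KEYS = ("exclusions\\", "spynet\\spynetreporting",
                        "spynet\\submitsamplesconsent", "disableantispyware")
TAMPER_CMDLETS = ("set-mppreference", "add-mppreference")
TAMPER_PARAMS = ("-exclusionextension", "-exclusionpath", "-disablerealtimemonitoring",
                 "-mapsreporting", "-submitsamplesconsent")
HIDDEN_PS_FLAGS = ("-w hidden", "-windowstyle hidden", "-ep bypass",
                   "-executionpolicy bypass", "-enc ", "-encodedcommand")


@dataclass
class Event:
    """Minimal normalized event; field names are assumptions, not a vendor schema."""
    event_id: int
    image: str = ""            # loaded driver or created process path
    command_line: str = ""
    parent_image: str = ""
    signed: str = ""           # Sysmon DriverLoad: "true"/"false"
    signature_status: str = ""  # Sysmon DriverLoad: "Valid", "Unavailable", ...
    message: str = ""          # Defender 5007 message text


def _base(path: str) -> str:
    """File name component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_driver_load(e: Event):
    """BYOVD: a known vulnerable driver loads with a perfectly valid signature,
    so the name/hash list must be checked before the signature result."""
    name = _base(e.image)
    if name in KNOWN_VULNERABLE_DRIVERS:
        return ("byovd_known_driver", name)
    if e.signed.lower() != "true" or e.signature_status.lower() != "valid":
        return ("driver_load_bad_signature", name)
    return None


def check_process_create(e: Event):
    img, cmd, parent = _base(e.image), e.command_line.lower(), _base(e.parent_image)
    findings = []
    # Shortcut-driven stage: Explorer (the .LNK click) spawning hidden/bypass PowerShell.
    if img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
            and any(f in cmd for f in HIDDEN_PS_FLAGS):
        findings.append(("lnk_style_hidden_powershell", e.command_line))
    # Defender weakening through the management cmdlets.
    if any(c in cmd for c in TAMPER_CMDLETS) and any(p in cmd for p in TAMPER_PARAMS):
        findings.append(("defender_config_tamper_cmdlet", e.command_line))
    # Crude user-mode kill attempt against a security process.
    if img == "taskkill.exe" and any(p in cmd for p in SECURITY_PROCESSES):
        findings.append(("security_tool_kill_attempt", e.command_line))
    return findings


def check_defender_config(e: Event):
    """Defender operational log 5007: configuration changed; look at what changed."""
    msg = e.message.lower()
    for key in DEFENDER_TAMPER_KEYS:
        if key in msg:
            return ("defender_config_change", key)
    return None


def detect(events):
    """Return a list of (rule, detail) findings in event order."""
    alerts = []
    for e in events:
        if e.event_id == 6:
            hit = check_driver_load(e)
            if hit:
                alerts.append(hit)
        elif e.event_id == 1:
            alerts.extend(check_process_create(e))
        elif e.event_id == 5007:
            hit = check_defender_config(e)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry mirroring the chain described above (not real campaign data).
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r"powershell.exe -w hidden -ep bypass -file E:\resume.ps1"),
    Event(6, image=r"C:\Users\hr\AppData\Local\Temp\truesight.sys", signed="true",
          signature_status="Valid"),
    Event(6, image=r"C:\Windows\System32\drivers\ndis.sys", signed="true",
          signature_status="Valid"),  # benign, should not alert
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line='powershell Set-MpPreference -ExclusionExtension ".lnk",".ps1" '
                       '-MAPSReporting 0 -SubmitSamplesConsent 2'),
    Event(5007, message=r"Microsoft Defender Antivirus Configuration has changed. New value: "
                        r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.lnk = 0x0"),
    Event(1, image=r"C:\Windows\System32\taskkill.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line="taskkill /F /IM MsMpEng.exe"),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The ordering inside check_driver_load is the point worth noting: the drivers BlackSanta brings along carry valid vendor signatures, so a rule that only inspects signature status passes them. Name and hash lists (Microsoft's vulnerable driver blocklist, public vulnerable-driver inventories) have to be consulted first, and a driver loading from a user-writable location such as a Temp directory deserves an alert on its own.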
At Black Belt Secure, we help organizations implement robust endpoint protection strategies, conduct threat hunting, and respond to advanced persistent threats like these. If your HR team or overall security posture has been exposed to similar lures, or if you’d like a no-obligation assessment of your defenses against EDR evasion techniques, reach out to our team today.
Stay vigilant: threats like the BlackSanta EDR Killer show that attackers are getting better at staying silent on the endpoint and at targeting the human element in your organization.
