Threat actors are increasingly targeting human resources (HR) departments by disguising malware as job application documents.
The attack begins with what appears to be a legitimate job application. HR professionals receive a resume hosted on a well-known cloud storage platform, making the file seem trustworthy.
The candidate profile looks realistic and relevant to open positions, giving HR staff little reason to suspect malicious intent.
However, when the file is downloaded, the supposed resume turns out to be an ISO disk image rather than a document.
A recent campaign uncovered by researchers reveals how attackers are abusing recruitment workflows to deliver a sophisticated malware toolkit that includes the BlackSanta EDR killer, a component that can turn off endpoint security protections at the kernel level.
Once mounted and opened, the file silently launches a malicious chain of events. A disguised shortcut file (LNK) triggers the execution process, initiating the first stage of the compromise while appearing harmless to the victim.
BlackSanta EDR Killer Malware
Recruitment workflows are increasingly attractive to cybercriminals because they rely heavily on external communication and frequent document downloads.
HR teams regularly open attachments from unknown applicants, often under tight deadlines, while reviewing large volumes of resumes.
Unlike IT systems, HR systems are not always secured with advanced monitoring tools or hardened security policies.
At the same time, these systems often store sensitive personally identifiable information (PII) and maintain access to internal corporate platforms. This combination of trust, urgency, and valuable data creates an ideal environment for attackers.
The malware campaign follows a carefully structured multi-layered execution process designed to evade detection.
The first stage begins when the victim opens the ISO file containing the malicious shortcut. This shortcut launches obfuscated PowerShell commands that initiate the next phase of the attack.
During the second stage, the PowerShell script extracts hidden payloads concealed within a steganographic image file. Steganography allows attackers to embed malicious code inside seemingly harmless media files.
A malicious DLL is then sideloaded through a legitimate signed application, enabling the attacker’s code to run under the cover of trusted software.
Once executed, the malware establishes encrypted HTTPS communication with attacker-controlled command-and-control (C2) servers.
The infected system sends system fingerprinting information such as hostname, system configuration, and environment details.
In response, the attackers deliver encrypted instructions that are decrypted and executed directly in memory, reducing the likelihood of detection by traditional security tools.
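The execution chain described above (ISO mounted by the user, LNK launching obfuscated PowerShell, then a DLL sideloaded into a trusted-looking host binary) is visible in ordinary endpoint telemetry if the right conditions are correlated. The following is an added example for this article, not code from the original or from the researchers who analysed the campaign. It runs three defender-side rules over constructed Sysmon-style records (Event ID 1 process creation, Event ID 7 image load); the field names follow Sysmon's, but every path, hostname, drive letter and command line is invented, the `SYSTEM_DRIVE` value is an assumption, and the base64 payload is a harmless placeholder.

```python
"""Detecting the ISO -> LNK -> PowerShell -> DLL-sideload chain from endpoint telemetry.

Added example, not code from the article or the researchers. Events are
constructed; field names mirror Sysmon Event ID 1 and 7 records.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: the operating-system volume. A PowerShell working directory on
# any other drive letter is treated as a possibly mounted ISO or removable volume.
SYSTEM_DRIVE = "C:"

# Switches that are benign on their own but, combined with an explorer.exe
# parent (the user double-clicked something) and a working directory off the
# system drive, are typical of LNK-launched stagers.
PS_SWITCHES = re.compile(
    r"(?i)(?:^|\s)-(?:enc|encodedcommand|ec|e|nop|noprofile|w\s+hidden|"
    r"windowstyle\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b"
)

# Locations an unprivileged user can write to; a host binary and an unsigned
# DLL both living here is the classic sideloading layout.
USER_WRITABLE = re.compile(
    r"(?i)\\(?:Users\\[^\\]+\\AppData|Users\\Public|Temp|ProgramData)\\"
)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev: dict) -> list[Finding]:
    """Rules for a Sysmon Event ID 1 (process creation) record."""
    out: list[Finding] = []
    image, parent = _base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))
    cmd, cwd = ev.get("CommandLine", ""), ev.get("CurrentDirectory", "")
    if image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe":
        switches = len(PS_SWITCHES.findall(cmd))
        off_system = bool(cwd) and not cwd.upper().startswith(SYSTEM_DRIVE)
        if switches and off_system:
            out.append(Finding("lnk_powershell_from_mounted_volume", ev["Computer"],
                               f"cwd={cwd} suspicious_switches={switches}"))
        elif switches:
            out.append(Finding("explorer_spawned_hidden_powershell", ev["Computer"],
                               f"suspicious_switches={switches}"))
    return out


def check_image_load(ev: dict) -> list[Finding]:
    """Rules for a Sysmon Event ID 7 (image load) record: a process mapping a DLL."""
    out: list[Finding] = []
    host_image, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    unsigned = str(ev.get("Signed", "")).lower() != "true"
    if (dll.lower().endswith(".dll") and unsigned
            and USER_WRITABLE.search(dll) and USER_WRITABLE.search(host_image)):
        out.append(Finding("unsigned_dll_beside_dropped_host_binary", ev["Computer"],
                           f"{_base(host_image)} loaded {dll}"))
    return out


def scan(events: list[dict]) -> list[Finding]:
    """Run every rule over a batch of events and return all findings in order."""
    findings: list[Finding] = []
    for ev in events:
        if ev.get("EventID") == 1:
            findings.extend(check_process_create(ev))
        elif ev.get("EventID") == 7:
            findings.extend(check_image_load(ev))
    return findings


# Constructed telemetry: explorer.exe, then PowerShell launched from a mounted
# ISO on E:, then a host binary in %APPDATA% mapping an unsigned DLL, plus one
# benign load for contrast. "QQBCAEMA" is just "ABC" in UTF-16LE base64.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "HR-WS-01", "Image": "C:\\Windows\\explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe",
     "CurrentDirectory": "C:\\Users\\recruiter\\"},
    {"EventID": 1, "Computer": "HR-WS-01",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc QQBCAEMA",
     "CurrentDirectory": "E:\\"},
    {"EventID": 7, "Computer": "HR-WS-01",
     "Image": "C:\\Users\\recruiter\\AppData\\Roaming\\Updater\\updater.exe",
     "ImageLoaded": "C:\\Users\\recruiter\\AppData\\Roaming\\Updater\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Computer": "HR-WS-01", "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true",
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The two rules that fire on the sample are deliberately conjunctive: PowerShell with `-enc` under explorer.exe is noisy on its own, and a DLL in `%APPDATA%` is noisy on its own, but each combined with its second condition (working directory on a non-system volume; the host executable also sitting in a user-writable directory) is rare enough in most fleets to be worth an alert.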
Defense Evasion and Environment Checks
Before fully activating its capabilities, the malware performs several environment validation checks to avoid automated analysis systems.
It examines system hostnames and usernames, reviews locale settings, and scans for virtualization artifacts typically associated with security sandboxes.
The malware also searches for debugging tools and monitoring software that could expose its activity. If these checks pass, additional payloads are delivered using process hollowing and fileless techniques designed to leave minimal forensic traces.
One of the most dangerous components of this campaign is a module known as BlackSanta. This malware uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disable security defenses.
BlackSanta loads legitimate but vulnerable kernel drivers to gain deep system privileges. With this access, it can:
- Terminate antivirus processes.
- Disable endpoint detection and response (EDR) agents.
- Weaken Microsoft Defender protections.
- Suppress system logging and monitoring.
- Remove visibility from security consoles.
Because the drivers used in the attack are digitally signed, many security systems struggle to detect the malicious activity.
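Because a valid signature says nothing about whether a driver is exploitable, driver-level telemetry has to key on other signals: the driver's hash against a list of known-vulnerable drivers, where the driver was loaded from, and what happened to security processes right after it loaded. The following is an added example for this article, not code from the original or from the researchers. It runs those three checks over constructed Sysmon-style records (Event ID 6 driver load, Event ID 5 process terminated); the hashes, driver names, paths, timestamps and the second protected-process name are invented placeholders, and the 120-second correlation window is an assumed tuning value. In practice the denylist would be fed from a maintained source such as Microsoft's vulnerable driver blocklist rather than hard-coded.

```python
"""Driver-level telemetry checks for BYOVD-style tampering with endpoint protection.

Added example, not code from the article or the researchers. Events are
constructed; field names mirror Sysmon Event ID 6 and 5 records.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# PLACEHOLDER denylist of known-vulnerable driver SHA256 hashes (constructed;
# a real deployment loads these from a maintained blocklist).
VULNERABLE_DRIVER_SHA256 = {"0" * 63 + "1", "0" * 63 + "2"}

# Security-agent processes whose termination shortly after a driver load is
# the signature of an EDR killer. MsMpEng.exe is Microsoft Defender's engine;
# the second name is a placeholder for whatever EDR agent is deployed.
PROTECTED_PROCESSES = {"msmpeng.exe", "vendor_edr_agent.exe"}

# Drivers normally live under System32\drivers; a user-writable path is odd.
DRIVER_STORE = re.compile(r"(?i)^[A-Z]:\\Windows\\System32\\drivers\\")

# Assumption: how long after a driver load a security-process exit still counts.
CORRELATION_WINDOW = timedelta(seconds=120)


def _ts(ev: dict) -> datetime:
    # Sysmon UtcTime looks like "2025-01-15 10:05:00.123"
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _sha256(ev: dict) -> str:
    # Sysmon renders hashes as "SHA256=...,MD5=..." (order may vary)
    for part in ev.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def driver_load_findings(ev: dict) -> list[str]:
    """Per-event checks on a Sysmon Event ID 6 record."""
    out: list[str] = []
    path = ev.get("ImageLoaded", "")
    if _sha256(ev) in VULNERABLE_DRIVER_SHA256:
        out.append(f"known_vulnerable_driver:{_base(path)}")
    if not DRIVER_STORE.match(path):
        out.append(f"driver_outside_driver_store:{path}")
    return out


def analyze(events: list[dict]) -> list[str]:
    """Per-driver checks plus correlation of driver loads with security-process
    terminations inside CORRELATION_WINDOW. Returns findings in time order."""
    findings: list[str] = []
    recent_loads: list[tuple[datetime, str]] = []
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == 6:
            findings.extend(driver_load_findings(ev))
            recent_loads.append((_ts(ev), _base(ev["ImageLoaded"])))
        elif ev["EventID"] == 5 and _base(ev.get("Image", "")) in PROTECTED_PROCESSES:
            t = _ts(ev)
            for load_t, drv in recent_loads:
                if timedelta(0) <= t - load_t <= CORRELATION_WINDOW:
                    findings.append(
                        f"security_process_killed_after_driver_load:{_base(ev['Image'])}<-{drv}")
    return findings


# Constructed telemetry: a normal driver load, then a signed but denylisted
# driver dropped in the user's Temp directory, then Defender's engine exiting
# 30 seconds later, plus an unrelated process exit for contrast.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2025-01-15 10:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true",
     "Hashes": "SHA256=" + "a" * 64},
    {"EventID": 6, "UtcTime": "2025-01-15 10:05:00.000",
     "ImageLoaded": "C:\\Users\\recruiter\\AppData\\Local\\Temp\\svc.sys",
     "Signed": "true", "Signature": "Example Vendor Ltd (placeholder)",
     "Hashes": "MD5=" + "b" * 32 + ",SHA256=" + "0" * 63 + "1"},
    {"EventID": 5, "UtcTime": "2025-01-15 10:05:30.000",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\x\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2025-01-15 10:05:40.000",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

The correlation rule is the one that matters most against a signed driver the denylist has not caught up with: a kernel driver appearing and a security engine exiting within two minutes of each other is worth an alert regardless of how the driver's signature checks out.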
After neutralizing endpoint protections, the malware begins collecting valuable data from the compromised system.
This includes cryptocurrency-related artifacts and potentially sensitive files stored on the device. The collected information is quietly exfiltrated through encrypted channels, allowing attackers to steal data without triggering immediate alerts.
Security researchers note that the campaign demonstrates a high level of operational maturity. The attack combines multiple advanced techniques, including social engineering, living-off-the-land execution, steganography-based payload delivery, and kernel-level security bypass mechanisms.
Key characteristics of the campaign include:
- Workflow-specific targeting of HR departments.
- Multi-stage malware execution chains.
- Memory-resident payload delivery.
- Steganographic concealment techniques.
- Advanced anti-analysis and sandbox evasion checks.
The campaign highlights a growing blind spot in enterprise security strategies. Recruitment workflows, often considered routine administrative processes, are increasingly becoming high-value attack surfaces.
Organizations should extend security monitoring beyond traditional phishing defenses and incorporate behavioral monitoring and driver-level telemetry.
HR departments should also be included in security awareness programs and protected with the same level of defensive controls typically reserved for finance or IT administrative teams.