Recruitment is usually the busiest department in any office, and right now, it is also the most dangerous. A new report released on 11 March 2026 by the research firm Aryaka has identified a surge in a specific type of cyberattack that doesn’t target IT experts, but HR staff instead. It is a classic case of hackers exploiting the one thing recruiters have to do every day: open files from strangers.
The threat, dubbed the BlackSanta malware campaign by Aryaka researchers, is believed to be the work of a Russian-speaking group that has been operating quietly for over a year. Their method is surgical: they target the specific workflows of recruiters, sending harmless-looking emails with links to CVs hosted on sites like Dropbox. In one documented case, a CV for a candidate named “Celine_Pesant” was used to trick staff into downloading an ISO file. ISO files suit this kind of lure because Windows mounts them as a virtual drive, so whatever is inside looks like ordinary files sitting on disk rather than an email attachment.
Hidden in Plain Sight
This attack differs from a standard virus in its living-off-the-land strategy: rather than dropping obviously malicious files that antivirus would block on sight, the attackers use the computer's own legitimate, already-installed tools against it.
According to the company's blog post, authored by Aditya Sood, Aryaka's VP of security engineering, the attackers use a technique called steganography: malicious code is hidden inside a normal-looking image file. While the HR employee thinks they are waiting for a PDF to load, the computer is busy reading the image and extracting the hidden instructions in the background.
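To make the technique concrete, here is an added example (written for this article, not code from Aryaka's report, and not the encoding the BlackSanta sample actually uses, which the report does not describe). It hides a payload in the least-significant bit of each pixel byte, the simplest and most common form of image steganography, then shows two things an analyst needs: how the hidden bytes come back out, and a crude statistical tell, since an encrypted payload turns the normally smooth low-order bit plane into noise. The carrier and payload are constructed stand-ins for a real image and a real second stage.

```python
"""LSB image steganography: embed, extract, and a crude triage heuristic.

Added example for this article; not Aryaka's code and not the BlackSanta
sample's actual scheme. The carrier is a constructed raw pixel buffer so
the script runs without any image library.
"""
import random
import struct
from typing import Iterator


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Write `payload` into the least-significant bit of successive pixel bytes.

    A 4-byte big-endian length prefix tells the extractor where to stop;
    every other bit of the image is left untouched, so it still looks normal.
    """
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("payload too large for this carrier")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_bytes(pixels: bytes, offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at pixel index `offset`."""
    acc = bytearray()
    for b in range(count):
        val = 0
        for k in range(8):
            val = (val << 1) | (pixels[offset + b * 8 + k] & 1)
        acc.append(val)
    return bytes(acc)


def extract(pixels: bytes) -> bytes:
    """Reverse of embed(); raises if the length prefix cannot fit the image."""
    (length,) = struct.unpack(">I", _read_bytes(pixels, 0, 4))
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds carrier; not an LSB payload")
    return _read_bytes(pixels, 32, length)


def lsb_transition_rate(pixels: bytes) -> float:
    """Fraction of adjacent pixel bytes whose LSBs differ.

    In smooth image regions the LSB plane is correlated (low rate); once an
    encrypted or compressed payload is written in, it approaches 0.5.
    """
    lsbs = [p & 1 for p in pixels]
    flips = sum(1 for a, b in zip(lsbs, lsbs[1:]) if a != b)
    return flips / max(1, len(lsbs) - 1)


# Constructed carrier: a slow gradient standing in for a real image's pixel bytes.
CARRIER = bytes((i // 7) & 0xFF for i in range(60_000))
# Constructed payload: pseudo-random bytes standing in for an encrypted stage.
_rng = random.Random(1337)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(1_000))
STEGO = embed(CARRIER, PAYLOAD)
# Number of pixel bytes the length prefix plus payload occupy.
EMBEDDED_SPAN = (4 + len(PAYLOAD)) * 8

if __name__ == "__main__":
    assert extract(STEGO) == PAYLOAD
    print(f"clean carrier LSB flip rate : {lsb_transition_rate(CARRIER):.3f}")
    print(f"stego region LSB flip rate  : {lsb_transition_rate(STEGO[:EMBEDDED_SPAN]):.3f}")
```

The flip-rate check is only a triage signal: it fires on encrypted payloads in smooth regions and says nothing about payloads hidden in noisy textures or in metadata, and real steganalysis tools use far stronger statistics. What it does show is why an image with a hidden stage can pass every signature scan: every byte of the file is still a valid, unremarkable pixel.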
What's worth noting is that this malware is extremely cautious. It checks the computer's hostname and locale to make sure it isn't being watched by security researchers. If it concludes it is running in a sandbox (an isolated testing environment used by security teams to detonate suspicious files), it simply stays dormant and never reveals its real behaviour.
The most dangerous part of this attack is the BlackSanta module, which is what experts call an EDR killer. Endpoint Detection and Response (EDR) software is essentially the security guard of a corporate network: it watches each machine for suspicious behaviour and raises the alarm when it sees something wrong.
BlackSanta uses a method known as BYOVD, or Bring Your Own Vulnerable Driver. The attackers bring along an old, legitimately signed driver that has a known security flaw. Because the driver carries a valid signature, Windows loads it without complaint, and the attackers then exploit the flaw to run their own code in the kernel, the absolute core of the operating system.
Once an attacker reaches the kernel, they have full control of the system. BlackSanta can then disable Microsoft Defender and other security tools without triggering alerts, since the very software that would raise the alarm is the software being switched off. With defences down, the attackers are free to search the system for cryptocurrency wallets and sensitive employee data.
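The practical defence against BYOVD is to stop Windows from loading known-vulnerable drivers in the first place. Below is an added example (written for this article, not code from Aryaka's report) that reports whether a host is configured for that: it reads the three registry values behind the Windows Security "Microsoft Vulnerable Driver Blocklist" toggle, virtualization-based security, and memory integrity (HVCI). The registry reader is injected so the logic can be run and tested on any OS; `windows_reader()` wires it to `winreg` on a real Windows host, and the weak/hardened hosts at the bottom are constructed fixtures.

```python
"""Report whether a Windows host is configured to resist BYOVD driver loading.

Added example for this article; not Aryaka's code. The registry values are
the documented switches behind the vulnerable driver blocklist, VBS and HVCI.
They reflect configured state, not what is currently running (see note).
"""
from typing import Callable, Dict, List, Optional, Tuple

# (registry path under HKLM, value name, human label)
CHECKS: List[Tuple[str, str, str]] = [
    (r"SYSTEM\CurrentControlSet\Control\CI\Config",
     "VulnerableDriverBlocklistEnable",
     "vulnerable driver blocklist"),
    (r"SYSTEM\CurrentControlSet\Control\DeviceGuard",
     "EnableVirtualizationBasedSecurity",
     "virtualization-based security"),
    (r"SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity",
     "Enabled",
     "hypervisor-enforced code integrity (HVCI)"),
]

# A reader takes (path, value name) and returns the DWORD, or None if absent.
ReadDword = Callable[[str, str], Optional[int]]


def assess(read_dword: ReadDword) -> Dict[str, Optional[bool]]:
    """Map each label to True (value == 1), False (set to something else) or None (absent)."""
    state: Dict[str, Optional[bool]] = {}
    for path, name, label in CHECKS:
        value = read_dword(path, name)
        state[label] = None if value is None else (value == 1)
    return state


def findings(state: Dict[str, Optional[bool]]) -> List[str]:
    """Turn the raw state into the lines an analyst would put in a ticket."""
    out: List[str] = []
    for label, ok in state.items():
        if ok is True:
            continue
        if ok is None:
            out.append(f"{label}: value absent; confirm running state via Win32_DeviceGuard")
        else:
            out.append(f"{label}: disabled; signed-but-vulnerable drivers can still be loaded")
    return out


def windows_reader() -> ReadDword:
    """Real reader backed by the registry. Only usable on Windows."""
    import winreg  # standard library, Windows only

    def read_dword(path: str, name: str) -> Optional[int]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                value, kind = winreg.QueryValueEx(key, name)
        except OSError:  # key or value missing, or access denied
            return None
        return int(value) if kind == winreg.REG_DWORD else None

    return read_dword


def fake_reader(values: Dict[Tuple[str, str], int]) -> ReadDword:
    """Constructed registry for testing: a dict of (path, name) -> DWORD."""
    return lambda path, name: values.get((path, name))


# Constructed fixtures: a host with the blocklist and VBS switched off and HVCI
# never configured, and a host with all three enabled.
WEAK_HOST = fake_reader({
    (CHECKS[0][0], CHECKS[0][1]): 0,
    (CHECKS[1][0], CHECKS[1][1]): 0,
})
HARDENED_HOST = fake_reader({(path, name): 1 for path, name, _ in CHECKS})

if __name__ == "__main__":
    import sys
    reader = windows_reader() if sys.platform == "win32" else WEAK_HOST
    for line in findings(assess(reader)) or ["all three protections configured"]:
        print(line)
```

Two caveats when using this on real fleets. First, these values say what is configured; whether HVCI is actually running is reported by the `Win32_DeviceGuard` CIM class (for example `Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard` in PowerShell), so treat an absent value as "check further", not as "off". Second, the blocklist only covers drivers Microsoft has already catalogued; a freshly abused driver that is not yet on the list will still load, which is why BYOVD remains effective and why endpoint telemetry on unusual driver loads matters as a second layer.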