BlackSanta Malware Strikes HR Departments Through Fake Resume Phishing Attacks

  • Attackers, so far unattributed, are targeting HR departments with phishing emails disguised as job applications.
  • Victims are lured into downloading ISO disk images that contain a malicious shortcut file and a PowerShell script.
  • The attack uses DLL side-loading to run malware under the cover of a legitimate PDF reader.
  • The final payload, BlackSanta, terminates endpoint security (EDR) services and suppresses Windows notifications to keep its foothold.

Cybersecurity researchers have uncovered a long-running malware campaign targeting Human Resources teams at organizations worldwide. The operation revolves around a newly identified malware strain known as BlackSanta, which is built to disable endpoint defenses rather than merely evade them.

The campaign was identified by security firm Aryaka, which believes the attacks have been active for at least a year. While the number of affected organizations remains unclear, the infection chain shows a high level of planning and technical sophistication.

The attackers are focusing on HR departments for a simple reason. HR teams regularly receive resumes and job applications from unknown sources. This routine makes them more likely to open attachments or download files sent by unfamiliar contacts, providing an ideal entry point for threat actors.

In this campaign, the attackers exploit that trust by disguising malicious files as job applications or candidate resumes.

Phishing emails disguised as job applications

The attack typically begins with a phishing email that appears to come from a job seeker. The message claims to include a resume or portfolio and directs the recipient to download the files from a cloud storage link.

Instead of attaching the document directly, the email includes a link to a folder hosted on a file sharing service such as Dropbox. Inside that folder is an ISO file that supposedly contains the candidate’s resume.


ISO files are disk images that replicate the file system of an optical disc. They were once widely used for distributing software, but are rarely seen in everyday file sharing, so many recipients do not recognise them as something to be wary of. Attackers favour them for two practical reasons: many email and web gateways do not unpack the contents of an ISO the way they do a ZIP, and until a November 2022 Windows update the files inside a mounted ISO did not inherit the Mark of the Web, so SmartScreen and Office Protected View warnings were not shown. On unpatched systems that gap still exists.

If the HR employee opens the ISO, Windows mounts it as a new drive letter (it has done so on double-click since Windows 8) and shows its contents. Among them are a shortcut (.lnk) file posing as the resume and a PowerShell script; the shortcut is the trigger, and opening it launches the script.

Once triggered, the PowerShell script quietly downloads additional components from remote servers: a malicious dynamic-link library (DLL) together with a legitimate PDF reader application that will load it.

Side loading helps the malware evade detection

The attackers rely on a technique known as DLL side-loading to activate their malware. When an application imports a DLL, Windows searches the application's own directory before the system directories, so by placing a malicious DLL with the expected name next to a legitimate, signed application, the attackers can get that trusted program to execute their code.

When the PDF reader launches, it resolves the DLL from its own directory and loads the attackers' code alongside its normal components. Because the visible process is a legitimate application, the activity does not raise immediate suspicion from security tools that key on the executable's name or signature.
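The side-loading pattern described above leaves a recognisable trace in Sysmon Event ID 7 (Image loaded) telemetry: an unsigned DLL loaded from the same directory as its host process, with that directory outside the Windows and Program Files trees. The following hunting script is an added example, not code from Aryaka or from the campaign; the heuristic, the sample events, and the file names and paths in them (reader.exe, helper.dll, the Temp and E: locations) are constructed placeholders, not indicators from the report.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (Image loaded) records.

Heuristic (an assumption for this example, not from the Aryaka report):
a loaded DLL that is unsigned, sits in the same directory as the process
that loaded it, and whose directory is outside the Windows and Program
Files trees (user profile, Temp, or a mounted-ISO drive letter).
"""
from pathlib import PureWindowsPath

# Directories where legitimately installed software normally lives.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def parent_dir(path: str) -> str:
    """Case-insensitive parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def is_trusted_location(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def dll_is_signed(event: dict) -> bool:
    # Sysmon records the loaded image's signature as Signed=true/false plus a
    # SignatureStatus (e.g. "Valid"); anything short of a valid signature
    # is treated as unsigned.
    return (event.get("Signed", "false").lower() == "true"
            and event.get("SignatureStatus", "") == "Valid")


def is_sideload_candidate(event: dict) -> bool:
    exe = event["Image"]          # the process that loaded the DLL
    dll = event["ImageLoaded"]    # the DLL itself
    return (
        not dll_is_signed(event)
        and parent_dir(exe) == parent_dir(dll)
        and not is_trusted_location(exe)
    )


def find_sideload_candidates(events):
    """Return the (process, dll) pairs that deserve a closer look."""
    return [(e["Image"], e["ImageLoaded"])
            for e in events if is_sideload_candidate(e)]


# Constructed sample events using Sysmon field names. Paths and DLL names
# are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\hr\AppData\Local\Temp\Reader\reader.exe",
     "ImageLoaded": r"C:\Users\hr\AppData\Local\Temp\Reader\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\hr\AppData\Local\Temp\Reader\reader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Reader\reader.exe",
     "ImageLoaded": r"C:\Program Files\Reader\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"E:\Resume\reader.exe",            # E: is a mounted ISO here
     "ImageLoaded": r"E:\Resume\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {exe} loaded {dll}")
```

The Program Files case is deliberately left unflagged to keep the rule quiet on ordinary installs; if those directories are writable by standard users in your estate, drop that exclusion, and pair the rule with an allowlist of which signed executables are expected to run from user-writable paths at all.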

Before proceeding further, the malicious DLL performs several checks on the system. It looks for signs that the device may be running inside a virtual machine or a security sandbox. These environments are often used by cybersecurity analysts to study malware safely.


If the malware detects such an environment, it may halt its activity to avoid being analyzed. If no such indicators are found, the infection process continues.

At this stage the loader downloads further payloads, including the primary threat, BlackSanta.

BlackSanta disables security protections

BlackSanta is described by researchers as an EDR killer. Endpoint Detection and Response tools are commonly used by organizations to monitor systems for suspicious behavior and stop advanced threats.

Instead of attempting to evade these tools, BlackSanta focuses on shutting them down entirely. Once active, it attempts to terminate security services associated with EDR solutions installed on the machine.

The malware is also capable of adjusting its behavior depending on which security platform it detects. This flexibility allows it to disable protections more effectively and maintain persistence inside the compromised system.

In addition, BlackSanta can suppress Windows notifications that might otherwise alert users to suspicious activity. By preventing warning messages from appearing, the malware increases the chances that the attack will go unnoticed for longer periods.
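An EDR killer that stops or disables security services leaves a trail in the Windows System log from the Service Control Manager: event 7036 (service entered the stopped state), 7040 (start type changed, here to disabled) and 7034 (service terminated unexpectedly). The script below is an added example written for this article, not Aryaka's detection logic; the service display names are Microsoft Defender's and are meant to be extended with those of whatever EDR is deployed, and the log records are constructed, not taken from an infected host.

```python
"""Spot EDR-killer activity in Windows System log records.

Service Control Manager message formats matched here:
  7036  The <service> service entered the <state> state.
  7040  The start type of the <service> service was changed from <old> to <new>.
  7034  The <service> service terminated unexpectedly. It has done this N time(s).
Any of these against a watched security service is worth an alert.
"""
import re

# Display names as they appear in the messages. Defender's are listed;
# extend with your EDR vendor's service display names (an assumption of
# this example, not a list from the report).
WATCHED_SERVICES = {
    "Microsoft Defender Antivirus Service",                  # WinDefend
    "Windows Defender Advanced Threat Protection Service",   # Sense (MDE)
}

PATTERNS = {
    7036: re.compile(r"^The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$"),
    7040: re.compile(r"^The start type of the (?P<svc>.+?) service was changed "
                     r"from (?P<old>.+?) to (?P<new>.+?)\.$"),
    7034: re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly\."),
}

DETAIL = {
    7036: "stopped",
    7040: "start type set to disabled",
    7034: "terminated unexpectedly",
}


def classify(event: dict):
    """Return (event_id, service, detail) for a tamper event, else None."""
    eid = event["EventID"]
    pattern = PATTERNS.get(eid)
    if pattern is None:
        return None
    m = pattern.match(event["Message"])
    if m is None or m.group("svc") not in WATCHED_SERVICES:
        return None
    if eid == 7036 and m.group("state") != "stopped":
        return None  # running/started transitions are normal
    if eid == 7040 and m.group("new").lower() != "disabled":
        return None  # other start-type changes are not tampering
    return (eid, m.group("svc"), DETAIL[eid])


def detect_edr_tampering(events):
    """Time-ordered list of (TimeCreated, event_id, service, detail) hits."""
    hits = []
    for e in events:
        c = classify(e)
        if c is not None:
            hits.append((e["TimeCreated"], *c))
    return hits


# Constructed sample records (timestamps and order invented for the example).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-01-15T09:02:11Z", "EventID": 7036,
     "Message": "The Print Spooler service entered the stopped state."},
    {"TimeCreated": "2024-01-15T09:02:40Z", "EventID": 7036,
     "Message": "The Microsoft Defender Antivirus Service service entered the stopped state."},
    {"TimeCreated": "2024-01-15T09:02:41Z", "EventID": 7040,
     "Message": "The start type of the Windows Defender Advanced Threat Protection Service "
                "service was changed from auto start to disabled."},
    {"TimeCreated": "2024-01-15T09:03:05Z", "EventID": 7034,
     "Message": "The Windows Defender Advanced Threat Protection Service service "
                "terminated unexpectedly.  It has done this 1 time(s)."},
    {"TimeCreated": "2024-01-15T09:10:00Z", "EventID": 7036,
     "Message": "The Microsoft Defender Antivirus Service service entered the running state."},
]

if __name__ == "__main__":
    for hit in detect_edr_tampering(SAMPLE_EVENTS):
        print("EDR tampering:", *hit)
```

Two caveats when deploying this: the endpoint agent being killed cannot be relied on to ship these records, so collect the System log through Windows Event Forwarding or a separate log shipper to a collector the agent does not own; and a tamper-protected Defender rarely yields a clean 7036 stop, so a 7034 crash or a sudden gap in the agent's heartbeat is often the more realistic signal than a graceful stop.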


This ability to neutralize security tools gives attackers greater freedom to deploy additional payloads, steal information, or move laterally within the network.

Although researchers observed the malware being used in real world attacks, they did not disclose the exact number of organizations affected. The identity of the attackers also remains uncertain.

However, analysts say the techniques used in the campaign do not appear to match the patterns typically associated with well known state sponsored hacking groups.

What is clear is that the operation demonstrates how attackers continue to evolve their tactics. By combining social engineering, file-based deception, and malware that switches off defenses instead of hiding from them, the campaign creates a powerful pathway into corporate networks.

Organizations are therefore being urged to strengthen email security awareness, especially among HR teams that routinely open files from external contacts, and to treat ISO downloads and attachments as a file type that a resume-handling workflow has no reason to accept.

Emily Parker