www.darkreading.com 3/10/2026, 2:56:07 PM

'BlackSanta' EDR Killer Targets HR Workflows

BlackSanta is described as an EDR killer campaign targeting HR workflows, in which Russian-speaking threat actors deliver a malware payload hidden in steganographic image files to avoid detection. The operation has been running for about a year. It delivers "BlackSanta" and loads signed but exploitable kernel drivers to gain low-level system access, enabling data exfiltration while maintaining HTTPS communication with its C2 server.

According to Aryaka Threat Labs, the attack chain begins with a resume-themed ISO file sent through recruitment channels. When opened, it triggers a malicious shortcut (LNK); obfuscated PowerShell commands then extract hidden payloads from the steganographic image and sideload a DLL using legitimate software. Once executed, the malware performs checks to avoid analysis and then deploys the EDR killer to disable protections, suppress logging, and remove visibility from security consoles, making detection harder.

The report quotes Aditya K. Sood, vice president of security engineering and AI strategy at Aryaka, describing BlackSanta as a BYOVD-based EDR killer and urging security teams to strengthen endpoint protections and monitoring in HR environments. March 10, 2026.
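As an added example (not from the article or from Aryaka's report), the chain described above can be expressed as a correlation rule: PowerShell started from a newly mounted ISO volume, followed on the same host by a kernel driver loaded from outside the usual driver directory. The normalized event schema, field names, time window and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)               # assumed correlation window
DRIVER_DIR = r"c:\windows\system32\drivers"  # usual driver location

# Constructed sample telemetry; the normalized field names are hypothetical.
EVENTS = [
    {"ts": "2026-03-10T09:00:05", "host": "hr-ws-01", "type": "iso_mount", "drive": "E:"},
    {"ts": "2026-03-10T09:00:20", "host": "hr-ws-01", "type": "process",
     "image": "powershell.exe", "parent": "explorer.exe", "cwd": "E:\\"},
    {"ts": "2026-03-10T09:01:10", "host": "hr-ws-01", "type": "driver_load",
     "path": r"C:\Users\Public\example.sys", "signed": True},
    {"ts": "2026-03-10T09:02:00", "host": "it-ws-07", "type": "process",
     "image": "powershell.exe", "parent": "explorer.exe", "cwd": "C:\\Users\\admin"},
    {"ts": "2026-03-10T09:03:00", "host": "it-ws-07", "type": "driver_load",
     "path": r"C:\Windows\System32\drivers\example.sys", "signed": True},
]

def correlate(events, window=WINDOW):
    """Return (host, driver_path) for each driver load that follows PowerShell
    started from a freshly mounted ISO volume on the same host."""
    mounts, staged, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["type"] == "iso_mount":
            mounts[(host, ev["drive"].upper())] = ts
        elif ev["type"] == "process" and ev["image"].lower() == "powershell.exe":
            mounted = mounts.get((host, ev["cwd"][:2].upper()))
            if mounted and ts - mounted <= window:
                staged[host] = ts  # script host is running off the ISO volume
        elif ev["type"] == "driver_load" and host in staged:
            unusual = not ev["path"].lower().startswith(DRIVER_DIR)
            # A valid signature is not exculpatory: BYOVD drivers are signed.
            if unusual and ts - staged[host] <= window:
                alerts.append((host, ev["path"]))
    return alerts

if __name__ == "__main__":
    for host, path in correlate(EVENTS):
        print(f"ALERT {host}: driver {path} loaded after PowerShell ran from a mounted ISO")
```

The rule deliberately ignores the driver's signature status, since the drivers in this campaign are described as signed but exploitable.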


Article by CyberSIXT