An ongoing campaign, probably originating from a Russian-speaking threat actor, uses social engineering to coax victims into downloading an ISO file from cloud storage services such as Dropbox. Once mounted, the ISO appears legitimate and its contents trigger the download of malware, including a module that Aryaka has dubbed BlackSanta.
According to Aryaka’s report, BlackSanta is a dedicated BYOVD-based component that enumerates running processes and, when it finds antivirus or EDR executables, terminates them at the kernel level to clear the path for credential harvesting, system reconnaissance and eventual data exfiltration with minimal resistance. The campaign targets HR hiring workflows, banking on the routine opening of attachments, with a typical lure being a resume found inside the mounted ISO.
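As an added example (not from Aryaka's report or the campaign's code), a minimal correlation check a defender could run over endpoint telemetry for the kill pattern described above: a third-party kernel driver load followed, within a short window on the same host, by termination of a security agent process. The event format, sample events and the protected process list are constructed assumptions to adapt to real telemetry.

```python
"""Correlate a simplified endpoint event stream for a BYOVD-style EDR kill."""
from collections import defaultdict
from datetime import datetime, timedelta

# Security agent process names to guard (constructed list; extend per environment).
PROTECTED = {"msmpeng.exe", "edr_agent.exe"}

# Constructed, simplified events (not real telemetry). The types loosely mirror
# Sysmon process create (1), driver load (6) and process terminate (5).
EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "hr-ws01", "type": "process_create",
     "image": "E:\\Resume.pdf.exe", "parent": "explorer.exe"},
    {"ts": "2024-01-10T09:00:05", "host": "hr-ws01", "type": "driver_load",
     "driver": "C:\\Windows\\Temp\\drv.sys", "signer": "ExampleCo Ltd"},
    {"ts": "2024-01-10T09:00:09", "host": "hr-ws01", "type": "process_terminate",
     "image": "MsMpEng.exe"},
    # Agent restart on another host with no preceding driver load: should not alert.
    {"ts": "2024-01-10T12:30:00", "host": "fin-ws07", "type": "process_terminate",
     "image": "MsMpEng.exe"},
]


def detect_byovd_edr_kill(events, window=timedelta(minutes=5)):
    """Return one alert per (driver load, protected process termination) pair
    on the same host where the termination follows the load within `window`."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        recent_drivers = []  # (load time, driver path) seen on this host
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["type"] == "driver_load" and not e.get("signer", "").startswith("Microsoft"):
                recent_drivers.append((t, e["driver"]))
            elif e["type"] == "process_terminate" and e["image"].lower() in PROTECTED:
                for load_time, driver in recent_drivers:
                    if t - load_time <= window:
                        alerts.append({"host": host, "driver": driver,
                                       "killed": e["image"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_byovd_edr_kill(EVENTS):
        print(alert)
```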
Aryaka has found evidence the operation has been active for about a year, harvesting data and cryptocurrency artefacts, and describes it as an intrusion engineering operation that blends social engineering, living-off-the-land techniques, steganography and kernel abuse.