A new malware campaign targeting human resources and recruiting staff has seen attackers distribute malicious files disguised as job applications, according to Aryaka Threat Research Lab. The operation uses a specialized tool known as BlackSanta to disable endpoint detection and response (EDR) systems after a device has been compromised.
The campaign mainly spreads through phishing emails containing links to files presented as resumes; when opened, the files trigger a multi-stage infection process that quietly deploys malware on the victim’s system. The researchers said the attack chain allows the threat actors to gather detailed system information before launching additional payloads, and they describe the group behind the operation as likely Russian-speaking.
The malicious files imitate legitimate documents such as resumes. Once downloaded and executed, the malware conducts system reconnaissance, checks for virtual machines and sandboxes, performs geographic filtering, attempts to disable antivirus and EDR, and downloads additional payloads after the initial compromise. The BlackSanta module itself functions as an EDR killer, aiming to neutralise security software that might otherwise block malicious activity.