BlackSanta Malware Targets HR: New EDR Killer & Stealthy Tactics
A new, sophisticated malware campaign dubbed BlackSanta is specifically targeting Human Resources (HR) departments, employing a combination of social engineering and advanced evasion techniques to steal sensitive information. The campaign, which has been active for over a year, utilizes an “EDR killer” component designed to disable endpoint detection and response systems, allowing malicious payloads to operate undetected. Researchers at Aryaka, a network and security solutions provider, first identified the threat and have been tracking its evolution.
How BlackSanta Operates
The attack chain begins with spear-phishing emails, suspected by Aryaka researchers, that lure targets into downloading ISO image files. These files are disguised as resumes and hosted on common cloud storage services like Dropbox. Once opened, the ISO file reveals a seemingly innocuous set of files: a Windows shortcut (.LNK) masquerading as a PDF, a PowerShell script, an image and a .ICO file. However, Here’s a carefully constructed deception.
The shortcut file, when clicked, launches PowerShell and executes the embedded script. This script then extracts hidden data from the image file using a technique called steganography, executing it directly in system memory. Crucially, the script also downloads a ZIP archive containing a legitimate SumatraPDF executable alongside a malicious Dynamic Link Library (DLL) named DWrite.dll. This DLL is then loaded using a technique known as DLL sideloading, allowing the malicious code to run within the context of a trusted application.
Source: Aryaka
Following initial compromise, the malware performs system fingerprinting, gathering information about the compromised system and sending it to a command-and-control (C2) server. It then conducts extensive checks to identify if it’s running within a sandbox, virtual machine, or debugging environment – all common tools used by security researchers. If any of these are detected, the malware halts execution to avoid analysis. BlackSanta also actively weakens host security by modifying Windows Defender settings, including adding exclusions for files with the extensions ‘.dls’ and ‘.sys’, and reducing telemetry data sent to Microsoft’s security cloud. Disk-write tests are performed, and additional payloads are downloaded from the C2 server and executed through a process known as process hollowing, injecting malicious code into legitimate processes.
The BlackSanta EDR Killer Component
At the heart of this campaign is the BlackSanta EDR killer, a module specifically designed to disable endpoint security solutions. This component enumerates running processes, comparing their names against a large, hardcoded list of antivirus, EDR (Endpoint Detection and Response), SIEM (Security Information and Event Management), and forensic tools. Once identified, the malware uses loaded drivers to unlock and terminate these processes at the kernel level, effectively blinding security monitoring. A partial list of targeted security products is publicly available in research from Aryaka here.

Source: Aryaka
To further evade detection, BlackSanta also suppresses Windows notifications, minimizing or completely silencing user alerts that might indicate a security breach. This stealthy approach allows the attackers to operate undetected for extended periods.
Bring Your Own Driver (BYOD) and Elevated Privileges
Researchers discovered that the malware also downloads Bring Your Own Driver (BYOD) components, specifically the RogueKiller Antirootkit driver v3.1.0 from Adlice Software and IObitUnlocker.sys v1.2.0.1 from IObit. This tactic isn’t new; similar techniques have been observed in other malware operations, including the DragonForce ransomware (BleepingComputer) and GhostEngine mining attacks (BleepingComputer). These drivers provide the malware with low-level access to system memory and processes, enabling it to bypass file and process locks and manipulate kernel hooks for enhanced control.
Who is Targeted and What’s at Risk?
The campaign’s consistent focus on HR departments suggests the attackers are specifically seeking sensitive employee data, including personally identifiable information (PII), payroll details, and potentially intellectual property. The attackers are described as a Russian-speaking threat actor, though specific attribution remains unconfirmed. The targeted nature of the campaign and the sophistication of the techniques employed indicate a well-resourced and highly motivated adversary. Organizations relying on standard endpoint security solutions may be particularly vulnerable, as BlackSanta is designed to bypass these defenses.
Operational Security and Persistence
Aryaka researchers emphasize the threat actor demonstrates strong operational security, utilizing context-aware and stealthy infection chains. The campaign has been running unnoticed for over a year, highlighting the effectiveness of the attackers’ evasion tactics. While the researchers were unable to retrieve the final payload used in the observed case due to C2 server unavailability, they identified additional infrastructure linked to the same threat actor, revealing the scale of the operation.
Mitigation and Next Steps
Given the campaign’s focus on HR departments and the use of spear-phishing emails, employee training on identifying and reporting suspicious emails is crucial. Organizations should also review and strengthen their email security protocols, including implementing robust spam filtering and phishing detection mechanisms. Regularly updating endpoint security solutions and ensuring that Windows Defender is properly configured are also essential steps. Monitoring network traffic for communication with known malicious IP addresses and domains can help detect and prevent infections. The researchers at Aryaka continue to monitor the threat and provide updates as new information becomes available. Organizations should consult security advisories and threat intelligence reports to stay informed about the latest developments and adjust their defenses accordingly.
Further investigation is needed to fully understand the scope of the campaign, the specific data targeted, and the ultimate goals of the attackers. The ongoing analysis of BlackSanta and its components will undoubtedly reveal new insights into the evolving tactics of sophisticated threat actors.