'BlackSanta' EDR Killer Targets HR Workflows
A campaign by Russian-speaking cyberattackers hijacks workflows to deliver security-busting malware, allowing attackers to steal data without detection.
Elizabeth Montalbano,Contributing Writer
March 10, 2026
3 Min Read
Russian-speaking threat actors are targeting human resources (HR) workflows with an attack campaign that conceals a malicious tool within steganographic image files and can bust endpoint detection and response (EDR) systems.
The 'BlackSanta' threat campaign, which has been operating for about a year, delivers not gifts to those on the receiving end of attacks, but instead eponymous malware that can disable security protections at a deep system level, according to a report by Aryaka Threat Labs today, shared with Dark Reading.
This allows attackers to exfiltrate sensitive data from infected systems while maintaining HTTPS communication with its command-and-control (C2) server, "with little chance of detection," Aditya K. Sood, vice president of security engineering and AI strategy at Aryaka, says.
"In easier terms, BlackSanta is a bring-your-own-vulnerable-device (BYOVD)-based EDR killer," he tells Dark Reading about the ultimate payload of the campaign.
To achieve its end goal, attackers target standard HR workflows, in which hiring teams frequently open résumés and attachments sent by job applicants, "which unintentionally creates an easy entry point for attackers," Sood says. "Because recruiters often work under time pressure and HR systems may not be as tightly secured as other parts of the organization, recruitment workflows can become an attractive target for cyber threats."
The BlackSanta Multistep Cyberattack Flow
The attack begins with a résumé-themed optical disc image (ISO) file delivered through typical recruitment channels and hosted on trusted cloud infrastructure, aiming to fool recruiters into thinking the file is safe. However, when someone opens the file, it executes a malicious shortcut (LNK), triggering the next phase without raising immediate suspicion.
The shortcut launches obfuscated PowerShell commands that extract hidden payloads embedded within a steganographic image, sideloading a malicious DLL using a legitimate signed application, according to the report. This allows the attacker's code to run under the guise of trusted software.
Once the malware is executed, it performs extensive validation before fully running, to make sure it is not inside a controlled analysis environment, Sood wrote in the report. "The checks focus on identifying virtual machines, debuggers, sandbox environments, analysis tools, and low-resource or emulated systems."
Treating Targets as Naughty, Not Nice
Once it becomes clear that the environment is a legitimate system, the malicious code deploys its ultimate payload: the EDR killer BlackSanta, which loads legitimate but exploitable kernel drivers — the "OVD" of its BYOVD capabilities — to gain low-level system access.
And once BlackSanta is active, it starts disabling security protections that systems rely on to detect malware, including terminating antivirus (AV) processes, shutting down EDR agents, weakening Microsoft Defender protections, suppressing system logging, and removing visibility from security consoles.
"In effect, it clears the runway before exfiltration," according to the report. "As the BlackSanta malware uses signed drivers, detection becomes significantly more difficult."
Once the tool clears the way, attackers gain a foothold in the system through what Sood called an operation marked by "disciplined intrusion engineering." From there, they can exfiltrate sensitive data and send it back to their C2 without interference from security protections.
"This operation reflects a mature adversary capable of blending social engineering, living-off-the-land techniques, steganography, and kernel-level abuse to achieve stealthy persistence and credential theft," Sood wrote.
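The chain described above (explorer-launched hidden or encoded PowerShell, an unsigned DLL loaded from a user-writable path by a signed host process, then a signed-but-vulnerable driver load) is something a detection engineer can correlate from endpoint telemetry. The script below is an added example written for this article, not code from Aryaka Threat Labs or Dark Reading. It assumes a simplified Sysmon-like record schema (EventID 1 = process create, 7 = image load, 6 = driver load, plus a ProcessSigned field that real Sysmon does not emit), the sample events are constructed, and the driver-hash blocklist holds a placeholder value rather than a real hash; in practice that set would be fed from a curated vulnerable-driver list such as the one Microsoft maintains for its driver blocklist.

```python
"""Correlate BYOVD-style delivery chain stages per host from constructed endpoint events.

Added example, not Aryaka's or Dark Reading's code. Schema and sample data are
constructed assumptions; the driver hash set holds a placeholder, not a real IoC.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder entry: populate from a curated vulnerable-driver list in practice.
VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER_SHA256_VULNERABLE_DRIVER"}
# Path fragments that indicate a user-writable location (lower-cased, backslash-delimited).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
WINDOW = timedelta(minutes=15)  # stages must land within this span to count as one chain


def stage_of(ev):
    """Map one event to a chain stage name, or None if it is not suspicious on its own."""
    eid = ev["EventID"]
    if eid == 1:  # process creation
        cmd = ev["CommandLine"].lower()
        encoded = " -enc" in cmd or "-encodedcommand" in cmd
        hidden = "-w hidden" in cmd or "-windowstyle hidden" in cmd
        if (ev["Image"].lower().endswith("powershell.exe")
                and ev["ParentImage"].lower().endswith("explorer.exe")
                and (encoded or hidden)):
            return "explorer_spawned_powershell"  # LNK double-click pattern
    elif eid == 7:  # image (DLL) load
        loaded = ev["ImageLoaded"].lower()
        if (ev["Signed"] == "false" and ev["ProcessSigned"] == "true"
                and any(p in loaded for p in USER_WRITABLE)):
            return "dll_sideload"  # signed host process, unsigned DLL from writable dir
    elif eid == 6:  # driver load; BYOVD drivers are signed, so key on hash not signature
        if ev["Hashes"].get("SHA256") in VULNERABLE_DRIVER_HASHES:
            return "vulnerable_driver"
    return None


def correlate(events):
    """Group stage hits per host and score the chain that starts at the first hit."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            hits[ev["Host"]].append((ev["ts"], stage))
    findings = []
    for host, seq in hits.items():
        start = seq[0][0]
        stages = list(dict.fromkeys(s for t, s in seq if t - start <= WINDOW))  # ordered, de-duplicated
        if "vulnerable_driver" in stages and "explorer_spawned_powershell" in stages:
            severity = "high"    # delivery plus kernel-level tampering on one host
        elif len(stages) >= 2:
            severity = "medium"
        else:
            severity = "low"     # a lone hidden-window PowerShell is common admin noise
        findings.append({"host": host, "severity": severity, "stages": stages})
    return findings


# --- constructed sample telemetry -------------------------------------------------
T0 = datetime(2026, 3, 10, 9, 0, 0)


def _ev(minutes, host, **fields):
    return {"ts": T0 + timedelta(minutes=minutes), "Host": host, **fields}


SAMPLE_EVENTS = [
    _ev(0, "HR-WS01", EventID=1,
        Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        ParentImage=r"C:\Windows\explorer.exe",
        CommandLine="powershell.exe -w hidden -EncodedCommand <base64-placeholder>"),
    _ev(1, "HR-WS01", EventID=7,
        Image=r"C:\Users\recruiter\AppData\Local\Temp\vendor\signedapp.exe", ProcessSigned="true",
        ImageLoaded=r"C:\Users\recruiter\AppData\Local\Temp\vendor\helper.dll", Signed="false"),
    _ev(3, "HR-WS01", EventID=6, ImageLoaded=r"C:\Windows\Temp\drv.sys", Signed="true",
        Hashes={"SHA256": "PLACEHOLDER_SHA256_VULNERABLE_DRIVER"}),
    # Benign-looking hidden PowerShell on another HR host: scores low, not high.
    _ev(5, "HR-WS02", EventID=1,
        Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        ParentImage=r"C:\Windows\explorer.exe",
        CommandLine=r"powershell.exe -w hidden -File C:\scripts\inventory.ps1"),
    _ev(6, "FIN-WS03", EventID=1, Image=r"C:\Windows\System32\notepad.exe",
        ParentImage=r"C:\Windows\explorer.exe", CommandLine="notepad.exe report.txt"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['severity']} {' -> '.join(f['stages'])}")
```

The scoring deliberately treats a single explorer-spawned hidden PowerShell as low severity, since that alone is frequent in legitimate environments; it is the combination with an unsigned DLL loaded by a signed binary and a blocklisted driver on the same host inside the window that justifies a high-severity alert.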
HR Systems Need Better Security
HR systems are an often overlooked part of security strategies, as recruitment pipelines are "often perceived as routine operations," Sood wrote in the report. However, they are rapidly becoming high-value attack surfaces and going forward should be regarded as such, he said.
Indeed, the campaign illustrates how attackers are targeting operational business workflows — particularly HR pipelines — to bypass perimeter defenses and escalate privileges. Sood advised security teams to apply to HR environments the same monitoring, attachment controls, and endpoint hardening that are typically reserved for higher-value systems.
"Organizations should treat HR workflows with the same defensive rigor as finance and IT administrative functions," Sood tells Dark Reading. "Strengthening endpoint protections on HR systems, monitoring unusual activity, and increasing security awareness among recruiting teams can significantly reduce the likelihood that such attacks succeed."
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.