BlackSanta: kernel‑level EDR killers that exploit HR recruitment workflows
BlackSanta is a focused, kernel‑level intrusion campaign that has quietly targeted HR teams for more than a year, using resume‑themed ISO files and signed but vulnerable drivers to disable endpoint defenses and siphon sensitive data without triggering normal alerts.
What makes BlackSanta different
This is not opportunistic commodity malware. BlackSanta combines spear‑phishing aimed at recruitment channels with a disciplined, multi‑stage engineering effort: social engineering to reach HR inboxes, living‑off‑the‑land execution, steganographic payloads, and kernel exploitation via Bring‑Your‑Own‑Vulnerable‑Driver (BYOVD) techniques. The campaign’s design prioritizes stealth inside the enterprise rather than broad infection counts.
Attackers deliberately target HR because recruitment workflows mix urgent deadlines, frequent contact with unknown external parties, and often weaker attachment policies or endpoint hardening than finance or IT. Those operational traits give attackers repeatable opportunities to deliver ISO attachments that, once mounted, appear as local drives and look legitimate to busy HR staff.
How the infection chain and EDR killing work
Delivery begins with resume‑themed ISO files sent by spear‑phishing or hosted on cloud services such as Dropbox. When a recipient mounts the ISO it appears as a local drive; malicious shortcuts launch obfuscated PowerShell that extracts hidden payloads embedded via steganography. A sideloaded DLL—loaded through a signed, legitimate executable—gives the attackers a user‑mode foothold.
From there BlackSanta uses BYOVD to load signed but exploitable kernel drivers (examples observed include drivers associated with RogueKiller Antirootkit and IObitUnlocker). Those drivers grant low‑level access to memory and process structures, enabling the EDR‑killer module to terminate AV/EDR processes, weaken Microsoft Defender configuration, suppress telemetry, and silence user alerts. The malware avoids analysis by aborting when it detects virtual machines, sandboxes or debugging tools, and on systems localized to Russia/CIS.
| Stage | Mechanism | Notable detection signals | Why detection is hard |
|---|---|---|---|
| Delivery | Resume ISO on cloud link; mounted as local drive; shortcut→PowerShell | Unusual ISO mounts; .lnk launching PowerShell; cloud‑hosted resume links | Looks like normal HR attachments; user‑initiated mounting masks automated filters |
| Unpack/Execution | Obfuscated PowerShell, steganographic payload extraction, DLL sideload | Script obfuscation, anomalous DLL load chain | Living‑off‑the‑land tools and signed binaries reduce static indicators |
| Kernel access / EDR kill | BYOVD loads signed vulnerable drivers to manipulate kernel | Unsigned/oddly signed driver installs, driver syscall hooks, Defender setting changes | Signed drivers appear legitimate; kernel actions evade user‑mode telemetry |
| Data exfiltration | Memory‑resident payloads, process hollowing, encrypted HTTPS C2 | Process hollowing artifacts, unusual outbound TLS sessions to low‑profile domains | Minimal disk artifacts and suppressed telemetry reduce forensic traces |
Operational context, parallels, and attacker trade‑offs
BlackSanta’s operational discipline—environment checks, geographic filtering, and a focus on low noise—reduces the chance of discovery but raises the bar for the attackers: they must maintain signed exploit chains and craft convincing HR lures. That investment explains the campaign’s longevity and targeted scope.
Similar HR‑focused campaigns exist (for example, TA4557’s More_eggs backdoor uses server polymorphism and CAPTCHA‑protected delivery), showing that attackers favor recruitment pipelines as high‑value, high‑success vectors. Compared with broad commodity threats, BlackSanta trades scale for persistence and stealth inside specific business functions.
Practical defenses and the next checkpoints
Defenders should treat HR systems and recruitment pipelines like any other high‑risk business function: restrict mounting of foreign ISOs, block suspicious signed driver installations, enforce strict attachment handling and multi‑factor verification for external contacts, and apply network segmentation between HR endpoints and sensitive directories. Focus detections on driver load events, unexpected Defender configuration changes, process hollowing signatures, and outbound TLS to low‑reputation domains.
The next key variables to monitor are (1) detection techniques for BYOVD‑based EDR killers—tools that can flag unusual signed driver behavior or kernel hooks—and (2) expansion of attack surfaces as organizations adopt cloud recruitment tooling and third‑party ATS integrations. Those two trends will materially change where and how BlackSanta‑style attacks succeed.
Q: What’s the single most important thing to monitor now?
Watch for anomalous signed driver loads and sudden changes to endpoint protection settings combined with resume‑style attachments or ISO mounts in HR workflows; that pattern is a practical early indicator of BYOVD‑style EDR disabling attempts.
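The correlation that the defensive guidance above and this answer both describe can be sketched in code. The following is an added example written for this page, not code from the original article or from any vendor report: it runs a handful of constructed Sysmon‑style events through a small correlator that tags three stages of the chain (PowerShell launched by Explorer from a mounted drive or with obfuscation flags, a driver load from a user‑writable path or matching a vulnerable‑driver hash list, and a Defender protection setting being switched off) and raises an alert only when at least two distinct stages occur on one host inside a time window. The event schema, host names, paths and hashes are constructed; the driver file name and hash are placeholders rather than the drivers named in the article, and the Defender setting names are the real Set‑MpPreference switches.

```python
"""Correlate endpoint telemetry for the ISO -> PowerShell -> BYOVD -> Defender-tamper
chain described in the article. All events below are constructed samples; the
field names are an assumption loosely modelled on Sysmon-style events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder hash list. In practice populate from a curated vulnerable-driver
# list (e.g. the LOLDrivers project or Microsoft's vulnerable driver blocklist).
KNOWN_VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER_SHA256_0001"}

# Drivers legitimately live under System32\drivers; loads from these locations
# deserve a second look even when the binary carries a valid signature.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")

# Real Set-MpPreference switches an EDR killer would flip; "1" means disabled.
DEFENDER_TAMPER_SETTINGS = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"ts": "2024-05-01T09:00:05", "host": "HR-WS-01", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cwd": "E:\\",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc <base64-placeholder>"},
    {"ts": "2024-05-01T09:02:41", "host": "HR-WS-01", "type": "driver_load",
     "image": r"C:\Users\hr.user\AppData\Local\Temp\placeholder_vuln_driver.sys",
     "signed": True, "sha256": "PLACEHOLDER_SHA256_0001"},
    {"ts": "2024-05-01T09:03:10", "host": "HR-WS-01", "type": "defender_config_change",
     "setting": "DisableRealtimeMonitoring", "new_value": "1"},
    # Benign host: one signed driver loading from System32 and nothing else.
    {"ts": "2024-05-01T09:15:00", "host": "FIN-WS-07", "type": "driver_load",
     "image": r"C:\Windows\System32\drivers\legit_vendor.sys",
     "signed": True, "sha256": "PLACEHOLDER_SHA256_BENIGN"},
]


def stage_of(ev):
    """Map a single event to a stage of the chain, or None when it looks benign."""
    kind = ev["type"]
    image = ev.get("image", "").lower()

    if kind == "process_create" and image.endswith(("powershell.exe", "pwsh.exe")):
        cmd = ev.get("cmdline", "").lower()
        # Shortcut on a mounted ISO: Explorer spawns PowerShell with its working
        # directory on a drive other than the system volume (heuristic: assumes C:).
        from_mounted_media = not ev.get("cwd", "C:\\").upper().startswith("C:")
        launched_by_explorer = ev.get("parent", "").lower().endswith("explorer.exe")
        obfuscated = " -enc" in cmd or " -encodedcommand" in cmd or " -w hidden" in cmd
        if launched_by_explorer and (from_mounted_media or obfuscated):
            return "lotl_powershell"

    if kind == "driver_load":
        if ev.get("sha256") in KNOWN_VULNERABLE_DRIVER_HASHES:
            return "vulnerable_driver"
        if any(marker in image for marker in USER_WRITABLE_MARKERS):
            return "vulnerable_driver"

    if (kind == "defender_config_change"
            and ev.get("setting") in DEFENDER_TAMPER_SETTINGS
            and ev.get("new_value") == "1"):
        return "defender_tamper"
    return None


def correlate(events, window=timedelta(minutes=30), min_stages=2):
    """Alert per host when >= min_stages distinct stages occur within `window`.

    Any one stage alone is noisy (admins load drivers, HR staff mount ISOs);
    the combination is what the article calls the practical early indicator."""
    hits_by_host = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            hits_by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage, ev))

    alerts = []
    for host, hits in hits_by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _, _) in enumerate(hits):
            cluster = [h for h in hits[i:] if h[0] - start <= window]
            stages = sorted({s for _, s, _ in cluster})
            if len(stages) >= min_stages:
                alerts.append({"host": host, "first_seen": start.isoformat(),
                               "stages": stages, "events": [e for _, _, e in cluster]})
                break  # one alert per host is enough to open a triage ticket
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} first seen {alert['first_seen']}: "
              f"{', '.join(alert['stages'])}")
```

Run as a script it prints a single alert for the HR workstation and stays silent for the finance host, whose lone signed driver load from System32 matches no stage. The thresholds (`window`, `min_stages`) and the path heuristics are tuning knobs: the point is that the driver load and the Defender change are each explainable on their own, and only their co‑occurrence with the mounted‑media PowerShell launch makes the pattern worth paging on.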

