Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New

Aryaka published their full threat report on the BlackSanta campaign on 10 March 2026, detailing a sophisticated multi-stage attack chain that has been operating against HR and recruitment teams for over a year. The campaign is notable for deploying EDR-killing capability at the start of the infection chain rather than post-exploitation – a deliberate architectural choice that inverts the assumptions most defenders rely on.


Changelog

Date         Summary
11 Mar 2026  Initial publication.

Your HR team opens CVs all day. That’s the job. An attacker with a fake resume, an ISO attachment, and a vulnerable kernel driver can use that exact workflow to disable your endpoint security and exfiltrate data before your EDR raises a single alert. That’s not hypothetical. It’s been running for over a year.

The Campaign

Aryaka Threat Labs documented the operation in a threat report published this week. The attacker is Russian-speaking, operationally cautious, and has been running this campaign since at least early 2025. The targets are HR professionals and recruiters – specifically the people whose job is to open unsolicited files from strangers.

The lure is a fake job application, hosted on a legitimate cloud storage service like Dropbox to avoid URL reputation filters. The file appears to be a resume. The recruiter downloads it, double-clicks it, and an ISO mounts as a virtual drive. From that point, the attacker is in.

Aryaka identified multiple IP addresses linked to the same infrastructure, which is how they established the campaign’s longevity. The C2 server was offline when researchers examined the final payload, so the exact end-stage objective remains unconfirmed. What they did recover was the full infection chain – and the BlackSanta module that makes it dangerous.

The Attack Chain

The ISO contains four files: a Windows shortcut disguised as a PDF, a PowerShell script, an image file, and an ICO file. The shortcut launches PowerShell, which executes the script. That script extracts a payload hidden inside the image using steganography, loads it directly into memory, and then downloads a ZIP archive from the C2 containing a legitimate SumatraPDF binary and a malicious DLL named DWrite.dll.

The DWrite.dll file is the sideloaded payload. Windows DLL loading checks the application directory before System32, so a malicious DWrite.dll placed alongside a legitimate binary will load in place of the real one. The real DWrite.dll – the DirectWrite font rendering library – lives in System32 and has nothing to do with PDF viewers. The malicious version does.

Before executing further, the malware fingerprints the system and sends the results to the C2. It then runs environment checks: looking for sandbox artifacts, virtual machine indicators, and debugging tools. If it finds any, it stops. This is not a spray-and-pray campaign; it’s designed to run only on real endpoints.

Assuming it passes those checks, the malware weakens Windows Defender settings, modifies registry values to reduce telemetry, and begins pulling additional payloads from the C2. Those payloads execute via process hollowing – injected into legitimate running processes to avoid detection. Then BlackSanta runs.

Why HR Specifically

HR teams face a structural problem that no amount of security awareness training solves. The job requires opening unsolicited attachments from strangers at high volume. A recruiter processing fifty applications in a day is not being careless when they open a CV; they’re doing their job. The attack surface isn’t a behaviour that can be trained away. It’s the workflow itself.

The file format diversity makes it worse. HR professionals expect .docx, .pdf, .zip, and increasingly ISO files (some software and portfolio tools distribute as disc images). A filter policy that blocks unexpected attachment types would generate noise and friction that the business will push back on. Attackers know this.

The data on HR endpoints makes them a high-value target. HR systems – Workday, BambooHR, and similar platforms – hold employee PII, salary data, offer letters, onboarding credentials, and org chart access. A compromised HR endpoint is a directory of the organisation. It’s a starting point for targeted follow-on attacks: social engineering executives, impersonating HR in payroll fraud, or mapping an organisation before a ransomware deployment.

Security teams typically apply the most scrutiny to developer endpoints, because developers have production access and write code that ships. HR endpoints are often treated as standard office machines. That’s the wrong threat model. The highest-volume unsolicited file opener in the organisation deserves at least as much endpoint hardening as a developer who commits to main.

This campaign isn’t isolated. The pattern of using recruitment workflows as an entry vector is documented across multiple threat actors. See also: the Cline rejection attack pattern and the broader enterprise threat landscape shift toward targeting identity and workflow rather than infrastructure directly.

BYOVD: Why This Technique Matters

BlackSanta’s core function is straightforward: enumerate running processes, compare them against a hardcoded list of AV, EDR, SIEM, and forensic tools, retrieve the process IDs for any matches, and terminate those processes at kernel level using loaded drivers.

The drivers used are legitimate but vulnerable. The campaign drops the RogueKiller Antirootkit driver (truesight.sys) v3.1.0 from Adlice Software and IObitUnlocker.sys v1.2.0.1 from IObit. Both are signed drivers from legitimate security vendors. Both contain exploitable vulnerabilities. RogueKiller’s driver allows manipulation of kernel hooks and memory monitoring; IObitUnlocker.sys allows bypassing file and process locks. Together, they give the malware ring 0 execution – kernel level, below any user-space security tool.

This is Bring Your Own Vulnerable Driver (BYOVD). The attacker doesn’t need to write a kernel exploit from scratch. They drop a signed, legitimate driver that Windows will load without complaint, exploit a known vulnerability in that driver to gain kernel execution, and then operate in a space where EDR cannot reach them.

BYOVD is not new. Lazarus Group, BlackMatter, AvosLocker, and DragonForce ransomware have all used it. What makes BlackSanta’s deployment notable is where in the chain it runs. Most BYOVD usage is post-exploitation – the attacker already has a foothold and uses the technique to expand access or disable defenses before deploying ransomware. BlackSanta deploys EDR-killing capability early, before the main payload even arrives. The premise is: if the EDR is down before anything suspicious happens, the rest of the chain runs clean.

Most security teams assume their EDR is running. That’s a reasonable assumption when the EDR is healthy. BlackSanta is a direct bet that this assumption is wrong – and it’s right, because the EDR was terminated before the assumption was tested.

Adding further evasion: the initial payload is concealed inside an image file using steganography. The image looks like a valid image to static analysis. The payload is extracted in memory and never written to disk in plaintext. Combined with the anti-VM checks, this campaign is designed to pass automated tooling at every stage of analysis before execution. Signature scanners see a clean image. Sandboxes see a process that exits cleanly. The EDR sees nothing, because it’s already dead.
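One way to make this mechanism visible on the endpoint is to watch driver loads rather than wait for the EDR to notice its own death. The Python below is an added example written for this post, not code from Aryaka’s report. It runs three checks over constructed Sysmon Event ID 6 (“Driver loaded”) records: a file name matching one of the two drivers the report names, a load path outside the normal driver directories, and a missing or invalid signature. The field names (ImageLoaded, Signed, SignatureStatus) are Sysmon’s; the events, hash and certificate strings are constructed placeholders, and the expected directories assume a default install on C:.

```python
"""Flag vulnerable-driver (BYOVD) loads in Sysmon Event ID 6 records.

Added example for this post, not code from Aryaka's report. Input is
constructed Sysmon-style "Driver loaded" events as 'Key: value | ...'
lines. Each record gets three checks: a file name the report names as
abused, a load path outside the usual driver directories, and a missing
or invalid signature. Production rules should match on the hashes and
version ranges in Microsoft's vulnerable driver blocklist, not names.
"""
from dataclasses import dataclass

# Driver file names from the BlackSanta report. Values are descriptive
# labels, not certificate subject names.
VULNERABLE_DRIVERS = {
    "truesight.sys": "RogueKiller Antirootkit driver (Adlice Software)",
    "iobitunlocker.sys": "IObit Unlocker driver (IObit)",
}

# Where drivers normally load from on a default install. Assumption:
# Windows is on C: and no vendor ships drivers from elsewhere.
EXPECTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore\filerepository",
)


@dataclass(frozen=True)
class Finding:
    image: str   # full path of the loaded driver
    reason: str  # short reason code for routing/aggregation
    detail: str  # analyst-facing context


def parse_event(line: str) -> dict:
    """Parse 'Key: value | Key: value' into a dict (split on first colon)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def split_path(path: str) -> tuple:
    """Return (directory, filename), lower-cased and backslash-normalised."""
    normalised = path.replace("/", "\\").lower()
    directory, _, name = normalised.rpartition("\\")
    return directory, name


def check_driver_load(event: dict) -> list:
    """Apply the three BYOVD checks to one Event ID 6 record."""
    if event.get("EventID") != "6":
        return []  # not a driver load
    image = event.get("ImageLoaded", "")
    directory, name = split_path(image)
    findings = []

    if name in VULNERABLE_DRIVERS:
        findings.append(Finding(image, "known-vulnerable-driver",
                                VULNERABLE_DRIVERS[name]))

    if not any(directory == d or directory.startswith(d + "\\")
               for d in EXPECTED_DRIVER_DIRS):
        findings.append(Finding(image, "unusual-load-path",
                                f"loaded from {directory}"))

    signed = event.get("Signed", "").lower()
    status = event.get("SignatureStatus", "")
    if signed != "true" or status != "Valid":
        findings.append(Finding(image, "unsigned-or-invalid-signature",
                                f"Signed={signed!r} SignatureStatus={status!r}"))
    return findings


def hunt_driver_loads(lines) -> list:
    """Run check_driver_load over every line and collect the findings."""
    findings = []
    for line in lines:
        findings.extend(check_driver_load(parse_event(line)))
    return findings


# Constructed sample telemetry, not real logs. Certificate subjects are
# placeholders. The last record is an image load, not a driver load.
SAMPLE_EVENTS = [
    r"EventID: 6 | ImageLoaded: C:\Windows\System32\drivers\ndis.sys | "
    "Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid",
    r"EventID: 6 | ImageLoaded: C:\Users\recruiter\AppData\Local\Temp\truesight.sys | "
    "Signed: true | Signature: <vendor cert placeholder> | SignatureStatus: Valid",
    r"EventID: 6 | ImageLoaded: C:\ProgramData\IObitUnlocker.sys | "
    "Signed: true | Signature: <vendor cert placeholder> | SignatureStatus: Valid",
    r"EventID: 6 | ImageLoaded: C:\Windows\Temp\helper.sys | "
    "Signed: false | Signature: | SignatureStatus: Unavailable",
    r"EventID: 7 | Image: C:\Windows\explorer.exe | "
    r"ImageLoaded: C:\Windows\System32\DWrite.dll | Signed: true | SignatureStatus: Valid",
]

if __name__ == "__main__":
    for f in hunt_driver_loads(SAMPLE_EVENTS):
        print(f"[{f.reason}] {f.image} :: {f.detail}")
```

A name match on its own is weak, since a renamed driver still loads, which is why the path and signature checks run regardless of the name. In production, key the denylist on the hashes and version ranges Microsoft publishes, and treat any one of the three findings on an HR endpoint as worth an analyst’s attention.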

What To Do

These are ordered by impact and implementation friction.

1. Block ISO, IMG, and VHD attachments at the mail gateway. No legitimate job application comes as a disc image. This is a zero-ambiguity rule. The MOTW bypass that makes ISO files attractive to attackers – Windows doesn’t mark files extracted from a mounted ISO as untrusted – disappears if the ISO never arrives. Most mail filtering solutions support this policy; most organisations haven’t applied it.

2. Apply BYOVD mitigations. Microsoft maintains a vulnerable driver blocklist that covers both truesight.sys and IObitUnlocker.sys. Enable Windows Defender Application Control (WDAC) with policy rules that prevent loading kernel drivers not on an approved list. This is the primary mitigation against BlackSanta’s mechanism; without the ability to load vulnerable drivers, the kernel-level EDR termination fails.

3. Segment HR endpoints. HR machines shouldn’t have unrestricted outbound connectivity. Egress rules that allow only known-good destinations significantly limit C2 communication. AppLocker or WDAC policies that prevent DLL sideloading from non-system paths remove the DWrite.dll vector entirely. Lateral movement becomes harder if HR endpoints are network-isolated from systems they don’t need to reach.

4. Hunt for DWrite.dll in non-system paths. The legitimate DirectWrite library lives at C:\Windows\System32\DWrite.dll. Any process loading DWrite.dll from an application directory, a user’s Downloads folder, or a temp path is anomalous. This is a low-noise detection rule that can be added to a SIEM today. Combined with a review of SumatraPDF process trees, it makes this specific infection chain visible.

5. Deploy canary documents on HR endpoints. A fake credentials file or HR system login doc placed on the desktop with a name like “Payroll Q1 2026.xlsx” generates no noise when it sits untouched. If it’s accessed by an unexpected process, that’s an alert worth acting on. This doesn’t stop the intrusion, but it catches post-compromise activity that EDR would have caught if it were still running.

6. Enable Credential Guard and Kernel DMA Protection. Both are Windows features that limit the blast radius of kernel-level compromise. Credential Guard isolates LSASS secrets from kernel-accessible memory. Kernel DMA Protection prevents driver-based DMA attacks. Neither stops BYOVD directly, but both reduce what an attacker can do once they have kernel access.
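Item 4 above is concrete enough to turn into a rule. The Python below is an added example for this post, not Aryaka’s code: it runs over constructed Sysmon-style records, flags any Event ID 7 image load of DWrite.dll from outside the system directories, notes whether the DLL sits beside the loading executable (the search-order sideload pattern from the attack chain), and uses Event ID 1 records to attach the parent process, so a SumatraPDF.exe spawned by powershell.exe is reported with that context. It assumes Windows is on C: and whitelists the SysWOW64 copy as well as System32, because 32-bit processes legitimately load DWrite.dll from there. The process paths and GUIDs in the sample are constructed.

```python
"""Hunt for DWrite.dll sideloading in Sysmon-style telemetry.

Added example for this post, not code from Aryaka or the report.
  * Event ID 7 (image loaded): dwrite.dll loaded from anywhere but the
    two system copies is flagged; a DLL in the loading process's own
    directory is the search-order sideload pattern.
  * Event ID 1 (process created): used only to attach the parent
    process to a flagged finding.
Assumptions: Windows is on C:, and 32-bit processes legitimately load
the SysWOW64 copy, so it is whitelisted alongside System32.
"""
from dataclasses import dataclass
from typing import Optional

LEGIT_DWRITE_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class SideloadFinding:
    process: str           # image that loaded the DLL
    dll_path: str          # where the DLL actually came from
    same_directory: bool   # DLL sits next to the executable
    parent: Optional[str]  # parent process, if an Event ID 1 was seen


def parse_event(line: str) -> dict:
    """Parse 'Key: value | Key: value' into a dict (split on first colon)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def split_path(path: str) -> tuple:
    """Return (directory, filename), lower-cased and backslash-normalised."""
    normalised = path.replace("/", "\\").lower()
    directory, _, name = normalised.rpartition("\\")
    return directory, name


def build_parent_map(events) -> dict:
    """ProcessGuid -> ParentImage, taken from Event ID 1 records."""
    return {
        ev["ProcessGuid"]: ev.get("ParentImage")
        for ev in events
        if ev.get("EventID") == "1" and "ProcessGuid" in ev
    }


def hunt_dwrite_sideload(lines) -> list:
    """Flag every dwrite.dll load that did not come from a system directory."""
    events = [parse_event(line) for line in lines]
    parents = build_parent_map(events)
    findings = []
    for ev in events:
        if ev.get("EventID") != "7":
            continue
        dll_dir, dll_name = split_path(ev.get("ImageLoaded", ""))
        if dll_name != "dwrite.dll" or dll_dir in LEGIT_DWRITE_DIRS:
            continue  # not DWrite, or the genuine system copy
        process = ev.get("Image", "")
        proc_dir, _ = split_path(process)
        findings.append(SideloadFinding(
            process=process,
            dll_path=ev.get("ImageLoaded", ""),
            same_directory=(proc_dir == dll_dir),
            parent=parents.get(ev.get("ProcessGuid")),
        ))
    return findings


# Constructed sample telemetry, not real logs; GUIDs are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SUMATRA = r"C:\Users\recruiter\AppData\Local\Temp\viewer\SumatraPDF.exe"
SAMPLE_EVENTS = [
    f"EventID: 1 | ProcessGuid: {{guid-ps}} | Image: {PS} | "
    r"ParentImage: C:\Windows\explorer.exe",
    f"EventID: 1 | ProcessGuid: {{guid-sumatra}} | Image: {SUMATRA} | "
    f"ParentImage: {PS}",
    f"EventID: 7 | ProcessGuid: {{guid-sumatra}} | Image: {SUMATRA} | "
    r"ImageLoaded: C:\Users\recruiter\AppData\Local\Temp\viewer\DWrite.dll | "
    "Signed: false | SignatureStatus: Unavailable",
    r"EventID: 7 | ProcessGuid: {guid-explorer} | Image: C:\Windows\explorer.exe | "
    r"ImageLoaded: C:\Windows\System32\DWrite.dll | Signed: true | SignatureStatus: Valid",
    r"EventID: 7 | ProcessGuid: {guid-32bit} | Image: C:\Program Files (x86)\Acme\Acme.exe | "
    r"ImageLoaded: C:\WINDOWS\SysWOW64\dwrite.dll | Signed: true | SignatureStatus: Valid",
]

if __name__ == "__main__":
    for f in hunt_dwrite_sideload(SAMPLE_EVENTS):
        print(f"{f.process} loaded {f.dll_path} "
              f"(same directory: {f.same_directory}, parent: {f.parent})")
```

The rule stays low-noise because legitimate software has no reason to ship its own DWrite.dll; the two system paths are the only expected sources. The parent enrichment is what turns a single DLL-load alert into the chain the article describes: a PDF viewer that was started by PowerShell and loads a font library from a temp directory is not a user opening a CV.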

The Actual Problem

HR is not a weak link because the people are careless. Recruiters who open job applications are not making a mistake; they’re doing exactly what the role requires. The weakness is structural: the function that involves the highest volume of unsolicited file interaction in the organisation has historically been treated as low-risk from an endpoint security perspective.

That was always the wrong model. This campaign makes it explicit.

The fix is not better training. The fix is treating HR endpoints as a high-risk endpoint category with commensurate controls: network segmentation, strict egress filtering, DLL sideloading restrictions, ISO attachment blocking, and active hunting for BYOVD indicators. The same scrutiny that is applied to developer machines because developers can push to production should be applied to HR machines, because HR can be used to map, compromise, and exfiltrate the entire organisation.

Aditya K Sood at Aryaka put it plainly: “Organizations should treat HR workflows with the same defensive rigor as finance and IT administrative functions.”

That’s the policy change. Everything else is implementation detail.