BlackSanta: EDR Killer Campaign Targets HR Departments

For over a year, a Russian‑speaking threat actor has quietly targeted human resource (HR) departments with a sophisticated malware campaign delivering a new EDR killer module dubbed BlackSanta. The operation blends spear‑phishing, advanced evasion, and stealthy infection chains to disable endpoint defenses and steal sensitive data.

Infection Chain

  • Initial lure:
    • Malicious ISO files disguised as resumes, hosted on cloud storage platforms like Dropbox.
    • ISO contents include a Windows shortcut (.LNK) masquerading as a PDF, a PowerShell script, an image, and an .ICO file.
  • Execution:
    • The shortcut launches PowerShell, which extracts hidden code from the image using steganography.
    • Downloads a ZIP archive containing a legitimate SumatraPDF executable and a malicious DLL (DWrite.dll) for DLL sideloading.
  • Evasion techniques:
    • Fingerprints the system and halts execution if sandboxes, VMs, or debugging tools are detected.
    • Modifies Windows Defender settings to weaken host security.
    • Uses process hollowing to inject payloads into legitimate processes.
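The chain above leaves two telemetry signals a defender can hunt for without any signature for the final payload: Explorer spawning a hidden PowerShell that works on an image file (the .LNK-as-PDF lure feeding the steganography stage), and SumatraPDF loading DWrite.dll from somewhere other than a Windows system directory (the sideload). The following is an added example, not code from the article or from any vendor product; it runs those two rules over a constructed, Sysmon-style event stream whose field names (`type`, `image`, `parent_image`, `command_line`, `loaded`) are this example's own, and the command-line heuristic in the first rule is an assumption, not a documented indicator from the campaign.

```python
"""Hunting the BlackSanta infection chain in endpoint telemetry (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Directories a signed Windows DLL such as DWrite.dll is expected to load from.
WINDOWS_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Legitimate executable abused for sideloading (named in the article) -> DLL it
# should only ever load from a Windows directory.
SIDELOAD_PAIRS = {"sumatrapdf.exe": {"dwrite.dll"}}


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_lnk_powershell_stego(ev: dict) -> Optional[Alert]:
    """The .LNK-as-PDF lure: Explorer spawns a hidden PowerShell whose command line
    references an image file, the carrier for the steganographically hidden stage.
    (Heuristic assumed for this example.)"""
    if ev["type"] != "process_create" or _basename(ev["image"]) != "powershell.exe":
        return None
    if _basename(ev["parent_image"]) != "explorer.exe":
        return None
    cmd = ev["command_line"].lower()
    hidden = "-w hidden" in cmd or "-windowstyle hidden" in cmd
    refs_image = any(ext in cmd for ext in (".png", ".jpg", ".jpeg", ".bmp"))
    if hidden and refs_image:
        return Alert("lnk_powershell_stego", ev["command_line"])
    return None


def rule_dll_sideload(ev: dict) -> Optional[Alert]:
    """SumatraPDF loading DWrite.dll from anywhere except a Windows system directory."""
    if ev["type"] != "image_load":
        return None
    exe, dll = _basename(ev["image"]), ev["loaded"].lower()
    if exe in SIDELOAD_PAIRS and _basename(dll) in SIDELOAD_PAIRS[exe]:
        if not dll.startswith(WINDOWS_DLL_DIRS):
            return Alert("dll_sideload", f"{exe} loaded {ev['loaded']}")
    return None


RULES = (rule_lnk_powershell_stego, rule_dll_sideload)


def analyze(events: Iterable[dict]) -> List[Alert]:
    """Run every rule over every event and collect alerts in stream order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events modelled on the chain described in the article.
SAMPLE_EVENTS = [
    {   # benign: a user opens a real PDF with an installed SumatraPDF
        "type": "process_create", "image": r"C:\Users\hr\AppData\Local\SumatraPDF\SumatraPDF.exe",
        "parent_image": r"C:\Windows\explorer.exe", "command_line": "SumatraPDF.exe resume.pdf",
    },
    {   # lure: the .LNK on the mounted ISO launches a hidden PowerShell against an image
        "type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r"powershell.exe -w hidden -ep bypass -f D:\setup.ps1 D:\photo.jpg",
    },
    {   # benign: DWrite.dll resolved from System32
        "type": "image_load", "image": r"C:\Users\hr\AppData\Local\SumatraPDF\SumatraPDF.exe",
        "loaded": r"C:\Windows\System32\DWrite.dll",
    },
    {   # sideload: DWrite.dll sitting next to the dropped SumatraPDF copy
        "type": "image_load", "image": r"C:\Users\hr\AppData\Roaming\sumatra\SumatraPDF.exe",
        "loaded": r"C:\Users\hr\AppData\Roaming\sumatra\DWrite.dll",
    },
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The sideload rule is the more robust of the two: it does not depend on the attacker's command-line choices, only on the fact that a trusted binary resolved a system DLL from a user-writable directory, which is what DLL sideloading always comes down to.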

BlackSanta EDR Killer

The centerpiece of the campaign is BlackSanta, designed to silence endpoint security solutions before deploying additional malware:

  • Adds Microsoft Defender exclusions for .dll and .sys files.
  • Alters Registry values to reduce telemetry and sample submission.
  • Suppresses Windows notifications to avoid alerting users.
  • Terminates security processes by:
    • Enumerating running processes.
    • Matching against a hardcoded list of AV, EDR, SIEM, and forensic tools.
    • Unlocking and killing processes at the kernel level using loaded drivers.

Additional Observations

  • Attackers leveraged Bring Your Own Driver (BYOD) techniques, using:
    • RogueKiller Antirootkit driver to manipulate kernel hooks.
    • IObitUnlocker.sys to bypass file and process locks.
  • These drivers provided low‑level access to memory and processes, enabling suppression of security tools.
  • Infrastructure analysis revealed multiple IP addresses tied to the same campaign, confirming it has been active for over a year.
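The EDR-killer behaviour (Defender exclusions and telemetry changes, then driver-assisted process termination) and the driver abuse above are best detected as a sequence on one host rather than as isolated events. The following is an added example, not code from the article or from any vendor product: it scores a constructed, Sysmon-style stream of registry-set and driver-load events (field names are this example's own). The Defender registry locations are the standard ones; the notification-suppression signature is an assumption about how "suppresses Windows notifications" might look, and the driver list carries a placeholder where the article names the RogueKiller product but not a driver file name.

```python
"""Detecting BlackSanta-style EDR tampering and driver abuse (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

DEFENDER = r"hklm\software\microsoft\windows defender"
POLICY_DEFENDER = r"hklm\software\policies\microsoft\windows defender"

# rule name -> (registry key prefix, value name or None for any, data or None for any)
TAMPER_SIGNATURES = {
    "defender_exclusion":   (DEFENDER + r"\exclusions\extensions", None, None),
    "telemetry_disabled":   (DEFENDER + r"\spynet", "spynetreporting", "0"),
    "samples_never_sent":   (DEFENDER + r"\spynet", "submitsamplesconsent", "2"),
    # Assumed signature for notification suppression (Defender Security Center policy).
    "notifications_hidden": (POLICY_DEFENDER + r" security center\notifications", "disablenotifications", "1"),
}

ABUSABLE_DRIVERS = {
    "iobitunlocker.sys",                  # named in the article
    "roguekiller_driver_placeholder.sys",  # placeholder: article names the product only; match on hash in production
}
DRIVER_RULES = {"abusable_driver_loaded", "driver_from_user_writable_path"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def check_registry(ev: dict) -> Optional[Finding]:
    """Match a registry-set event against the Defender tampering signatures."""
    key, value, data = ev["key"].lower(), ev["value"].lower(), str(ev["data"]).lower()
    for name, (prefix, want_value, want_data) in TAMPER_SIGNATURES.items():
        if not key.startswith(prefix):
            continue
        if want_value is not None and value != want_value:
            continue
        if want_data is not None and data != want_data:
            continue
        return Finding(ev["host"], name, f"{ev['key']}\\{ev['value']} = {ev['data']}")
    return None


def check_driver(ev: dict) -> Optional[Finding]:
    """Flag known-abusable driver names, then any driver loaded from a user-writable path."""
    path = ev["image"].lower()
    name = path.rsplit("\\", 1)[-1]
    if name in ABUSABLE_DRIVERS:
        return Finding(ev["host"], "abusable_driver_loaded", ev["image"])
    if any(seg in path for seg in USER_WRITABLE):
        return Finding(ev["host"], "driver_from_user_writable_path", ev["image"])
    return None


def analyze(events: Iterable[dict]) -> List[Finding]:
    """Per-event findings, then one correlated 'edr_killer_chain' finding per host that
    shows both Defender tampering and a suspicious driver load."""
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "registry_set":
            f = check_registry(ev)
        elif ev["type"] == "driver_load":
            f = check_driver(ev)
        else:
            f = None
        if f:
            findings.append(f)
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.rule)
    for host, rules in per_host.items():
        if rules & set(TAMPER_SIGNATURES) and rules & DRIVER_RULES:
            findings.append(Finding(host, "edr_killer_chain", ", ".join(sorted(rules))))
    return findings


# Constructed sample events: one HR workstation showing the full sequence, one
# finance workstation with only an unusual driver path.
SAMPLE_EVENTS = [
    {"type": "registry_set", "host": "HR-PC-07", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions", "value": ".dll", "data": 0},
    {"type": "registry_set", "host": "HR-PC-07", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet", "value": "SubmitSamplesConsent", "data": 2},
    {"type": "registry_set", "host": "HR-PC-07", "key": r"HKCU\Software\Microsoft\Office\16.0\Word", "value": "RecentFiles", "data": "resume.docx"},
    {"type": "driver_load", "host": "HR-PC-07", "image": r"C:\Users\hr\AppData\Local\Temp\IObitUnlocker.sys"},
    {"type": "driver_load", "host": "HR-PC-07", "image": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"type": "driver_load", "host": "FIN-PC-02", "image": r"C:\ProgramData\vendor\helper.sys"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host}: [{f.rule}] {f.detail}")
```

The user-writable-path rule is the one that survives a driver rename: a signed driver dropped into Temp or AppData is abnormal regardless of its file name, whereas name or hash blocklists only catch drivers already known to be abused.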

Defensive Recommendations

  • Email security: Harden defenses against spear‑phishing, especially in HR workflows.
  • File handling: Block ISO attachments or enforce sandbox analysis before execution.
  • EDR resilience: Deploy solutions with kernel‑level self‑protection against process termination.
  • Driver control: Restrict BYOD loading and monitor for unauthorized driver activity.
  • Threat hunting: Look for anomalies in PowerShell execution, steganography use, and DLL sideloading.

Final Thought

The BlackSanta campaign underscores how attackers are weaponizing HR workflows with stealthy malware designed to neutralize endpoint defenses. For defenders, the lesson is clear: EDR resilience, driver control, and proactive monitoring of HR‑centric attack vectors are critical to stopping advanced campaigns before they escalate.
