
'BlackSanta' threat campaign targets HR workflows to bypass EDR protections

A newly documented threat campaign uses résumé-themed files and steganography to deliver the BlackSanta EDR-evasion tool, targeting human resources pipelines. The campaign relies on legitimately signed but vulnerable kernel drivers to bypass endpoint security, demonstrating why organizations must extend strict endpoint hardening and monitoring to their recruitment workflows.

Triage Security Media Team

Russian-speaking threat actors are targeting human resources (HR) workflows with a campaign that conceals malicious code inside image files using steganography, and is specifically designed to bypass endpoint detection and response (EDR) systems.

The BlackSanta threat campaign has been operating for approximately a year. According to a report by Aryaka Threat Labs shared with Dark Reading, the campaign delivers a tool that disables security protections at the kernel level. With local defenses silenced, the threat actors exfiltrate sensitive data from compromised systems over HTTPS to their command-and-control (C2) server, so the traffic blends in with ordinary web browsing.

Aditya K. Sood, vice president of security engineering and AI strategy at Aryaka, notes that this ongoing communication occurs "with little chance of detection." Detailing the final phase of the intrusion, Sood explains, "In easier terms, BlackSanta is a bring-your-own-vulnerable-device (BYOVD)-based EDR killer."

To gain initial access, the campaign targets standard HR workflows. Hiring teams frequently open résumés and attachments sent by job applicants, "which unintentionally creates an easy entry point for attackers," Sood says. "Because recruiters often work under time pressure and HR systems may not be as tightly secured as other parts of the organization, recruitment workflows can become an attractive target for cyber threats."

The BlackSanta multistep intrusion sequence

The intrusion sequence begins with a résumé-themed optical disc image (ISO) file. Distributed through typical recruitment channels and hosted on trusted cloud infrastructure, the file is designed to look safe to recruiters. When the recipient opens it, Windows mounts the image as a virtual drive and presents a malicious shortcut (LNK) file; launching that shortcut advances the operation without any visible indicator.

The shortcut runs obfuscated PowerShell commands that extract a payload hidden inside an image file (steganography). According to the report, the script then starts a legitimate, signed application that sideloads a malicious DLL placed beside it, so the unauthorized code executes under the identity of trusted software.
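The delivery chain above (mounted ISO, shortcut, encoded PowerShell, DLL sideload) leaves a characteristic process lineage that can be checked from endpoint telemetry. The following Python is an added example written for this article, not code from the Aryaka report or from the campaign: it runs the check over constructed Sysmon-style process-creation (event ID 1) and image-load (event ID 7) records. The field names, the sample paths, the assumption that `C:` is the host's only fixed drive, and the list of user-writable directories are all assumptions made for the example.

```python
import re

# Assumption for the example: C: is the host's only fixed drive, so a working
# directory on any other letter is treated as a mounted ISO/IMG volume.
FIXED_DRIVES = {"C:"}

# PowerShell's -e/-ec/-enc/-EncodedCommand switch followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")

# Locations an unprivileged user can write to (assumption: a representative subset).
USER_WRITABLE = re.compile(r"(?i)\\(?:Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData|Users\\Public)\\")

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon-like events (eid 1 = process create, eid 7 = image load); not real telemetry.
EVENTS = [
    # explorer.exe launches the LNK target: PowerShell with an encoded command, cwd on the mounted ISO (D:)
    {"eid": 1, "pid": 4100, "ppid": 1200, "image": PS_IMAGE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "cwd": "D:\\"},
    # the script drops a signed helper and a DLL into AppData and runs the helper
    {"eid": 1, "pid": 4200, "ppid": 4100, "image": r"C:\Users\recruiter\AppData\Roaming\Updater\helper.exe",
     "parent_image": PS_IMAGE, "cmdline": "helper.exe", "cwd": r"C:\Users\recruiter\AppData\Roaming\Updater"},
    # the helper loads the unsigned DLL that sits beside it (sideload)
    {"eid": 7, "pid": 4200, "image": r"C:\Users\recruiter\AppData\Roaming\Updater\helper.exe",
     "image_loaded": r"C:\Users\recruiter\AppData\Roaming\Updater\version.dll", "signed": False},
    # benign noise: an interactive PowerShell session loading a system DLL
    {"eid": 1, "pid": 5000, "ppid": 1200, "image": PS_IMAGE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe", "cwd": r"C:\Users\recruiter"},
    {"eid": 7, "pid": 5000, "image": PS_IMAGE, "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def on_mounted_image(path):
    return path[:2].upper() not in FIXED_DRIVES


def process_indicators(ev):
    """Indicators on a process-creation event."""
    tags = set()
    if on_mounted_image(ev["cwd"]):
        tags.add("cwd_on_mounted_image")
    if ev["image"].lower().endswith("powershell.exe") and ENCODED_PS.search(ev["cmdline"]):
        tags.add("encoded_powershell")
    return tags


def imageload_indicators(ev):
    """Indicators on an image-load event: unsigned DLL from a writable location, next to its loader."""
    tags = set()
    dll = ev["image_loaded"]
    if not ev["signed"] and (USER_WRITABLE.search(dll) or on_mounted_image(dll)):
        tags.add("unsigned_dll_from_writable_dir")
        if _dirname(dll) == _dirname(ev["image"]):
            tags.add("dll_beside_loader")  # the classic sideload layout
    return tags


def detect_chain(events):
    """Alert when a suspicious DLL load has an ancestor showing the mounted-image + encoded-PowerShell pattern."""
    procs = {ev["pid"]: (ev["ppid"], process_indicators(ev)) for ev in events if ev["eid"] == 1}
    alerts = []
    for ev in events:
        if ev["eid"] != 7:
            continue
        tags = imageload_indicators(ev)
        if "unsigned_dll_from_writable_dir" not in tags:
            continue
        lineage, pid, seen = [], ev["pid"], set()
        while pid in procs and pid not in seen:  # walk up the process tree
            seen.add(pid)
            ppid, ptags = procs[pid]
            lineage.append(pid)
            tags |= ptags
            pid = ppid
        if {"encoded_powershell", "cwd_on_mounted_image"} <= tags:
            alerts.append({"pid": ev["pid"], "dll": ev["image_loaded"], "lineage": lineage, "tags": sorted(tags)})
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(EVENTS):
        print(alert)
```

Each indicator on its own (a process started from a removable drive, an encoded PowerShell command, an unsigned DLL in AppData) is noisy in a real estate; requiring them to appear along one process lineage is what keeps the rule usable. The lineage walk stops at the first parent that has no creation record, which is why telemetry must be retained for the whole session and not just the last few minutes.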

Before the payload fully executes, it runs a battery of anti-analysis checks to confirm it is not inside a controlled analysis environment. Sood wrote in the report, "The checks focus on identifying virtual machines, debuggers, sandbox environments, analysis tools, and low-resource or emulated systems."

EDR evasion and system access

Once the software verifies it is running on a standard enterprise endpoint, it deploys the BlackSanta evasion tool. This component uses the bring-your-own-vulnerable-driver (BYOVD) technique: it loads legitimately signed kernel drivers that carry known exploitable flaws and abuses those flaws to obtain kernel-level access.

After BlackSanta activates, it systematically disables the protections organizations rely on to detect unauthorized activity. This includes terminating antivirus (AV) processes, shutting down EDR agents, weakening Microsoft Defender protections, suppressing system logging, and removing visibility from security consoles.

"In effect, it clears the runway before exfiltration," the report states. "As the BlackSanta malware uses signed drivers, detection becomes significantly more difficult."
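Because a BYOVD driver carries a valid signature, signature checks alone will not catch it; the driver's identity (hash or version) and what happens immediately afterwards are the usable signals, and the loss of agent telemetry is itself a signal. The Python below is an added example written for this article (not code from the Aryaka report) that applies those three checks to constructed Sysmon-style driver-load (event ID 6) and process-terminate (event ID 5) records plus a synthetic agent heartbeat. The hostnames, paths, process list and the placeholder hash in the blocklist are assumptions made for the example; a real deployment would key the lookup on Microsoft's vulnerable driver blocklist or the LOLDrivers project.

```python
from datetime import datetime, timedelta

# Placeholder entry for the example (constructed hash). A real deployment would use
# Microsoft's vulnerable driver blocklist or the LOLDrivers project, not a hand-written dict.
VULNERABLE_DRIVER_SHA256 = {"ab" * 32: "placeholder vulnerable driver"}

# Security agent process names (assumption: a representative subset).
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "nissrv.exe", "senseir.exe",
                      "csfalconservice.exe", "sentinelagent.exe"}
DRIVER_DIR = "\\windows\\system32\\drivers\\"
KILL_WINDOW = timedelta(seconds=120)        # terminations this soon after a driver load are correlated
HEARTBEAT_INTERVAL = timedelta(seconds=60)  # assumed agent check-in cadence


def ts(s):
    return datetime.fromisoformat(s)


# Constructed events: Sysmon-like eid 6 (driver load) and eid 5 (process terminate), plus a synthetic
# "heartbeat" from the EDR agent to its console. Hosts, paths and hashes are invented for the example.
EVENTS = [
    {"ts": "2025-01-10T08:59:30", "eid": "heartbeat", "host": "HR-WS-07"},
    {"ts": "2025-01-10T09:00:00", "eid": 6, "host": "HR-WS-07", "image_loaded": r"C:\Windows\Temp\drv\tool.sys",
     "sha256": "ab" * 32, "signed": True, "signature": "Example Hardware Vendor Ltd"},
    {"ts": "2025-01-10T09:00:03", "eid": 5, "host": "HR-WS-07",
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"ts": "2025-01-10T09:00:04", "eid": 5, "host": "HR-WS-07",
     "image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"ts": "2025-01-10T09:00:05", "eid": 5, "host": "HR-WS-07",
     "image": r"C:\Program Files\Windows Defender\NisSrv.exe"},
    {"ts": "2025-01-10T09:01:00", "eid": 6, "host": "HR-WS-12", "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "sha256": "cd" * 32, "signed": True, "signature": "Microsoft Windows"},
    {"ts": "2025-01-10T09:04:30", "eid": "heartbeat", "host": "HR-WS-12"},
]


def driver_reasons(ev):
    """Why a driver load is suspicious. A valid signature is deliberately not exonerating."""
    reasons = []
    if ev["sha256"] in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash_on_vulnerable_driver_list")
    if DRIVER_DIR not in ev["image_loaded"].lower():
        reasons.append("driver_outside_system_drivers_dir")
    return reasons


def security_kills_after(events, host, t0, window=KILL_WINDOW):
    """Security-agent processes terminated on `host` within `window` after time t0."""
    kills = []
    for ev in events:
        if ev["eid"] == 5 and ev["host"] == host and t0 <= ts(ev["ts"]) <= t0 + window:
            name = ev["image"].rsplit("\\", 1)[-1]
            if name.lower() in SECURITY_PROCESSES:
                kills.append(name)
    return kills


def silent_hosts(events, now, interval=HEARTBEAT_INTERVAL):
    """Hosts whose agent has missed three check-ins: once the EDR is killed, silence is the only signal left."""
    last = {}
    for ev in events:
        if ev["eid"] == "heartbeat":
            last[ev["host"]] = max(last.get(ev["host"], datetime.min), ts(ev["ts"]))
    return sorted(host for host, t in last.items() if now - t > 3 * interval)


def detect_byovd(events):
    alerts = []
    for ev in events:
        if ev["eid"] != 6:
            continue
        reasons = driver_reasons(ev)
        if not reasons:
            continue
        kills = security_kills_after(events, ev["host"], ts(ev["ts"]))
        alerts.append({"host": ev["host"], "driver": ev["image_loaded"], "signed": ev["signed"],
                       "reasons": reasons, "kills": kills, "severity": "critical" if kills else "high"})
    return alerts


if __name__ == "__main__":
    now = ts("2025-01-10T09:05:00")
    for alert in detect_byovd(EVENTS):
        print(alert)
    print("silent hosts:", silent_hosts(EVENTS, now))
```

The correlation only works if the driver-load and terminate events leave the host before the agent dies, so the forwarding path (Sysmon to a collector, or the EDR's own streaming) must be near-real-time; the heartbeat check is the fallback for the case where it was not.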

With monitoring disabled, threat actors establish a foothold through what Sood describes as "disciplined intrusion engineering." From this position, they can identify sensitive data and transmit it back to their C2 infrastructure without interference from local security agents. At that stage, the only telemetry that can still reveal the intrusion is what leaves the host: proxy, DNS and network flow logs, identity logs, and the absence of the agent's own check-ins.

"This operation reflects a mature adversary capable of blending social engineering, living-off-the-land techniques, steganography, and kernel-level abuse to achieve stealthy persistence and credential theft," Sood wrote.

Securing human resources workflows

Security strategies often overlook HR systems, treating recruitment pipelines as routine operations rather than high-value targets. However, the BlackSanta campaign demonstrates that threat actors increasingly view operational business workflows as viable paths to bypass perimeter defenses and escalate privileges.

To protect against this methodology, security teams must apply the same monitoring, attachment controls, and endpoint hardening to HR environments that are standard practice for IT and finance departments. In practice that means inspecting inbound attachments by content rather than by file name (blocking or detonating disc images such as ISO and IMG files and shortcut files, which have no legitimate place in a job application), enabling Microsoft's vulnerable driver blocklist on endpoints so known BYOVD drivers cannot load, and alerting on driver loads from user-writable paths and on unexpected termination of security agents.

"Organizations should treat HR workflows with the same defensive rigor as finance and IT administrative functions," Sood says. "Strengthening endpoint protections on HR systems, monitoring unusual activity, and increasing security awareness among recruiting teams can significantly reduce the likelihood that such attacks succeed."
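Attachment controls that key on the file extension are defeated by a renamed file, so a mail gateway or upload filter should sniff the content. The following Python is an added example written for this article (not code from Aryaka or from any gateway product) that recognises ISO 9660/UDF images and Windows shortcut files by their format signatures, scans an image for shortcut headers at sector boundaries, and applies a simple block-or-allow policy. The sample "attachments" are constructed byte blobs (the ISO is a minimal stub carrying only the identifier and a shortcut header, not a mountable image), and the policy thresholds are assumptions.

```python
# Format facts used below: ISO 9660 places the identifier "CD001" at byte 1 of sector 16
# (2048-byte sectors); UDF places "BEA01"/"NSR02"/"NSR03" in the same region. A Windows
# shortcut begins with HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
SECTOR = 2048
VOLUME_DESC_OFF = 16 * SECTOR
ISO_IDENTIFIERS = (b"CD001", b"BEA01", b"NSR02", b"NSR03")
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Policy assumptions for the example.
BLOCKED_TYPES = {"iso", "lnk"}
EXT_FOR = {"iso": {"iso", "img"}, "lnk": {"lnk"}, "pdf": {"pdf"}, "zip": {"zip", "docx", "xlsx", "pptx"}}


def sniff(data):
    """Identify the container by content, ignoring the file name."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data[VOLUME_DESC_OFF + 1:VOLUME_DESC_OFF + 6] in ISO_IDENTIFIERS:
        return "iso"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"  # docx/xlsx/pptx share the zip container
    return "unknown"


def lnk_offsets(data):
    """Offsets of shortcut headers inside a disc image. Files in ISO 9660 start on sector
    boundaries, so a sector-aligned scan finds them without parsing the directory tree."""
    return [off for off in range(0, len(data), SECTOR) if data[off:off + len(LNK_MAGIC)] == LNK_MAGIC]


def classify_attachment(filename, data):
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    kind = sniff(data)
    reasons = []
    if kind in BLOCKED_TYPES:
        reasons.append(f"{kind}_attachment")
    if kind == "iso" and lnk_offsets(data):
        reasons.append("shortcut_inside_image")
    if kind in EXT_FOR and ext not in EXT_FOR[kind]:
        reasons.append(f"extension_{ext or 'none'}_does_not_match_{kind}")
    if filename.lower().count(".") >= 2 and ext in ("lnk", "iso", "exe"):
        reasons.append("double_extension")
    return {"name": filename, "type": kind, "verdict": "block" if reasons else "allow", "reasons": reasons}


def build_iso_with_lnk():
    """Constructed stub: ISO identifier at sector 16 and a shortcut header at sector 20. Not a valid image."""
    blob = bytearray(24 * SECTOR)
    blob[VOLUME_DESC_OFF:VOLUME_DESC_OFF + 7] = b"\x01CD001\x01"
    blob[20 * SECTOR:20 * SECTOR + len(LNK_MAGIC)] = LNK_MAGIC
    return bytes(blob)


# Constructed sample attachments.
SAMPLES = {
    "resume_janedoe.iso": build_iso_with_lnk(),
    "cv_final.pdf": build_iso_with_lnk(),        # disc image hiding behind a .pdf name
    "resume.docx.lnk": LNK_MAGIC + b"\x00" * 60,
    "cover_letter.pdf": b"%PDF-1.7\n%constructed sample\n",
}


def scan_mailbox(samples):
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in scan_mailbox(SAMPLES).items():
        print(f"{result['verdict']:5}  {name:22}  {result['type']:8}  {result['reasons']}")
```

The sector-aligned scan is a cheap first pass; a gateway that wants to know which file the shortcut is, or to inspect nested archives, has to parse the ISO 9660 directory records, which this example does not attempt.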
