BlackSanta EDR-Killer: Malware Targeting HR Departments

BlackSanta EDR-killer malware targets HR teams, posing as resumes to bypass defenses and disable endpoint protection at the kernel level.

  • March 13, 2026

The campaign combines social engineering with defense evasion. The victim receives what looks like an ordinary resume file hosted on a cloud storage service that users treat as trustworthy; the file is in fact the first stage of a multi-stage infection chain.

Once active, BlackSanta terminates antivirus and EDR processes so that no alerts fire, then exfiltrates data over HTTPS so the traffic blends in with normal encrypted web activity. In short, it disables the security tooling and steals data while nothing is watching.

Resume Phishing and Infection Chain

The attack begins with a conventional spear-phishing email to a recruiter containing a link to an ISO file presented as a candidate's resume. When mounted, the ISO appears as an ordinary drive holding a "PDF", a PowerShell script, an image file, and an icon file. The "PDF" is in fact a Windows shortcut (.LNK) file; when the recruiter opens it, the shortcut runs the PowerShell script 'script.ps1', which uses steganography to extract code hidden inside the image file.

The extracted code runs in memory and downloads a ZIP archive named 'SumatraPDF.zip' from attacker-controlled domains (e.g. resumebuilders[.]us or thresumebuilder[.]com). The archive contains a legitimate 'SumatraPDF.exe' and a 'DWrite.dll' modified by the attackers. The genuine PDF reader is launched and, because the Windows loader searches an application's own directory before the system directory, it picks up the malicious DWrite.dll sitting next to it: classic DLL side-loading of a trusted binary.

This chain has been described as “blending social engineering, living-off-the-land techniques, [and] steganographic payload delivery.”

Xcitium Threat Labs: ISO-Based Steganographic Attack Chain (CASE ID: ISO-SUMATRA-09)

  • Stage 01, Initial Delivery: Malicious ISO file disguised as a candidate resume, hosted on cloud domains.
  • Stage 02, LNK Execution: A hidden .LNK file triggers PowerShell script.ps1 from the mounted ISO volume.
  • Stage 03, Payload Extraction: Steganography extracts second-stage PowerShell code hidden within images.
  • Final Payload, DLL Side-loading: SumatraPDF.exe loads the rogue DWrite.dll to establish persistent intrusion.

Infrastructure indicators (IOCs): resumebuilders[.]us, thresumebuilder[.]com
Detection categories: Living-off-the-Land, Steganography, Defense Evasion
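Each stage of the chain above leaves a distinct mark in endpoint telemetry, and a SOC can correlate them before the final payload ever runs. The following is an added detection example written for this article; it is not Xcitium's code and not part of the original post. It assumes Sysmon-style event fields (EventID 1 process creation, 7 image load, 22 DNS query), assumes C: is the system drive so that any other drive letter is treated as a mounted ISO or removable volume, and uses constructed sample events rather than real captures. The domains and the DWrite.dll name come from the write-up; everything else is an assumption for the example.

```python
import json
import ntpath
import re

# Indicators taken from the write-up (domains, side-loaded DLL name).
IOC_DOMAINS = {"resumebuilders.us", "thresumebuilder.com"}
SIDELOAD_DLLS = {"dwrite.dll"}  # extend with other DLLs known to be side-loaded
WINDOWS_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample telemetry shaped like Sysmon events. Illustrative records,
# not real captures: the recruiter opens the ISO on E:, the LNK runs script.ps1,
# PowerShell resolves a campaign domain and runs SumatraPDF, which side-loads
# DWrite.dll. The last two records are benign decoys the rules must not flag.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\explorer.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe","CommandLine":"C:\\Windows\\Explorer.EXE"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -w hidden -ep bypass -File E:\\script.ps1"}
{"EventID":22,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","QueryName":"resumebuilders.us"}
{"EventID":1,"Image":"C:\\Users\\recruiter\\AppData\\Local\\Temp\\SumatraPDF\\SumatraPDF.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"SumatraPDF.exe"}
{"EventID":7,"Image":"C:\\Users\\recruiter\\AppData\\Local\\Temp\\SumatraPDF\\SumatraPDF.exe","ImageLoaded":"C:\\Users\\recruiter\\AppData\\Local\\Temp\\SumatraPDF\\DWrite.dll","Signed":"false"}
{"EventID":7,"Image":"C:\\Program Files\\Notepad++\\notepad++.exe","ImageLoaded":"C:\\Windows\\System32\\DWrite.dll","Signed":"true"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -File C:\\Users\\recruiter\\Documents\\backup.ps1"}
"""


def _events(text):
    """Yield one parsed event per non-empty JSON line."""
    for line in text.strip().splitlines():
        if line.strip():
            yield json.loads(line)


def _name(path):
    return ntpath.basename(path).lower()


def check_lnk_powershell(ev):
    """Stage 2: PowerShell started by explorer.exe (a user opened a shortcut) with
    -File pointing at a script on a volume other than the system drive, which is
    what a mounted ISO looks like. Heuristic, not a signature."""
    if _name(ev.get("Image", "")) != "powershell.exe":
        return None
    if _name(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    m = re.search(r'-file\s+"?([a-z]:\\[^\s"]+)', ev.get("CommandLine", ""), re.I)
    if not m or m.group(1).lower().startswith("c:\\"):  # assumption: C: is the system drive
        return None
    return f"explorer.exe -> powershell.exe -File on non-system volume: {m.group(1)}"


def check_sideload(ev):
    """Final stage: a DLL name that normally lives in System32 is loaded from the
    application's own directory, the tell-tale of DLL side-loading."""
    loaded = ev.get("ImageLoaded", "")
    if _name(loaded) not in SIDELOAD_DLLS:
        return None
    if (ntpath.dirname(loaded).lower() + "\\").startswith(WINDOWS_SYSTEM_DIRS):
        return None
    return f"{_name(ev.get('Image', ''))} loaded {_name(loaded)} from {ntpath.dirname(loaded)}"


def check_c2_dns(ev):
    """Download stage: DNS lookup of a domain from the campaign's IOC list."""
    q = ev.get("QueryName", "").lower().rstrip(".")
    return f"DNS query for campaign domain {q}" if q in IOC_DOMAINS else None


RULES = {
    1: ("lnk_powershell", check_lnk_powershell),
    7: ("dll_sideload", check_sideload),
    22: ("c2_dns", check_c2_dns),
}


def analyze(text):
    """Return (rule_name, detail) pairs for every event that matches a rule."""
    alerts = []
    for ev in _events(text):
        rule = RULES.get(ev.get("EventID"))
        if rule:
            detail = rule[1](ev)
            if detail:
                alerts.append((rule[0], detail))
    return alerts


def stages_seen(text):
    """Names of the chain stages observed; all three together is a strong signal."""
    return {name for name, _ in analyze(text)}


if __name__ == "__main__":
    for name, detail in analyze(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Run against the sample, the three campaign stages fire and the two decoys (DWrite.dll loaded by Notepad++ from System32, a PowerShell script on the system drive) stay quiet. In production the side-load rule is the cheapest and most durable of the three: the domains will change, but a trusted PDF reader loading DWrite.dll from a user's Temp directory is abnormal regardless of who is behind it.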

Advanced Evasion and Process Hollowing

Once the side-loaded DLL is running, the malware performs extensive environment checks, fingerprinting the host for signs of analysis or virtualization. If it detects a virtual machine, a debugger, or a Russian/CIS locale, it exits. It also weakens Microsoft Defender before going further, turning off cloud-delivered protection and automatic sample submission so that unknown files are neither checked against nor sent to Microsoft's cloud.

With defenses lowered, the malware retrieves the next stage from its command-and-control (C2) server and injects it into a legitimate process using process hollowing: a benign process is started suspended, its in-memory image is replaced with the malicious code, and the process is resumed. Because the payload never lands on disk as a standalone executable, this stage is effectively fileless. Once the injected BlackSanta code is running, it enumerates running processes and compares them against a hardcoded list of security products.

Matches are terminated from kernel space. BlackSanta does this via Bring Your Own Vulnerable Driver (BYOVD): it loads a legitimately signed but exploitable driver and uses its privileged primitives to kill processes that user-mode code cannot normally touch, such as anti-malware services running as protected processes. In short, the malware prepares the ground before the real attack: fingerprint the environment, disable the defenses, then run the hidden code.

Kernel-Level Assault: BlackSanta Disables Security

The most alarming component is the BlackSanta EDR-killer module itself. Once active, BlackSanta methodically dismantles security on the host by loading legitimate but vulnerable signed kernel-mode drivers (for example, the RogueKiller AntiRootkit driver v3.1.0 and IObitUnlocker.sys v1.2.0.1). These drivers give the malware low-level access to memory and processes. With that access, BlackSanta performs actions such as:

  • Terminating AV/EDR: kills AV, EDR, SIEM-agent, and monitoring processes by name, matched against an embedded list.
  • Disabling Defender: adds exclusions for file types such as .sys and .dll and alters registry keys to weaken Microsoft Defender, disabling sample submission and alerting.
  • Suppressing alerts: silences Windows notifications and logging so that no warning dialogs reach the user.
  • Clearing visibility: “clears the runway before exfiltration” by disabling telemetry and logging, making after-the-fact detection difficult.

This kernel-level neutralization is less an EDR bypass than an EDR removal: rather than evading detection, the malware takes the detection capability off the host. Working from kernel space, BlackSanta suppresses antivirus and EDR mechanisms, leaving threat actors free to perform credential harvesting, reconnaissance, and data exfiltration with minimal resistance.
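The Defender tampering and the driver load described in this section are the last moments at which telemetry is still trustworthy, so they deserve dedicated rules. The following is an added example written for this article, not Xcitium's code and not part of the original post. It assumes Sysmon-style events (EventID 13 registry value set, EventID 6 driver load), uses constructed sample records, and relies on three well-known Defender registry locations: Spynet\SpynetReporting (0 disables cloud-delivered protection), Spynet\SubmitSamplesConsent (2 means never send samples), and the Exclusions\ tree. The driver names and the truesight.sys SHA-1 come from the IOC list on this page; the benign decoy events are constructed.

```python
import json
import ntpath
import re

# Driver indicators from the write-up; hashes are compared case-insensitively.
BYOVD_DRIVER_SHA1 = {"8a0e18612a181105f756ad40dff3f98b5d712604"}  # truesight.sys
BYOVD_DRIVER_NAMES = {"truesight.sys", "iobitunlocker.sys"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample telemetry shaped like Sysmon events 13 (registry value set)
# and 6 (driver load). Illustrative records, not real captures. The MsMpEng
# write and the tcpip.sys load are benign decoys the rules must not flag.
SAMPLE_EVENTS = r"""
{"EventID":13,"Image":"C:\\Users\\recruiter\\AppData\\Local\\Temp\\SumatraPDF\\SumatraPDF.exe","TargetObject":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpynetReporting","Details":"DWORD (0x00000000)"}
{"EventID":13,"Image":"C:\\Users\\recruiter\\AppData\\Local\\Temp\\SumatraPDF\\SumatraPDF.exe","TargetObject":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent","Details":"DWORD (0x00000002)"}
{"EventID":13,"Image":"C:\\Users\\recruiter\\AppData\\Local\\Temp\\SumatraPDF\\SumatraPDF.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.sys","Details":"DWORD (0x00000000)"}
{"EventID":13,"Image":"C:\\Users\\recruiter\\AppData\\Local\\Temp\\SumatraPDF\\SumatraPDF.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.dll","Details":"DWORD (0x00000000)"}
{"EventID":13,"Image":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Spynet\\LastMAPSSuccessTime","Details":"QWORD (0x01DC1234-0x56789ABC)"}
{"EventID":6,"ImageLoaded":"C:\\Users\\recruiter\\AppData\\Local\\Temp\\truesight.sys","Hashes":"SHA1=8A0E18612A181105F756AD40DFF3F98B5D712604","Signed":"true","SignatureStatus":"Valid"}
{"EventID":6,"ImageLoaded":"C:\\Windows\\System32\\drivers\\tcpip.sys","Hashes":"SHA1=0000000000000000000000000000000000000000","Signed":"true","SignatureStatus":"Valid"}
"""


def _events(text):
    """Yield one parsed event per non-empty JSON line."""
    for line in text.strip().splitlines():
        if line.strip():
            yield json.loads(line)


def _reg_value(details):
    """Pull the integer out of a Sysmon Details string such as 'DWORD (0x00000002)'."""
    m = re.search(r"0x([0-9a-f]+)\)", details, re.I)
    return int(m.group(1), 16) if m else None


def check_defender_tamper(ev):
    """Sysmon 13: registry writes under the Defender tree that weaken protection."""
    target = ev.get("TargetObject", "")
    low = target.lower()
    if "\\windows defender\\" not in low:
        return None
    value = _reg_value(ev.get("Details", ""))
    if low.endswith("\\spynet\\spynetreporting") and value == 0:
        return "cloud-delivered protection (MAPS) disabled"
    if low.endswith("\\spynet\\submitsamplesconsent") and value == 2:
        return "automatic sample submission disabled"
    if "\\exclusions\\" in low:
        return f"Defender exclusion added: {ntpath.basename(target)}"
    return None  # other Defender writes (status timestamps etc.) are normal


def check_driver_load(ev):
    """Sysmon 6: a driver from the campaign's BYOVD list, or any driver loaded from
    outside the drivers directory, which legitimate installs rarely do."""
    path = ev.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
    sha1 = hashes.get("SHA1", "").lower()
    if sha1 in BYOVD_DRIVER_SHA1 or name in BYOVD_DRIVER_NAMES:
        return f"known BYOVD driver loaded: {name} (SHA1 {sha1})"
    if not (ntpath.dirname(path).lower() + "\\").startswith(DRIVER_DIR):
        return f"driver loaded from non-standard path: {path}"
    return None


RULES = {13: ("defender_tamper", check_defender_tamper), 6: ("driver_load", check_driver_load)}


def analyze(text):
    """Return (rule_name, detail) pairs for every event that matches a rule."""
    alerts = []
    for ev in _events(text):
        rule = RULES.get(ev.get("EventID"))
        if rule:
            detail = rule[1](ev)
            if detail:
                alerts.append((rule[0], detail))
    return alerts


def kill_chain_ready(text):
    """True when the telemetry shows both Defender weakened and a BYOVD driver
    loaded: the precondition for the kernel-level process kills described above."""
    names = {n for n, _ in analyze(text)}
    return {"defender_tamper", "driver_load"} <= names


if __name__ == "__main__":
    for name, detail in analyze(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
    print("kill chain ready:", kill_chain_ready(SAMPLE_EVENTS))
```

Two caveats matter in practice. First, the driver carries a valid signature, so `Signed=true` is not a clean bill of health; match on hash and name, and treat a driver loading from a user's Temp directory as hostile regardless of signature. Second, the whole point of this stage is to kill the agent that produces these events, so the rules only help if telemetry is forwarded off-host as it is generated and a BYOVD driver load is treated as an automatic isolate-the-host trigger rather than an analyst ticket.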

HR Under Attack: Sensitive Data & Prevention

HR is a primary target because its staff routinely receive and open files from strangers, such as CVs and resumes, and because HR systems hold sensitive personal data: names, addresses, social security numbers, and payroll and direct-deposit details.

That data is valuable to attackers: one study found that 82% of 1,297 breaches examined involved data from HR systems, and 58% involved recruitment data. Job-application lures are becoming more common because attackers know recruiters must open CVs from external candidates. The same foothold is also used to redirect employee direct deposits and steal payroll data by phishing HR staff.

HR should therefore be protected to the same standard as finance and IT, rather than treated as a low-risk back-office function.

Practical controls follow from the chain described above: scan attachments and block or detonate container formats such as ISO that have no business arriving in a recruiting inbox; harden HR endpoints, since they are the ones that will open the lure; train HR and recruiting staff on resume-lure patterns; and move candidate submissions to a web form or applicant tracking system so that resumes never arrive as arbitrary email attachments or links.

Case Study: Xcitium vs. BlackSanta

This demonstration recreates the delivery technique used in the BlackSanta EDR-killer campaign that targets HR departments through malicious resume attachments.

In this scenario, a seemingly harmless ISO file is opened. It contains several files designed to look legitimate, one of which triggers a PowerShell-based execution chain that launches hidden commands responsible for staging the next phase of the attack.

The script activity mimics the real attack flow used by the BlackSanta campaign, where PowerShell is leveraged to download and execute components intended to disable endpoint defenses and prepare the system for further compromise.

Instead of relying on signatures or delayed detection, Xcitium’s ZeroDwell technology immediately classifies the activity as untrusted and runs it inside a secure isolation environment.

As a result, the attack chain cannot progress. Security processes are not terminated, no persistence mechanisms affect the host, and no malicious payload gains access to the system.

The accompanying video demonstrates how Xcitium prevents modern EDR-killer style attacks in real time by enforcing continuous zero-trust execution and automatic isolation.

Indicators of Compromise (IOCs)

  • Malicious domains: the campaign hosted payloads on fake resume-builder sites. Known domains include resumebuilders[.]us and thresumebuilder[.]com.
  • Downloaded files: the initial stage downloads SumatraPDF.zip, which contains a legitimate SumatraPDF.exe and a malicious DWrite.dll (SHA-1: 456873e94fbc16cf4499d3da6735c0ed64797f30); both are components of the infection chain.
  • Drivers loaded: BlackSanta abuses signed, vulnerable drivers to gain kernel access. Indicators include truesight.sys (RogueKiller AntiRootkit v3.1.0, SHA-1: 8a0e18612a181105f756ad40dff3f98b5d712604) and IObitUnlocker.sys v1.2.0.1. Because these drivers carry valid signatures, signature checks alone will not stop them; block them by hash or with a driver blocklist policy.
  • Process names: the malware terminates processes from a hardcoded list. The full list is long and covers many common AV/EDR executables.

Conclusion: When HR Becomes the Entry Point, Security Goes Quiet

BlackSanta is built for one purpose: get past human trust, then shut down the defenses that would normally stop the intrusion. A recruiter receives a “resume” ISO hosted on trusted cloud infrastructure. A hidden shortcut launches PowerShell, steganography extracts code from an image, and a trusted PDF reader side-loads a malicious DLL. Within minutes, the campaign escalates to kernel-level defense disabling and silent data theft.

Why This Threat Hits HR First

HR teams are conditioned to open unknown files, and the data they handle is high value.

  • Recruitment workflows require frequent interaction with external attachments and links 
  • HR systems store sensitive identity and payroll-related information 

Why Traditional Defenses Struggle

BlackSanta does not try to hide forever. It tries to remove visibility first.

  • Sandbox and VM checks stop execution in analysis environments 
  • Defender settings are weakened before heavier payloads arrive 
  • BYOVD drivers are abused to terminate AV and EDR from kernel space 

Where Xcitium Changes the Outcome

With Xcitium deployed, this attack would not succeed.

  • Xcitium Cyber Awareness Education and Phishing Simulation reduces the initial success rate by training HR teams to spot resume-lure patterns, ISO delivery, and cloud-hosted “candidate files” that do not belong in email workflows.
  • Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, stops the execution chain at runtime. The malicious DLL and follow-on stages may attempt to run, but they run in isolation and cannot affect the host. Defense-disabling actions fail, persistence does not stick, and data theft never becomes operational.

Protect HR Like a High-Value Security Team

Recruiting workflows are now a primary attack surface. Tighten intake channels, remove risky attachment handling, and enforce execution-time controls so “resume” malware never becomes a silent compromise.
