144/69 Thursday, March 12, 2026

Researchers from Aryaka have identified a cyberattack campaign targeting Human Resources (HR) departments across multiple organizations for more than a year. The attacks are delivered through spear-phishing emails that include malicious ISO files disguised as resumes, often pretending to originate from cloud services such as Dropbox. When the file is opened, the malware is executed via a .LNK shortcut that launches PowerShell to retrieve malicious code hidden inside image files using steganography, loading the payload directly into memory.
The malware then performs DLL sideloading using legitimate applications such as SumatraPDF. It conducts detailed system environment checks and will immediately terminate execution if it detects sandbox environments, virtual machines, or debugging tools. The malware also modifies Microsoft Defender settings to weaken protections before downloading additional payloads from a command-and-control (C2) server. These payloads are executed using process hollowing within legitimate system processes, allowing the malware to operate stealthily and evade detection.
A key component of the campaign is the BlackSanta EDR Killer module, which is specifically designed to disable security monitoring and terminate defensive tools such as antivirus (AV), endpoint detection and response (EDR), and security information and event management (SIEM) systems. The attackers employ a Bring Your Own Driver (BYOD) technique using vulnerable drivers such as truesight.sys and IObitUnlocker.sys to terminate security processes at the kernel level. This capability allows the attackers to operate covertly for extended periods while bypassing traditional detection mechanisms.
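As an added illustration (not code from the Aryaka report), the triage below runs a few detection heuristics over constructed Sysmon-style events modelled on the chain described above: PowerShell launched by explorer.exe from a drive root (a double-clicked LNK on a mounted ISO), PowerShell handed an image file (the steganographic loader stage), Defender tampering via Set-MpPreference, SumatraPDF loading a DLL from a user-writable directory (sideloading), and loads of the vulnerable drivers named in the report. The event schema, paths, file names and command lines are all assumptions; only the driver names come from the page.

```python
import re
from pathlib import PureWindowsPath

# Driver file names the report ties to the BlackSanta EDR-killer module.
VULNERABLE_DRIVERS = {"truesight.sys", "iobitunlocker.sys"}
# Defender-tampering pattern is an assumption: the report does not quote command lines.
DEFENDER_TAMPER = re.compile(r"(Set|Add)-MpPreference\s+-(Disable\w+|Exclusion\w+)", re.I)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".bmp", ".gif")
TRUSTED_DLL_DIRS = (r"c:\program files", r"c:\windows\system32")

basename = lambda p: PureWindowsPath(p).name.lower()

def triage(event):
    """Return finding labels for one Sysmon-style event dict (constructed schema)."""
    findings, kind = [], event["type"]
    if kind == "driver_load" and basename(event["image"]) in VULNERABLE_DRIVERS:
        findings.append("byovd_vulnerable_driver")
    elif kind == "process_create" and basename(event["image"]) in ("powershell.exe", "pwsh.exe"):
        cmd = event.get("cmd", "")
        if DEFENDER_TAMPER.search(cmd):
            findings.append("defender_tampering")
        if any(ext in cmd.lower() for ext in IMAGE_EXT):  # stego-loader stage reads an image
            findings.append("powershell_reads_image_file")
        # explorer.exe -> PowerShell with a drive-root cwd resembles a double-clicked LNK
        # on a freshly mounted ISO (heuristic, not proof).
        if basename(event.get("parent", "")) == "explorer.exe" and \
                re.fullmatch(r"[a-z]:\\", event.get("cwd", "").lower()):
            findings.append("powershell_from_drive_root")
    elif kind == "image_load" and basename(event["image"]) == "sumatrapdf.exe":
        if not event["loaded"].lower().startswith(TRUSTED_DLL_DIRS):  # sideload candidate
            findings.append("possible_dll_sideload")
    return findings

def scan(events):
    """Map event index -> findings, dropping events with nothing to report."""
    return {i: f for i, e in enumerate(events) if (f := triage(e))}

# Constructed sample events modelled on the chain above (not campaign telemetry; all values made up).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": PS, "parent": r"C:\Windows\explorer.exe", "cwd": "D:\\",
     "cmd": r"powershell.exe -w hidden -c Get-Content D:\profile_photo.png"},
    {"type": "process_create", "image": PS, "parent": PS, "cwd": r"C:\Users\hr",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "image_load", "image": r"C:\Users\hr\AppData\Local\Temp\SumatraPDF.exe",
     "loaded": r"C:\Users\hr\AppData\Local\Temp\sideload.dll"},
    {"type": "driver_load", "image": r"C:\Windows\Temp\truesight.sys"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cwd": r"C:\Users\hr", "cmd": "notepad.exe"},
]
```

Each heuristic on its own is noisy; the value is in seeing several of them fire on one host within a short window, which is what a correlation rule should key on.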
