New ‘BlackSanta’ EDR killer spotted targeting HR departments

For more than a year, a Russian-speaking threat actor has targeted human resources (HR) departments with malware that delivers a new EDR killer named BlackSanta.

Described as “sophisticated,” the campaign mixes social engineering with advanced evasion techniques to steal sensitive information from compromised systems.

It is unclear how the attack begins, but researchers at Aryaka, a network and security solutions provider, suspect that the malware is distributed via spear-phishing emails.

They believe that targets are directed to download ISO image files that pose as resumes and are hosted on cloud storage services such as Dropbox.

One malicious ISO analyzed contained four files: a Windows shortcut (.LNK) disguised as a PDF file, a PowerShell script, an image, and a .ICO file.

ISO file contents
Source: Aryaka

The shortcut launches PowerShell and executes the script, which extracts data hidden in the image file using steganography and runs it in memory.
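To show how an analyst would triage such a shortcut without opening it, here is an added Python example (not code from Aryaka's report or from the campaign) that parses the ShellLinkHeader and StringData fields defined in MS-SHLLINK and flags the traits described above: a PowerShell target, hidden-window and policy-bypass switches, a minimised ShowCommand, and a custom icon on a file named to look like a PDF. The shortcut bytes are constructed inline by a helper; the target path, switches, script name and icon name are assumptions, not values recovered from the campaign.

```python
import struct

# ShellLinkHeader constants (MS-SHLLINK 2.1)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of the user's way

# PowerShell switches typical of lure shortcuts (hidden window, policy bypass, encoded payload)
SUSPICIOUS_SWITCHES = ("-w hidden", "-windowstyle hidden", "-ep bypass",
                       "-executionpolicy bypass", "-enc", "-encodedcommand", "-nop")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields and ShowCommand of a .LNK file; raise ValueError if malformed."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("bad HeaderSize: not a shell link")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID: not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize is the first field of LinkInfo
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters; no terminator follows
        pos += 2
        if flags & IS_UNICODE:
            raw, pos = data[pos:pos + 2 * count], pos + 2 * count
            return raw.decode("utf-16-le")
        raw, pos = data[pos:pos + count], pos + count
        return raw.decode("cp1252")

    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        fields[name] = read_string() if flags & flag else ""   # StringData comes in this fixed order
    fields["show_command"] = show_command
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """Flag the traits of a resume-lure shortcut: PowerShell target, hidden/bypass switches,
    minimised window, and a custom icon on a file named to look like a PDF."""
    lnk = parse_lnk(data)
    target, args = lnk["relative_path"].lower(), lnk["arguments"].lower()
    findings = []
    if "powershell" in target or "pwsh" in target or "powershell" in args:
        findings.append("target is PowerShell")
    if any(sw in args for sw in SUSPICIOUS_SWITCHES):
        findings.append("hidden/bypass/encoded PowerShell switches")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden from user)")
    lower = filename.lower()
    if lnk["icon_location"] and lower.endswith(".lnk") and ".pdf" in lower:
        findings.append("shortcut posing as PDF with custom icon " + lnk["icon_location"])
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str,
              show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Assemble a minimal Unicode .LNK (no IDList, no LinkInfo). Used only to construct
    test input for this example; it is not a reproduction of the campaign's shortcut."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body


# Constructed samples: target path, switches, script name and icon name are assumptions
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       r"-w hidden -ep bypass -f .\loader.ps1", r".\pdf.ico")
BENIGN_LNK = build_lnk(r"..\Documents\report.pdf", "", "", show_command=1)

if __name__ == "__main__":
    for name, blob in (("resume.pdf.lnk", SAMPLE_LNK), ("report.lnk", BENIGN_LNK)):
        print(name, parse_lnk(blob)["relative_path"], triage_lnk(name, blob))
```

The parser deliberately skips the IDList and LinkInfo blocks by their size fields, so it copes with real-world shortcuts that carry them; the relative path plus arguments is usually enough to see what a lure launches. Windows hides the .lnk extension by default, which is why a file called `resume.pdf.lnk` with a PDF-style icon passes as a document.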

The code also downloads a ZIP archive containing a legitimate SumatraPDF executable and a malicious DLL (DWrite.dll) that is loaded through DLL sideloading.

Decrypted PowerShell script
Source: Aryaka

The malware fingerprints the system and sends the information to the command-and-control (C2) server, then performs extensive environment checks and stops execution if sandboxes, virtual machines, or debugging tools are detected.

It also modifies Windows Defender settings to weaken protection on the host, performs disk-write tests, and then downloads additional payloads from the C2, which are executed inside legitimate processes via process hollowing.

BlackSanta EDR killer

A key component delivered in the campaign is an executable identified as the BlackSanta EDR killer, a module that silences endpoint security solutions before the malicious payloads are deployed.

BlackSanta adds Microsoft Defender exclusions for ‘.dls’ and ‘.sys’ files, and modifies a Registry value to reduce telemetry and automatic sample submission to Microsoft's security cloud endpoints.

The researchers' report (PDF) notes that BlackSanta can also suppress Windows notifications to minimize or completely silence user alerts. The core function of BlackSanta is to terminate security processes, which it does by:

  1. enumerating running processes
  2. comparing their names against a large hardcoded list of antivirus, EDR, SIEM, and forensic tools
  3. retrieving the matching process IDs
  4. using the loaded drivers to unlock and terminate those processes at the kernel level
Part of the hardcoded list
Source: Aryaka
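The hardcoded target list is also what gives a sample like this away during triage: a binary that names dozens of security-tool processes and ships or fetches an unlocker driver is, in practice, an EDR killer. The following added Python example (not code from Aryaka's report or from the malware) does the analyst-side check: it extracts ASCII and UTF-16LE strings from a blob, counts how many match a list of security-product process names, and looks for the two abused driver names mentioned later in this article. The process-name list is an illustrative subset written for this example, not Aryaka's list, and the binary blob is constructed inline.

```python
import re

# Illustrative subset of process names that EDR killers typically carry in their target list.
# Constructed for this example; it is not Aryaka's list and is far from complete.
SECURITY_PROCESS_NAMES = {
    "msmpeng.exe", "mssense.exe", "nissrv.exe",                  # Microsoft Defender / MDE
    "csfalconservice.exe", "csfalconcontainer.exe",              # CrowdStrike Falcon
    "sentinelagent.exe", "sentinelservicehost.exe",              # SentinelOne
    "repmgr.exe", "cylancesvc.exe", "ekrn.exe", "avp.exe",       # other AV/EDR agents
    "splunkd.exe", "taniumclient.exe",                           # SIEM / telemetry agents
    "sysmon.exe", "sysmon64.exe", "procmon.exe", "procexp.exe",  # Sysinternals tooling
    "x64dbg.exe", "wireshark.exe", "velociraptor.exe",           # debugging / forensics
}
# Drivers the campaign fetched for kernel-level process termination, per the article.
ABUSED_DRIVER_NAMES = {"truesight.sys", "iobitunlocker.sys"}

# Printable ASCII runs and UTF-16LE runs of at least five characters, as `strings -a -el` would find
ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")


def extract_strings(data: bytes):
    """Yield decoded ASCII and UTF-16LE strings from a binary blob."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def score_edr_killer(data: bytes, threshold: int = 5) -> dict:
    """Report which security-tool process names and abused driver names occur as strings.
    Many security-process names plus an unlocker driver is the signature of a BYOVD EDR
    killer; a single hit on its own is not evidence of anything."""
    procs, drivers = set(), set()
    for s in extract_strings(data):
        for token in re.split(r"[\s,;\"']+", s.lower()):  # string tables are sometimes delimited
            if token in SECURITY_PROCESS_NAMES:
                procs.add(token)
            elif token in ABUSED_DRIVER_NAMES:
                drivers.add(token)
    if len(procs) >= threshold and drivers:
        verdict = "likely EDR killer"
    elif len(procs) >= threshold:
        verdict = "review manually"
    else:
        verdict = "inconclusive"
    return {"security_processes": sorted(procs), "abused_drivers": sorted(drivers),
            "verdict": verdict}


# Constructed blob standing in for an unpacked sample: ASCII target list plus UTF-16 driver names
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"MsMpEng.exe\x00CSFalconService.exe\x00SentinelAgent.exe\x00"
    + b"Sysmon64.exe\x00Velociraptor.exe\x00notepad.exe\x00" + b"\x00" * 8
    + "IObitUnlocker.sys".encode("utf-16-le") + b"\x00\x00"
    + "truesight.sys".encode("utf-16-le") + b"\x00\x00" + b"\x00" * 32
)

if __name__ == "__main__":
    print(score_edr_killer(SAMPLE_BLOB))
```

Run this against an unpacked sample, not the packed dropper: the list is usually only visible after the in-memory stage has been dumped. The threshold is a tuning knob; legitimate uninstallers and some admin tools also enumerate a few AV process names, which is why the verdict requires both a large name cluster and an unlocker driver.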

Aryaka did not share details about the targeted organizations or the threat actors behind the campaign, and could not retrieve the final payload used in the observed case, as the C2 server was unavailable at the time of the examination.

The researchers were able to identify additional infrastructure used by the same threat actor and discovered several IP addresses related to the same campaign. This is how they found that the operation had been running unnoticed for the past year.

Looking at those IP addresses, the researchers discovered that the malware also downloaded Bring Your Own Vulnerable Driver (BYOVD) components, including the RogueKiller Antirootkit driver v3.1.0 from Adlice Software and IObitUnlocker.sys v1.2.0.1 from IObit.

These drivers have been used in previous malware operations (1, 2) to gain elevated privileges on the compromised machine and suppress security tools.

RogueKiller (truesight.sys) allows manipulation of kernel hooks and memory monitoring, while IObitUnlocker.sys allows file and process locks to be bypassed. Together they give the malware low-level access to system memory and processes.
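Both the Defender tampering described earlier (exclusions for ‘.dls’ and ‘.sys’, reduced telemetry and sample submission) and the driver loads above leave host telemetry that is easy to alert on. The added Python example below (written for this article, not taken from Aryaka's report) runs three rules over JSON-serialised Sysmon events: a Registry SetValue (Event ID 13) under the Defender Exclusions keys, a Registry SetValue on the Defender SpyNet cloud-reporting values, and a DriverLoad (Event ID 6) of either named driver. It assumes the “registry value” the article mentions is one of the SpyNet values, which the report does not name, and it matches drivers by file name for brevity; the event lines are constructed, with placeholder hashes.

```python
import json
import re

# Registry locations written when Defender exclusions are added or cloud telemetry is reduced
# (Sysmon Event ID 13, RegistryEvent SetValue). An exclusion is stored as a value named after
# the extension/path/process with DWORD data 0. The SpyNet values are an assumption about which
# "registry value" the campaign modifies; the report does not name it.
DEFENDER_EXCLUSION_RE = re.compile(
    r"\\Windows Defender\\Exclusions\\(Extensions|Paths|Processes)\\(?P<item>[^\\]+)$", re.I)
DEFENDER_SPYNET_RE = re.compile(
    r"\\Windows Defender\\SpyNet\\(?P<value>SubmitSamplesConsent|SpyNetReporting)$", re.I)

# Drivers named in the campaign. Matching on file name is a stand-in for this example; in
# production match the hashes of the abused driver versions, since a file name is trivially renamed.
BYOVD_DRIVER_NAMES = {"truesight.sys", "iobitunlocker.sys"}


def detect(lines) -> list:
    """Run the three rules over JSON-serialised Sysmon events, one event per line."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 13:  # RegistryEvent (Value Set)
            target = ev.get("TargetObject", "")
            m = DEFENDER_EXCLUSION_RE.search(target)
            if m:
                alerts.append({"rule": "defender_exclusion_added", "item": m.group("item"),
                               "image": ev.get("Image")})
                continue
            m = DEFENDER_SPYNET_RE.search(target)
            if m:
                alerts.append({"rule": "defender_cloud_telemetry_modified",
                               "value": m.group("value"), "data": ev.get("Details"),
                               "image": ev.get("Image")})
        elif eid == 6:  # DriverLoad
            driver = ev.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
            if driver in BYOVD_DRIVER_NAMES:
                alerts.append({"rule": "byovd_driver_loaded", "driver": driver,
                               "path": ev.get("ImageLoaded"), "hashes": ev.get("Hashes")})
    return alerts


# Constructed Sysmon events (JSON lines); paths, process names and hashes are placeholders.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"EventID": 13, "Image": "C:\\Users\\hr\\AppData\\Local\\Temp\\update.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.sys", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "Image": "C:\\Users\\hr\\AppData\\Local\\Temp\\update.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.dls", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\hr\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"EventID": 13, "Image": "C:\\Users\\hr\\AppData\\Local\\Temp\\update.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SubmitSamplesConsent", "Details": "DWORD (0x00000002)"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\truesight.sys", "Hashes": "SHA256=PLACEHOLDER", "Signed": "true"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\IObitUnlocker.sys", "Hashes": "SHA256=PLACEHOLDER", "Signed": "true"}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

These rules only fire if the Sysmon configuration actually records SetValue events for the Defender keys and DriverLoad events; check the deployed config before relying on them. Both drivers are legitimately signed, so `Signed: true` is not a reason to suppress the alert; a signed driver being dropped into a user-writable or Temp path and then loaded is exactly the BYOVD pattern.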

Aryaka researchers say the threat actor behind the campaign shows strong operational security and uses context-aware, stealthy infection chains to deploy components such as the BlackSanta EDR killer.
