BlackSanta EDR-Killer

A Silent Threat Targeting Recruitment Workflows

Aryaka Threat Labs has uncovered a sophisticated malware campaign targeting HR and recruitment professionals. The attackers distribute emails containing links to files disguised as legitimate resumes. When opened, these files trigger a multi-stage infection chain that silently compromises the victim’s system.

The malware performs system reconnaissance and conducts environment checks to detect sandboxes, virtual machines, and debugging tools to evade analysis. A key component, BlackSanta, acts as an EDR-killer, disabling security solutions to ensure malicious payloads run undetected.

Once established, the malware communicates with command-and-control servers over encrypted HTTPS to exfiltrate sensitive data, demonstrating a persistent and highly sophisticated cyber threat.

Key Insights You’ll Gain from This Report

  • Inside the Attack Campaign: Learn how threat actors use resume-themed phishing emails to target HR and recruitment teams.
  • Step-by-Step Infection Chain: Understand how the malware progresses from initial download to full system compromise.
  • Evasion and Anti-Analysis Techniques: See how the malware detects sandboxes, virtual machines, and debugging tools to avoid security monitoring.
  • BlackSanta EDR Killer: Discover how the attackers disable antivirus and EDR protections to run malicious payloads undetected.
  • Command-and-Control Operations: Explore how attackers maintain encrypted communication with compromised systems.
  • Data Theft and Persistence: Understand how sensitive data is collected and exfiltrated, and how attackers maintain long-term access.