
BlackSanta EDR killer malware activity targeting HR departments

Malware Activity
Happening score: 14
2 unique sources, 2 articles

Summary


The BlackSanta malware operation has run for more than a year, targeting HR departments and using an EDR killer to weaken host defenses before payload execution. The infection chain relies on resume-themed ISO files and suspected spear-phishing to lure victims into opening malicious content. BlackSanta then adds Microsoft Defender exclusions, suppresses alerts, and terminates security processes, making follow-on activity harder to detect. The activity matters because it creates a stealthier path for stealing information and deploying additional payloads.

Related Happenings

Microsoft Defender for Endpoint automatic endpoint isolation preview

Security Tool/Service
First: 26.05.2026 15:19 Last: 26.05.2026 15:19 Sources 1

About this happening: Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

GopherWhisper Go-based malware toolkit with Slack, Discord, and Outlook C2

Malware Activity
First: 23.04.2026 15:06 Last: 23.04.2026 15:06 Sources 1

About this happening: The **GopherWhisper** malware set now combines **Go-based backdoors** and **exfiltration tools** that abuse **Slack**, **Discord**, **Microsoft 365 Outlook**, and **Microsoft Grap...

CrowdStrike Falcon Next-Gen SIEM adds Microsoft Defender for Endpoint telemetry integration

Security Tool/Service
First: 03.04.2026 14:53 Last: 03.04.2026 14:53 Sources 1

About this happening: **CrowdStrike Falcon Next-Gen SIEM** now ingests **Microsoft Defender for Endpoint** telemetry, making Defender the first EDR integrated into the platform and broadening support f...

EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers

Technical Analysis
First: 19.03.2026 20:52 Last: 19.03.2026 20:52 Sources 1

About this happening: **54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...

Timeline

  1. 11.03.2026 00:57 (2 articles)

    BlackSanta campaign against HR departments disclosed

    Initial Disclosure

    A year-long campaign targeted human resources (HR) departments with BlackSanta, an EDR killer delivered through resume-themed ISO files and suspected spear-phishing emails. The infection chain uses a disguised .LNK shortcut, PowerShell, steganography, DLL sideloading, and process hollowing, while BlackSanta adds Microsoft Defender exclusions, suppresses Windows notifications, and terminates security processes to weaken host defenses before additional payloads run.
