BlackSanta EDR killer malware activity targeting HR departments
Malware Activity
Summary
Hide ▲
Show ▼
The BlackSanta malware operation has run for more than a year, targeting HR departments and using an EDR killer to weaken host defenses before payload execution. The infection chain relies on resume-themed ISO files and suspected spear-phishing to pull victims into opening malicious content. BlackSanta then adds Microsoft Defender exclusions, suppresses alerts, and terminates security processes, making follow-on activity harder to detect. The activity matters because it creates a stealthier path for stealing information and deploying additional payloads.
Related Happenings
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware Activity
H score31
First: 09.07.2026 21:08
Last: 09.07.2026 21:08
Sources 1
About this happening:
The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware ActivityAbout this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
Veil#Drop PureLog Stealer in-memory delivery operation
Malware Activity
H score30
First: 01.07.2026 17:30
Last: 01.07.2026 17:30
Sources 1
About this happening:
**Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
Veil#Drop PureLog Stealer in-memory delivery operation
Malware ActivityAbout this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical Analysis
H score74
First: 01.07.2026 08:32
Last: 01.07.2026 08:32
Sources 1
About this happening:
Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical AnalysisAbout this happening: Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
**Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Microsoft Defender for Endpoint automatic endpoint isolation preview
Security Tool/Service
H score10
First: 26.05.2026 15:19
Last: 26.05.2026 15:19
Sources 1
About this happening:
Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...
Microsoft Defender for Endpoint automatic endpoint isolation preview
Security Tool/ServiceAbout this happening: Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...
Timeline
-
11.03.2026 00:57 2 articles · 4mo ago
BlackSanta campaign against HR departments disclosed
Initial DisclosureA year-long campaign targeted human resource (HR) departments with BlackSanta, an EDR killer delivered through resume-themed ISO files and suspected spear-phishing emails. The infection chain uses a disguised .LNK shortcut, PowerShell, steganography, DLL sideloading, and process hollowing, while BlackSanta adds Microsoft Defender exclusions, suppresses Windows notifications, and terminates security processes to weaken host defenses before additional payloads run.
Show sources
- New ‘BlackSanta’ EDR killer spotted targeting HR departments — www.bleepingcomputer.com — 11.03.2026 00:57
- BlackSanta EDR-Killer Targets HR Teams in CV-Themed Campaign — www.infosecurity-magazine.com — 11.03.2026 16:30