Find notable cyber news and cases, enriched with sources, timelines, and signals.

BlackSanta EDR killer malware activity targeting HR departments

Malware Activity
First reported
Last updated
Happening score
H score 20
2 unique sources, 2 articles

Summary

Hide ▲

The BlackSanta malware operation has run for more than a year, targeting HR departments and using an EDR killer to weaken host defenses before payload execution. The infection chain relies on resume-themed ISO files and suspected spear-phishing to pull victims into opening malicious content. BlackSanta then adds Microsoft Defender exclusions, suppresses alerts, and terminates security processes, making follow-on activity harder to detect. The activity matters because it creates a stealthier path for stealing information and deploying additional payloads.

Related Happenings

GigaWiper / BLUERABBIT destructive Windows backdoor activity

Malware Activity
H score31 First: 09.07.2026 21:08 Last: 09.07.2026 21:08 Sources 1

About this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...

Veil#Drop PureLog Stealer in-memory delivery operation

Malware Activity
H score30 First: 01.07.2026 17:30 Last: 01.07.2026 17:30 Sources 1

About this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...

ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion

Technical Analysis
H score74 First: 01.07.2026 08:32 Last: 01.07.2026 08:32 Sources 1

About this happening: Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...

Gentlemen ransomware EDR-killer tooling

Malware Activity
H score35 First: 19.06.2026 01:31 Last: 19.06.2026 01:31 Sources 1

About this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...

Microsoft Defender for Endpoint automatic endpoint isolation preview

Security Tool/Service
H score10 First: 26.05.2026 15:19 Last: 26.05.2026 15:19 Sources 1

About this happening: Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...

Timeline

  1. 11.03.2026 00:57 2 articles · 4mo ago

    BlackSanta campaign against HR departments disclosed

    Initial Disclosure

    A year-long campaign targeted human resource (HR) departments with BlackSanta, an EDR killer delivered through resume-themed ISO files and suspected spear-phishing emails. The infection chain uses a disguised .LNK shortcut, PowerShell, steganography, DLL sideloading, and process hollowing, while BlackSanta adds Microsoft Defender exclusions, suppresses Windows notifications, and terminates security processes to weaken host defenses before additional payloads run.

    Show sources