BlackSanta EDR Killer Targets HR Departments with Stealthy Malware Campaign

Timeline

1. 11.03.2026 00:57 1 articles · 12h ago

   BlackSanta EDR Killer Identified in Year-Long Campaign Targeting HR Departments

   A Russian-speaking threat actor has been targeting HR departments with a sophisticated malware campaign that delivers a new EDR killer named BlackSanta. The campaign employs social engineering and advanced evasion techniques to steal sensitive information from compromised systems. The malware is suspected to be distributed via spear-phishing emails containing ISO image files disguised as resumes, hosted on cloud storage services like Dropbox. The attack chain involves steganography, DLL sideloading, and process hollowing to execute malicious payloads while evading detection. BlackSanta specifically targets and disables endpoint security solutions, including antivirus, EDR, SIEM, and forensic tools, by terminating their processes at the kernel level. The campaign has been active for over a year, utilizing Bring Your Own Driver (BYOD) components to gain elevated privileges and suppress security tools.

   Show sources

   • New ‘BlackSanta’ EDR killer spotted targeting HR departments — www.bleepingcomputer.com — 11.03.2026 00:57

   Open in new tab

Information Snippets

• The malware campaign targets HR departments with a new EDR killer named BlackSanta.

  First reported: 11.03.2026 00:57
  1 source, 1 article
  Show sources

  • New ‘BlackSanta’ EDR killer spotted targeting HR departments — www.bleepingcomputer.com — 11.03.2026 00:57

• The attack begins with spear-phishing emails containing ISO image files disguised as resumes.

  First reported: 11.03.2026 00:57
  1 source, 1 article
  Show sources

  • New ‘BlackSanta’ EDR killer spotted targeting HR departments — www.bleepingcomputer.com — 11.03.2026 00:57

• The ISO files contain a Windows shortcut, PowerShell script, image, and .ICO file.

  First reported: 11.03.2026 00:57
  1 source, 1 article
  Show sources

  • New ‘BlackSanta’ EDR killer spotted targeting HR departments — www.bleepingcomputer.com — 11.03.2026 00:57

• The PowerShell script extracts hidden data from the image using steganography and executes it in system memory.

  First reported: 11.03.2026 00:57
  1 source, 1 article
  Show sources

  • New ‘BlackSanta’ EDR killer spotted targeting HR departments — www.bleepingcomputer.com — 11.03.2026 00:57

• The malware downloads a ZIP archive containing a legitimate SumatraPDF executable and a malicious DLL.

  First reported: 11.03.2026 00:57
  1 source, 1 article
  Show sources

  • New ‘BlackSanta’ EDR killer spotted targeting HR departments — www.bleepingcomputer.com — 11.03.2026 00:57

• The malware performs system fingerprinting and environment checks to evade sandboxes and debugging tools.

  First reported: 11.03.2026 00:57
  1 source, 1 article
  Show sources

  • New ‘BlackSanta’ EDR killer spotted targeting HR departments — www.bleepingcomputer.com — 11.03.2026 00:57

• BlackSanta modifies Windows Defender settings and adds exclusions for '.dls' and '.sys' files.

  First reported: 11.03.2026 00:57
  1 source, 1 article
  Show sources

  • New ‘BlackSanta’ EDR killer spotted targeting HR departments — www.bleepingcomputer.com — 11.03.2026 00:57

• BlackSanta suppresses Windows notifications and terminates security processes by enumerating and comparing them against a hardcoded list.

  First reported: 11.03.2026 00:57
  1 source, 1 article
  Show sources

  • New ‘BlackSanta’ EDR killer spotted targeting HR departments — www.bleepingcomputer.com — 11.03.2026 00:57

• The campaign has been active for over a year, utilizing BYOD components like RogueKiller and IObitUnlocker.sys.

  First reported: 11.03.2026 00:57
  1 source, 1 article
  Show sources

  • New ‘BlackSanta’ EDR killer spotted targeting HR departments — www.bleepingcomputer.com — 11.03.2026 00:57