For more than a year, a Russian-speaking threat actor targeted human resource (HR) departments with malware that delivers a new EDR killer named BlackSanta.

Described as "sophisticated," the campaign mixes social engineering with advanced evasion techniques to steal sensitive information from compromised systems.

It is unclear how the attack begins, but researchers at Aryaka, a network and security solutions provider, suspect that the malware is distributed via spear-phishing emails.

They believe that targets are directed to download ISO image files that appear as resumes and are hosted on cloud storage services, such as Dropbox.

One malicious ISO analyzed contained four files: a Windows shortcut (.LNK) disguised as a PDF file, a PowerShell script, an image, and a .ICO file.

The shortcut launches PowerShell and executes the script, which extracts data hidden in the image file using steganography and executes it in system memory.

The code also downloads a ZIP archive containing a legitimate SumatraPDF executable and a malicious DLL (DWrite.dll) to load using the DLL sideloading technique.

The malware performs system fingerprinting and sends the information to the command-and-control (C2) server, and then performs extensive environment checks to stop execution if sandboxes, virtual machines, or debugging tools are detected.

It also modifies Windows Defender settings to weaken security at the host, performs disk-write tests, and then downloads additional payloads from the C2, which are executed via process hollowing, inside legitimate processes.

BlackSanta EDR killer

A key component delivered in the campaign is an executable identified as the BlackSanta EDR killer, a module that silences endpoint security solutions before deploying malicious payloads.

BlackSanta adds Microsoft Defender exclusions for ‘.dls’ and ‘.sys’ files, and modifies a Registry value to reduce telemetry and automatic sample submission to Microsoft security cloud endpoints.

The researchers' report (PDF) notes that BlackSanta can also suppress Windows notifications to minimize or completely silence user alerts. The core function of BlackSanta is to terminate security processes, which it does by:

1. enumerating running processes
2. comparing the names against a large hardcoded list of antivirus, EDR, SIEM, and forensic tools
3. retrieving the matching process IDs
4. using the loaded drivers to unlock and terminate those processes at the kernel level

Aryaka did not share details about the target organizations or the threat actors behind the campaign, and couldn’t retrieve the final payload used in the observed case, as the C2 server was unavailable at the time of their examination.

The researchers were able to identify additional infrastructure used by the same threat actor and discovered multiple IP addresses related to the same campaign. This is how they learned that the operation had been running unnoticed for the past year.

Looking at the IP addresses, the researchers uncovered that the malware also downloaded Bring Your Own Driver (BYOD) components that included the RogueKiller Antirootkit driver v3.1.0 from Adlice Software, and IObitUnlocker.sys v1.2.0.1 from IObit.

These drivers have been used in malware operations (1, 2) to gain elevated privileges on the compromised machine and suppress security tools.

RogueKiller (truesight.sys) allows manipulation of kernel hooks and memory monitoring, while IObitUnlocker.sys allows bypassing file and process locks. This combination provides the malware with low-level access to system memory and processes.

Aryaka researchers say the threat actor behind the campaign shows strong operational security and uses context-aware, stealthy infection chains to deploy components such as BlackSanta EDR.