Wednesday, March 11, 2026

New ‘BlackSanta’ EDR killer spotted targeting HR departments

For more than a year, a Russian-speaking threat actor has been targeting human resources (HR) departments with malware that delivers a new EDR killer named BlackSanta.

Described as “sophisticated,” the campaign combines social engineering with advanced evasion techniques to steal sensitive information from compromised systems.

It is unclear how the attack begins, but researchers at Aryaka, a network and security solutions provider, suspect that the malware is distributed via spear-phishing emails.

They believe that targets are directed to download ISO image files posing as resumes, hosted on cloud storage services such as Dropbox.

One malicious ISO that was analyzed contained four files: a Windows shortcut (.LNK) disguised as a PDF file, a PowerShell script, an image, and a .ICO file.

ISO file contents
Source: Aryaka

The shortcut launches PowerShell and runs the script, which extracts data hidden in the image file using steganography and executes it directly in memory.

The code also downloads a ZIP archive containing a legitimate SumatraPDF executable and a malicious DLL (DWrite.dll) that the executable loads through DLL sideloading.
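The sideloading layout described above (a legitimate, signed executable placed next to a DLL it will load by name) is something an analyst can hunt for directly. The following PowerShell is an added example, not Aryaka's code and not from the original article: it searches user-writable locations for DWrite.dll copies outside the Windows system directories, reports their signature and the executables sitting beside them. The search roots are an assumption for a default Windows install; widen them (Downloads, mounted ISO drive letters, shares) to match your environment.

```powershell
# Added example (not Aryaka's code): hunt for DWrite.dll copies sitting outside the
# Windows system directories, the sideloading layout the article describes
# (legitimate SumatraPDF.exe beside a malicious DWrite.dll). The search roots are
# an assumption; widen them to your environment (Downloads, mounted ISO drives ...).
$roots  = @($env:USERPROFILE, $env:ProgramData, $env:TEMP)
$system = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

Get-ChildItem -Path $roots -Filter 'DWrite.dll' -Recurse -File -ErrorAction SilentlyContinue |
  Where-Object {
    $dir = $_.DirectoryName
    # keep only copies that are NOT under a Windows system directory
    -not ($system | Where-Object { $dir -like "$_\*" })
  } |
  ForEach-Object {
    $dll = $_
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    # Executables in the same folder are the likely sideloading hosts (SumatraPDF.exe in the report).
    $hosts = Get-ChildItem -Path $dll.DirectoryName -Filter '*.exe' -File -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Name
    [pscustomobject]@{
      Path       = $dll.FullName
      SizeKB     = [int]($dll.Length / 1KB)
      SigStatus  = $sig.Status
      Signer     = $sig.SignerCertificate.Subject
      ExesBeside = ($hosts -join ', ')
      # The genuine DWrite.dll is Microsoft-signed; anything else next to an .exe is worth pulling.
      Suspicious = ($sig.Status -ne 'Valid') -or ($sig.SignerCertificate.Subject -notmatch 'Microsoft')
    }
  } | Format-Table -AutoSize -Wrap
```

A hit is not proof by itself (some legitimate applications ship private copies of system DLLs), but an unsigned or third-party-signed DWrite.dll next to a signed PDF viewer in a profile or temp directory is exactly the pattern the report describes and should be collected for analysis rather than deleted.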

Decrypted PowerShell script
Source: Aryaka

The malware fingerprints the system and sends the information to the command-and-control (C2) server, then performs extensive environment checks and halts execution if sandboxes, virtual machines, or debugging tools are detected.

It also modifies Windows Defender settings to weaken protection on the host, performs disk-write tests, and then downloads additional payloads from the C2, which are executed via process hollowing inside legitimate processes.

BlackSanta EDR killer

A key component delivered in the campaign is an executable identified as the BlackSanta EDR killer, a module that silences endpoint security solutions before malicious payloads are deployed.

BlackSanta adds Microsoft Defender exclusions for ‘.dls’ and ‘.sys’ files and modifies a Registry value to reduce telemetry and automatic sample submission to Microsoft's security cloud endpoints.
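Both of those changes leave a footprint that is cheap to audit. The following PowerShell is an added example, not Aryaka's code and not from the original article: it reads the current Defender preferences, flags extension exclusions covering drivers or DLLs, reports the cloud-protection (MAPS) and sample-submission settings, checks the Spynet policy key the same settings can be forced through, and pulls the Defender configuration-change events (event ID 5007) from the last 30 days. The extension list and the 30-day window are assumptions; the ‘.dls’ string is included only because the report quotes it.

```powershell
# Added example (not Aryaka's code): audit the Defender settings the report says
# BlackSanta tampers with, and find when they changed. Run from an elevated prompt.
$pref = Get-MpPreference

# 1. Exclusions. Extension exclusions for drivers/DLLs should not exist on a standard
#    endpoint; '.dls' is included only because the report quotes that string.
$suspectExt = @('.sys', '.dll', '.dls')                  # assumption: tune to your baseline
$badExt = @($pref.ExclusionExtension | Where-Object { $suspectExt -contains $_ })
"Exclusion extensions : $($pref.ExclusionExtension -join ', ')"
"Exclusion paths      : $($pref.ExclusionPath -join ', ')"
if ($badExt) { Write-Warning "Driver/DLL extension exclusions present: $($badExt -join ', ')" }

# 2. Cloud protection. MAPSReporting 0 = off; SubmitSamplesConsent 2 = never send.
"MAPSReporting        : $($pref.MAPSReporting)"
"SubmitSamplesConsent : $($pref.SubmitSamplesConsent)"
if ($pref.MAPSReporting -eq 0 -or $pref.SubmitSamplesConsent -eq 2) {
  Write-Warning 'Cloud-delivered protection or automatic sample submission is disabled'
}

# The same two settings can be forced through the Spynet policy key; a value written
# there by malware survives a later Set-MpPreference by an administrator.
$spynet = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
if (Test-Path $spynet) {
  Get-ItemProperty -Path $spynet | Select-Object SpynetReporting, SubmitSamplesConsent
}

# 3. When it changed: Defender logs every preference change as event 5007, with the
#    old and new value in the message body.
Get-WinEvent -FilterHashtable @{
  LogName   = 'Microsoft-Windows-Windows Defender/Operational'
  Id        = 5007
  StartTime = (Get-Date).AddDays(-30)                    # assumption: 30-day window
} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match 'Exclusions|SpyNet|SubmitSamplesConsent' } |
  Select-Object TimeCreated,
    @{ n = 'NewValue'; e = { [regex]::Match($_.Message, 'New value:\s*(.+)').Groups[1].Value.Trim() } } |
  Format-Table -AutoSize -Wrap
```

The 5007 event is the useful part for incident response: it timestamps the exclusion or Spynet change, which can then be correlated with process-creation telemetry to find the process that made it. Forward that event ID to the SIEM if it is not already collected; an EDR killer that disables Defender cloud reporting will not report its own tampering once it succeeds.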

The researchers’ report (PDF) notes that BlackSanta can also suppress Windows notifications to reduce or completely silence user alerts. The core function of BlackSanta is to terminate security processes, which it does by:

  1. enumerating running processes
  2. comparing their names against a large hardcoded list of antivirus, EDR, SIEM, and forensic tools
  3. retrieving the process IDs of the matches
  4. using the loaded drivers to unlock and terminate those processes at the kernel level
Part of the hardcoded list
Source: Aryaka

Aryaka did not share details about the targeted organizations or the threat actors behind the campaign, and could not retrieve the final payload used in the observed case, as the C2 server was unavailable at the time of the analysis.

The researchers were able to identify additional infrastructure used by the same threat actor and discovered several IP addresses tied to the same campaign. This is how they learned that the operation had been running unnoticed for the past year.

Looking at those IP addresses, the researchers found that the malware also downloaded Bring Your Own Driver (BYOD, the technique more commonly called BYOVD) components, which included the RogueKiller Antirootkit driver v3.1.0 from Adlice Software and IObitUnlocker.sys v1.2.0.1 from IObit.

These drivers have been used in earlier malware operations (1, 2) to gain elevated privileges on the compromised machine and suppress security tools.

RogueKiller (truesight.sys) allows manipulation of kernel hooks and memory monitoring, while IObitUnlocker.sys allows file and process locks to be bypassed. Together they give the malware low-level access to system memory and processes.
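The process-termination steps listed above and the two drivers described here only work if the driver actually gets loaded, which is where a defender can look. The following PowerShell is an added example, not Aryaka's code and not from the original article: it walks the registered kernel driver services, flags the two driver names the report ties to this campaign, flags any driver whose image file lives outside the Windows driver directories, and hashes each hit so it can be checked against a vulnerable-driver list such as loldrivers.io. The driver names come from the article; the "trusted directories" are an assumption for a default Windows install.

```powershell
# Added example (not Aryaka's code): triage kernel driver services for the BYOVD
# components the report names, plus any driver loaded from an unusual location.
# Run from an elevated prompt.
$watchList   = @('truesight.sys', 'iobitunlocker.sys')      # names from the report
$trustedDirs = @("$env:SystemRoot\System32\drivers",        # assumption: default install
                 "$env:SystemRoot\System32\DriverStore")

Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
  $drv  = $_
  $path = $drv.PathName
  if (-not $path) { return }                                # no image path recorded; skip
  $path = $path -replace '^\\\?\?\\', ''                    # strip the \??\ NT prefix
  if ($path -match '^\\SystemRoot\\(.*)$') { $path = Join-Path $env:SystemRoot $Matches[1] }
  $leaf      = Split-Path -Leaf $path
  $onWatch   = $watchList -contains $leaf.ToLower()
  $inTrusted = [bool]($trustedDirs | Where-Object { $path -like "$_\*" })

  if ($onWatch -or -not $inTrusted) {
    $exists = Test-Path -LiteralPath $path
    [pscustomobject]@{
      Service   = $drv.Name
      State     = $drv.State            # 'Running' = driver is loaded right now
      StartMode = $drv.StartMode
      Path      = $path
      OnWatch   = $onWatch
      # SHA256 lets you check the exact build against a known-vulnerable-driver list
      SHA256    = if ($exists) { (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash } else { 'file missing' }
      Signer    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject } else { $null }
    }
  }
} | Sort-Object OnWatch -Descending | Format-Table -AutoSize -Wrap
```

Both drivers are legitimately signed products, so the signer column will look clean; the signals are the context: a driver service created recently by something other than the vendor's installer, an image dropped into a user-writable directory, and a service whose driver file is already missing (the loader deleted it after use). A "Running" state on a watch-listed name during an incident means the kernel primitive the EDR killer needs is already in place, and the host should be isolated rather than cleaned in place.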

Aryaka researchers say the threat actor behind the campaign shows strong operational security and uses context-aware, stealthy infection chains to deploy components such as BlackSanta.
