BlackSanta Malware: A Stealthy Threat Targeting Recruiters and HR Teams
A new, highly sophisticated malware campaign named BlackSanta has emerged, primarily targeting HR and recruitment professionals. This attack is being operated by Russian-speaking threat actors and involves stealthy infection methods that begin with spear-phishing emails. These emails contain malicious files disguised as job applications, allowing attackers to silently infiltrate systems, disable security measures, and exfiltrate sensitive data without detection. Below, we’ll dive deeper into how this malware campaign operates, specifically the initial infection vector and its implications for HR teams and organizations.
The BlackSanta malware campaign begins with spear-phishing emails, which are tailored to appear legitimate. These emails typically carry links that lead to malicious ISO files hosted on cloud storage platforms like Dropbox or Google Drive. The ISO file, named in a way that seems plausible to the recipient, such as “Celine_Pesant.iso”, mimics a resume from a job applicant. This clever social engineering tactic is designed to catch the attention of recruiters and HR professionals who frequently receive resumes from various candidates.
Once the recipient clicks the link, they are directed to download the ISO file, which may appear harmless at first glance. However, once opened, the ISO file mounts itself as a virtual drive on the victim’s system, making it appear just like any other local disk or drive. Upon examining the contents of the ISO, the victim sees what seems like a standard resume file, but lurking within the folder are several malicious components designed to trigger a chain of infection.
Inside the ISO file, four critical files are usually present:
| File Name | Description |
|---|---|
| Celine_Pesant.pdf.lnk | A Windows shortcut file that appears to be a PDF document but actually launches a malicious command when opened. |
| image1.png | An image file used for steganography, which hides further malicious payloads inside its pixel data. |
| script.ps1 | A PowerShell script that initiates the execution of the attack by running hidden commands and bypassing security settings. |
| wintes.ico | A file designed to mislead the victim into thinking it is a harmless component, distracting from its malicious purpose. |
When the victim clicks on the Celine_Pesant.pdf.lnk shortcut, it runs an obfuscated PowerShell script. The script sets up the next stage of the infection by executing hidden commands, bypassing Windows security policies, and running the script.ps1 file from the mounted ISO.
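The infection chain above leaves a recognisable trace in process telemetry: explorer.exe spawning PowerShell with a hidden window, an execution-policy bypass, and a script path on a drive that is not the system drive (a freshly mounted ISO gets a new drive letter). The following detection logic is an added example for this article, not code from the campaign or from any vendor. It assumes Sysmon-style process-creation records (EventID 1 with Image, ParentImage, CommandLine and User fields) exported as JSON lines; the three sample events are constructed for the demonstration, and the drive-letter heuristic is deliberately simple.

```python
import json
import re
from dataclasses import dataclass, field
from typing import List

# Constructed Sysmon-style process-creation (Event ID 1) records, one JSON
# object per line. These are made-up samples for this example, not telemetry
# from the BlackSanta campaign; only the file names follow the article.
SAMPLE_EVENTS = r"""
{"EventID": 1, "User": "CORP\\hr.user", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -ep bypass -File E:\\script.ps1"}
{"EventID": 1, "User": "CORP\\it.admin", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"}
{"EventID": 1, "User": "CORP\\hr.user", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe", "CommandLine": "\"C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe\" E:\\Celine_Pesant.pdf"}
"""

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
# -w hidden / -WindowStyle Hidden: the console window is suppressed.
HIDDEN_WINDOW = re.compile(r"-w\w*\s+hidden", re.IGNORECASE)
# -ep bypass / -ExecutionPolicy Bypass: script-signing policy is disabled.
POLICY_BYPASS = re.compile(r"-e\w*\s+bypass", re.IGNORECASE)
# A .ps1 path on any drive other than C: (heuristic for a mounted ISO/USB).
SCRIPT_OFF_SYSTEM_DRIVE = re.compile(r"\b[D-Z]:\\[^\s\"']*\.ps1\b", re.IGNORECASE)


@dataclass
class Finding:
    user: str
    command_line: str
    indicators: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse_event(event: dict) -> List[str]:
    """Return the list of indicators matched by one process-creation event.
    Non-PowerShell processes and other event types yield an empty list."""
    if event.get("EventID") != 1:
        return []
    if basename(event.get("Image", "")) not in POWERSHELL_IMAGES:
        return []
    cmd = event.get("CommandLine", "")
    indicators = []
    if basename(event.get("ParentImage", "")) == "explorer.exe":
        indicators.append("powershell spawned by explorer.exe (shortcut or double-click launch)")
    if HIDDEN_WINDOW.search(cmd):
        indicators.append("hidden window requested")
    if POLICY_BYPASS.search(cmd):
        indicators.append("execution policy bypass")
    match = SCRIPT_OFF_SYSTEM_DRIVE.search(cmd)
    if match:
        indicators.append(f"script run from non-system drive: {match.group(0)}")
    return indicators


def find_suspicious(jsonl: str, threshold: int = 2) -> List[Finding]:
    """Parse JSON-lines events and keep those with at least `threshold`
    indicators, so a lone execution-policy bypass by an admin is not flagged."""
    findings = []
    for line in jsonl.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        indicators = analyse_event(event)
        if len(indicators) >= threshold:
            findings.append(Finding(event.get("User", "?"), event.get("CommandLine", ""), indicators))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"[{f.user}] {f.command_line}")
        for ind in f.indicators:
            print(f"    - {ind}")
```

The threshold keeps the rule from firing on a routine administrative launch (the second sample event has no indicators at all), while the first event, which mirrors the shortcut-to-PowerShell step the article describes, trips all four. In production the drive-letter heuristic would be replaced by correlating the script path with the volume-mount events Windows records when an ISO is attached.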
The PowerShell script is designed to extract malicious data hidden inside the image1.png file using steganography. This technique encodes the payload inside the image’s pixel data, making it harder for traditional security systems to detect. Once the hidden payload is extracted, it’s decoded and executed in memory. This allows the malware to remain hidden during the initial stages of infection.
The extracted payload downloads a ZIP file, SumatraPDF.zip, from an attacker-controlled domain, resumebuilders.us. While the name of the domain may seem related to a resume-building service, it is, in fact, a malicious site used to distribute additional malware. The ZIP file contains a legitimate copy of the SumatraPDF PDF viewer along with a tampered DWrite.dll file. This is where the DLL sideloading technique comes into play.
By placing the tampered DWrite.dll file in the same directory as SumatraPDF.exe, the malware tricks the viewer into loading the malicious DLL instead of the legitimate system copy: when a program loads a DLL by bare name, Windows searches the application's own directory before the system directory, so the attacker's library wins. Because the code runs inside a legitimate, signed application, this sideloading method allows the attacker to bypass security and gain control over the infected system without triggering alarms.
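A practical defensive check for this sideloading pattern is to look for system DLL names sitting beside an executable outside the Windows directory and compare them with the trusted copy. The scanner below is an added example written for this article, not the campaign's code or a vendor tool. It assumes a caller supplies SHA-256 hashes of the genuine system DLLs (on a real host these would be computed from C:\Windows\System32); the demo directory tree, file contents and the "known good" hashes are all constructed inline so the example runs anywhere.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# System DLL names that applications commonly load by bare name and that are
# therefore candidates for sideloading. DWrite.dll is the one named in the
# article; the others are well-known examples. Extend for your environment.
COMMONLY_SIDELOADED = {"dwrite.dll", "version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}

# Directories where these DLLs legitimately live and should not be reported.
SYSTEM_DIRS = ("c:\\windows\\",)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_sideload_candidates(root: Path, known_good: Dict[str, str]) -> List[dict]:
    """Walk `root` and report every commonly-sideloaded DLL name that sits in
    the same directory as an .exe, is outside the Windows directory, and does
    not hash-match the trusted system copy in `known_good` (name -> sha256)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if str(dirpath).lower().startswith(SYSTEM_DIRS):
            continue
        exes = [f for f in filenames if f.lower().endswith(".exe")]
        if not exes:
            continue  # a DLL with no executable beside it cannot be sideloaded from here
        for name in filenames:
            lname = name.lower()
            if lname not in COMMONLY_SIDELOADED:
                continue
            dll_path = Path(dirpath) / name
            digest = sha256_of(dll_path)
            trusted = known_good.get(lname)
            if trusted is not None and digest == trusted:
                continue  # byte-identical to the genuine system DLL: benign redistribution
            findings.append({
                "dll": str(dll_path),
                "beside": exes,
                "sha256": digest,
                "matches_known_good": trusted == digest,
            })
    return findings


def build_demo() -> List[dict]:
    """Constructed scenario: a fake system32 holding the 'genuine' DWrite.dll,
    a Downloads folder with SumatraPDF.exe next to a different DWrite.dll
    (the article's pattern), a portable app shipping the identical genuine
    DLL (should not be flagged), and a tools folder with an unrelated DLL."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        sys32 = base / "system32"
        sys32.mkdir()
        (sys32 / "DWrite.dll").write_bytes(b"MZ genuine dwrite placeholder")  # constructed
        known_good = {"dwrite.dll": sha256_of(sys32 / "DWrite.dll")}

        suspicious = base / "Downloads" / "SumatraPDF"
        suspicious.mkdir(parents=True)
        (suspicious / "SumatraPDF.exe").write_bytes(b"MZ placeholder viewer")  # constructed
        (suspicious / "DWrite.dll").write_bytes(b"MZ tampered placeholder")  # constructed

        portable = base / "Portable"
        portable.mkdir()
        (portable / "app.exe").write_bytes(b"MZ placeholder app")  # constructed
        (portable / "DWrite.dll").write_bytes(b"MZ genuine dwrite placeholder")  # same as system copy

        tools = base / "Tools"
        tools.mkdir()
        (tools / "tool.exe").write_bytes(b"MZ")  # constructed
        (tools / "helper.dll").write_bytes(b"MZ")  # not a sideloading name

        return scan_for_sideload_candidates(base, known_good)


if __name__ == "__main__":
    for finding in build_demo():
        print(finding)
```

Only the Downloads copy is reported: the portable application's DWrite.dll hashes the same as the system copy, and helper.dll is not a name any common program resolves from its own directory. On a live host, feeding the scanner a hash list built from the real System32 directory turns it into a quick triage sweep of user-writable locations such as Downloads and Temp.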
Once the DLL is successfully sideloaded, the malware begins its system fingerprinting phase. It collects details about the operating system, user accounts, and host configuration by reading the system registry and environment variables. This helps the attacker tailor future actions based on the specific system configuration and avoid detection in specific environments.
The malware performs several defense evasion techniques to avoid detection. It checks for the presence of virtual machines (VMs), sandboxes, debuggers, and analysis tools to ensure it is not running in a controlled or monitored environment. If it detects any such systems, it will terminate its execution. This demonstrates the threat actor’s advanced operational security, ensuring the malware remains undetected.
Moreover, BlackSanta is designed to evade endpoint detection by targeting antivirus and EDR (Endpoint Detection and Response) software. A dedicated EDR-killer module disables these security measures, allowing the subsequent malware components to run freely without being flagged by traditional defenses. This makes BlackSanta particularly dangerous, as it neutralizes the very tools that are meant to detect and stop it.
The BlackSanta malware campaign represents a highly sophisticated threat targeting recruitment workflows and HR professionals. Through spear-phishing emails, DLL sideloading, and advanced evasion techniques, the malware silently compromises systems and steals sensitive data while bypassing security defenses. For HR teams and organizations, the primary defense against such threats is awareness and vigilance. Strong email filtering, endpoint protection, and network security tools can help detect and stop these attacks before they cause significant damage.
For organizations, a multi-layered security strategy is essential to protect against such evolving threats. Regular updates to security tools and continuous monitoring of network and endpoint activity can help organizations stay one step ahead of attackers and ensure that campaigns like BlackSanta are detected early before they escalate.