Full Report
For more than a year, a Russian-speaking threat actor targeted human resource (HR) departments with malware that delivers a new EDR killer named BlackSanta. [...]
Analysis Summary
# Threat Actor: Unnamed Russian-speaking Actor
## Attribution & Identity
- **Origin:** Russian-speaking (based on linguistic indicators and TTPs).
- **Status:** Unnamed/Emerging.
- **Characteristics:** Highly sophisticated, strong operational security (OpSec), and utilizes context-aware, stealthy infection chains.
## Activity Summary
- **Campaign Period:** Active for at least one year (since late 2024 or early 2025).
- **Recent Operations:** Targeted campaigns against Human Resource (HR) departments using a multi-stage infection chain to deploy a custom security-evasion tool named **BlackSanta**. The campaign relies on social engineering (fake resumes) and advanced persistence/evasion techniques.
## Tactics, Techniques & Procedures
- **Social Engineering:** Spear-phishing targeting HR staff with themes related to job applications/resumes.
- **Initial Access:** Delivery of malicious ISO image files hosted on cloud services (Dropbox).
- **Steganography:** Hiding malicious code within image files to bypass network security scanners.
- **Execution:**
  - Windows Shortcut (.LNK) files disguised as PDFs.
  - DLL sideloading (a legitimate `SumatraPDF` executable loads a malicious `DWrite.dll`).
  - Process hollowing to execute final payloads inside legitimate system processes.
- **Defense Evasion:**
  - **EDR Killing:** Use of the custom "**BlackSanta**" module.
  - **BYOVD (Bring Your Own Vulnerable Driver):** Exploiting legitimate but vulnerable drivers to gain kernel-level access.
  - **Host Weakening:** Modifying Registry keys to reduce telemetry/sample submission and adding Windows Defender exclusions for `.dll` and `.sys` files.
  - **Anti-Analysis:** Environment checks for sandboxes, VMs, and debuggers.
- **MITRE ATT&CK IDs:**
  - T1566 (Phishing)
  - T1553.005 (Subvert Trust Controls: Mark-of-the-Web Bypass)
  - T1027.003 (Obfuscated Files or Information: Steganography)
  - T1574.002 (Hijack Execution Flow: DLL Side-Loading)
  - T1055.012 (Process Injection: Process Hollowing)
  - T1068 (Exploitation for Privilege Escalation)
  - T1562.001 (Impair Defenses: Disable or Modify Tools)
## Targeting
- **Sectors:** Human Resources (HR) departments across various industries.
- **Geography:** Undisclosed, but infrastructure indicates a global reach with Russian-speaking origins.
- **Victims:** Corporate HR departments targeted via recruitment-themed lures.
## Tools & Infrastructure
- **Malware:**
  - **BlackSanta:** An "EDR killer" executable designed to terminate security processes at the kernel level.
  - **SumatraPDF:** Legitimate binary used for DLL sideloading.
  - **Drivers (BYOVD):**
    - RogueKiller Antirootkit driver v3.1.0 (`truesight.sys`)
    - IObitUnlocker.sys v1.2.0.1
- **Payload/Persistence:** PowerShell scripts, `.LNK` files, and `.ISO` containers.
- **Infrastructure:**
  - **Cloud Storage:** `dropbox[.]com`
  - **C2:** Multiple IP addresses (unspecified in the article, but identified by researchers).
  - **Files:** `DWrite.dll` (malicious loader).
## Implications
This actor demonstrates a high level of technical proficiency by combining social engineering with kernel-level exploitation. The focus on HR departments is strategic, as these employees frequently open attachments from unknown external sources (applicants). The use of the "BlackSanta" tool signifies a growing trend where threat actors prioritize the total neutralization of EDR/AV solutions before executing their primary objectives (likely data exfiltration or ransomware).
## Mitigations
- **Endpoint Protection:** Implement EDR solutions that monitor for the loading of known vulnerable drivers (BYOVD protection) and unauthorized Registry modifications.
- **Email Security:** Use advanced threat protection to scan for and block ISO/LNK attachments in incoming emails.
- **Attack Surface Reduction:** Block the execution of unsigned or untrusted DLLs and monitor for DLL sideloading in common productivity applications.
- **User Training:** Conduct specialized phishing simulations for HR personnel regarding the risks of downloading files (ISO, ZIP, LNK) from recruitment-themed links.
- **System Hardening:** Restrict administrative privileges to prevent the installation of unauthorized kernel drivers.
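As an added example (not from the report or the researchers' tooling), the following PowerShell audit checks a Windows host for the host-weakening and BYOVD indicators described in the Defense Evasion and Tools sections: extension-wide Defender exclusions, reduced cloud/sample submission, the two named vulnerable drivers, and a `DWrite.dll` co-located with `SumatraPDF`. It assumes the `MAPSReporting` and `SubmitSamplesConsent` Defender preferences are the settings behind the "telemetry/sample submission" Registry changes the report mentions; run it elevated.

```powershell
# Added host audit for the BlackSanta-style indicators in this report.
# Driver and file names come from the report; the Defender preference names
# below are an assumption about which settings the telemetry changes touch.

$findings = @()

# 1. Defender exclusions for whole extensions (.dll / .sys) are rarely legitimate.
$pref = Get-MpPreference
foreach ($ext in @($pref.ExclusionExtension)) {
    if ($ext -match '^\.?(dll|sys)$') {
        $findings += "Defender extension exclusion present: $ext"
    }
}

# 2. Cloud-delivered protection (MAPS) and sample submission turned down.
if ($pref.MAPSReporting -eq 0) {
    $findings += "MAPSReporting is 0 (cloud protection disabled)"
}
if ($pref.SubmitSamplesConsent -eq 2) {
    $findings += "SubmitSamplesConsent is 2 (never send samples)"
}

# 3. Vulnerable drivers named in the report, registered as a driver service
#    (running or not). Matching is case-insensitive by default.
$byovd = 'truesight\.sys$|IObitUnlocker\.sys$'
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match $byovd } |
    ForEach-Object {
        $findings += "BYOVD driver service '$($_.Name)' ($($_.State)): $($_.PathName)"
    }

# 4. Sideloading indicator: DWrite.dll next to a running SumatraPDF instead of
#    the copy in System32.
Get-Process -Name SumatraPDF -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path) {
        $dir = Split-Path $_.Path -Parent
        if (Test-Path (Join-Path $dir 'DWrite.dll')) {
            $findings += "DWrite.dll co-located with SumatraPDF in $dir"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No BlackSanta-style host-weakening indicators found."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A clean result here does not clear the host; it only covers the specific weakening steps this report describes, so pair it with driver-load and Registry telemetry from the EDR.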