

Ethical Hacking News

Aryaka Reveals the Dark Side of Hiring: How Fake CVs are Being Used to Steal Data from Corporate Machines



Aryaka reveals a new tactic being used by Russian-speaking attackers to target corporate machines through fake job applications, which pack malware that can disable security tools and steal data from infected devices. The campaign, dubbed "BlackSanta," uses an EDR killer component to gain deeper control of the system and carry out further malicious activities.

  • Cybersecurity experts have identified a new tactic used by Russian-speaking attackers targeting corporate HR teams.
  • The attack uses fake job applications with malware that can disable security tools and steal data from infected machines.
  • The malware is designed to be difficult for security tools to spot, using techniques such as packing the payload into an image file.
  • The attackers use a component called "BlackSanta" to disable EDR agents and other security measures, allowing them to gain deeper control of the system.
  • The malware shifts to data collection after defenses are disabled, hunting for sensitive files and cryptocurrency-related artifacts.
  • The attack highlights the dangers of treating HR inboxes as low-risk territory, with attackers becoming more sophisticated in their tactics.



    Cybersecurity experts at Aryaka have shed light on a disturbing new tactic used by Russian-speaking attackers to target corporate HR teams. In a threat report, the networking and security outfit details an operation where fake job applications pack malware that can disable security tools before stealing data from infected machines.

    The malicious document arrives as an ISO disk image, a file format Windows can mount like a virtual drive. Once the image is opened, it reveals a shortcut that quietly launches hidden commands in the background. Those commands unpack malware concealed inside an image file – a trick designed to make the payload harder for security tools to spot.
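
    One way a mail gateway or HR intake script could flag this delivery format before anyone mounts it, shown as an added example that is not from Aryaka's report: it checks an attachment for an ISO 9660 volume descriptor and for Windows shortcut headers stored inside the image. The function names, verdict strings and sample bytes are assumptions constructed for illustration.

```python
# Added example: static triage of a job-application attachment (not Aryaka's tooling).
ISO_ID = b"CD001"                            # ISO 9660 volume descriptor identifier
ISO_ID_OFFSETS = (0x8001, 0x8801, 0x9001)    # byte 1 of sectors 16, 17 and 18
# Shell Link (.lnk) header: HeaderSize 0x4C followed by the fixed LinkCLSID
LNK_HEADER = bytes.fromhex("4c0000000114020000000000c000000000000046")
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".rtf", ".odt")


def is_iso_image(data: bytes) -> bool:
    """True if an ISO 9660 descriptor is present (UDF-only images are not covered)."""
    return any(data[o:o + 5] == ISO_ID for o in ISO_ID_OFFSETS)


def lnk_offsets(data: bytes) -> list:
    """Offsets of embedded shortcut headers; ISO 9660 stores files uncompressed."""
    found, pos = [], data.find(LNK_HEADER)
    while pos != -1:
        found.append(pos)
        pos = data.find(LNK_HEADER, pos + 1)
    return found


def triage(filename: str, data: bytes) -> dict:
    iso = is_iso_image(data)
    lnks = lnk_offsets(data) if iso else []
    # A disk image wearing a document extension is a mismatch worth recording.
    disguised = iso and filename.lower().endswith(DOC_EXTENSIONS)
    if iso and lnks:
        verdict = "quarantine"   # disk image carrying a shortcut
    elif iso:
        verdict = "review"       # a CV has no reason to be a disk image
    else:
        verdict = "pass"         # continue to normal attachment scanning
    return {"file": filename, "iso": iso, "lnk_offsets": lnks,
            "disguised": disguised, "verdict": verdict}


def make_sample_iso(with_lnk: bool) -> bytes:
    """Constructed test input: minimal ISO-like layout, not a real sample."""
    image = bytearray(20 * 2048)
    image[0x8000:0x8006] = b"\x01" + ISO_ID
    if with_lnk:
        image[19 * 2048:19 * 2048 + len(LNK_HEADER)] = LNK_HEADER
    return bytes(image)


if __name__ == "__main__":
    for name, blob in [("resume.iso", make_sample_iso(True)),
                       ("cv_jane_doe.pdf", make_sample_iso(False)),
                       ("cv.pdf", b"%PDF-1.7\n% constructed benign sample\n")]:
        print(triage(name, blob))
```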

    From there, the attack burrows deeper into the system. The malware connects to remote infrastructure controlled by the attackers and begins gathering details about the compromised machine before pulling down additional instructions. Much of the activity runs directly in memory, leaving fewer traces behind for defenders to discover later.

    The campaign's most concerning feature is a component dubbed "BlackSanta," which the report describes as an EDR killer – software specifically designed to disable the very tools meant to detect intrusions. It knocks down defenses by killing antivirus processes, disabling EDR agents, weakening Microsoft Defender, and even muting some logs that might otherwise tip off administrators that something is amiss. This allows the attackers to gain deeper control of the system and carry out further malicious activities.

    In practical terms, the tool clears the security guards out of the building before the burglars start rifling through the filing cabinets. Once defenses are disabled, the malware shifts to data collection, hunting for useful information on the infected device. According to the report, the attackers are particularly interested in sensitive files and cryptocurrency-related artifacts. Any valuable data it finds is quietly exfiltrated over encrypted connections.

    The broader lesson is that recruitment pipelines have become a surprisingly effective entry point for attackers, according to Aryaka. Hiring teams regularly download files from strangers and work under pressure to process large volumes of applications, making them an attractive target compared with more tightly controlled IT environments.

    "Organizations should treat HR workflows with the same defensive rigor as finance and IT administrative functions," concluded Sood. "We're seeing attackers increasingly happy to start their break-ins where the guard is least likely to be watching."

    The report highlights the dangers of treating HR inboxes as low-risk territory, as attackers are becoming more sophisticated in their tactics. As one expert noted, fake CVs are a common tool used by attackers to gain access to sensitive data.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Aryaka-Reveals-the-Dark-Side-of-Hiring-How-Fake-CVs-are-Being-Used-to-Steal-Data-from-Corporate-Machines-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2026/03/10/malware_targeting_hr/

  • https://www.theregister.com/2026/03/10/malware_targeting_hr/

  • https://www.cyberdefensemagazine.com/deepfakes-at-the-gate-how-fake-job-applicants-are-becoming-a-serious-cyber-threat/


  • Published: Wed Mar 11 11:23:24 2026 by llama3.2 3B Q4_K_M












