Fake job applications pack malware that kills EDR before stealing data
Summary
Researchers at Aryaka have detailed a campaign in which Russian-speaking attackers send fake CVs to corporate HR teams. The lure is an ISO file hosted on a familiar cloud-storage link. When mounted, the ISO contains a shortcut that launches hidden commands, which unpack malware concealed inside an image file and execute much of the activity in memory to avoid detection.
The operation includes a component called “BlackSanta” — an EDR killer that uses a Bring Your Own Vulnerable Driver (BYOVD) technique to load legitimate but buggy kernel drivers, gain kernel-level access, and then disable security tools (antivirus and EDR agents), weaken Microsoft Defender and mute some logs. After defences are knocked out, the malware hunts for sensitive files and cryptocurrency artefacts and exfiltrates them over encrypted channels.
Key Points
- Attackers target HR by sending seemingly normal CVs hosted on cloud storage to encourage quick downloads.
- Payload is delivered as an ISO; a shortcut inside executes hidden commands that unpack malware from an image file.
- Much of the malicious activity runs in memory, reducing forensic traces and making detection harder.
- BlackSanta is an EDR-killer that uses BYOVD — loading vulnerable legitimate kernel drivers to gain deep system control.
- Once EDR/AV are disabled, the malware searches for sensitive documents and crypto-related data and exfiltrates them over encrypted channels.
- Recruitment workflows are highlighted as a low-risk-but-high-opportunity vector for attackers.
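Two of the chain's observable stages (a shortcut inside a mounted ISO spawning a script host, and a kernel driver load during the BYOVD step) leave endpoint telemetry that can be triaged. The following is an added illustration, not code from Aryaka or The Register: it runs two heuristic rules over constructed Sysmon-style events (field names follow Sysmon's ProcessCreate and DriverLoad events; the driver hash blocklist is a placeholder standing in for a real feed such as Microsoft's vulnerable driver blocklist).

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Interpreters a .lnk typically hands its hidden command to.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
SYSTEM_DRIVE = "C:"
# Placeholder blocklist (assumption): a real deployment would load a
# vulnerable-driver hash feed here rather than hard-code values.
BLOCKED_DRIVER_SHA256 = {"0" * 63 + "1"}

@dataclass
class Event:
    eid: int       # Sysmon event id: 1 = ProcessCreate, 6 = DriverLoad
    fields: dict

def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def iso_shortcut_launch(e: Event) -> bool:
    """Script host started by explorer.exe (a double-clicked shortcut) from a
    volume other than the system drive; a mounted ISO gets its own letter."""
    if e.eid != 1:
        return False
    f = e.fields
    return (_base(f.get("Image", "")) in SCRIPT_HOSTS
            and _base(f.get("ParentImage", "")) == "explorer.exe"
            and not f.get("CurrentDirectory", "").upper().startswith(SYSTEM_DRIVE))

def suspicious_driver_load(e: Event) -> bool:
    """Driver load whose SHA256 is blocklisted or whose signature is not valid."""
    if e.eid != 6:
        return False
    f = e.fields
    hashes = dict(p.split("=", 1) for p in f.get("Hashes", "").split(",") if "=" in p)
    sha256 = hashes.get("SHA256", "").upper()
    return sha256 in BLOCKED_DRIVER_SHA256 or f.get("SignatureStatus") != "Valid"

def triage(events):
    """Return (rule, artefact) pairs for every event that trips a rule."""
    hits = []
    for e in events:
        if iso_shortcut_launch(e):
            hits.append(("iso_shortcut_launch", e.fields.get("CommandLine")))
        if suspicious_driver_load(e):
            hits.append(("suspicious_driver_load", e.fields.get("ImageLoaded")))
    return hits

# Constructed sample events (not taken from the article): one ISO launch,
# one benign shell, one blocklisted driver, one normal signed driver.
SAMPLE = [
    Event(1, {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
              "CurrentDirectory": "E:\\", "CommandLine": r"cmd.exe /c E:\resume\open.cmd"}),
    Event(1, {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
              "CurrentDirectory": r"C:\Users\hr", "CommandLine": "cmd.exe"}),
    Event(6, {"ImageLoaded": r"C:\Windows\Temp\drv.sys", "Hashes": "SHA256=" + "0" * 63 + "1",
              "SignatureStatus": "Valid"}),
    Event(6, {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Hashes": "SHA256=ABCD",
              "SignatureStatus": "Valid"}),
]
```

The ISO rule is deliberately a heuristic: a signed, benign driver with a valid signature and an unlisted hash is not flagged, and a shell started from a USB stick would be, so both rules belong in a triage queue rather than an automatic block.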
Context and relevance
This attack shows a shift towards exploiting non-technical business workflows — HR inboxes and hiring processes — where teams habitually handle external files and operate under time pressure. For defenders, it underscores that perimeter or IT-focused controls alone are insufficient: social engineering + creative packaging (ISO + image-based payloads + in-memory execution) can bypass typical endpoint protections. The BYOVD approach and EDR-killer capability make post-compromise activity far more damaging because defenders may be blindfolded before theft begins.
Why should I read this?
Look, this isn’t your usual phishing link — it’s a CV that quietly neuters your security tools. If you work in HR, IT or security, it’s a proper wake-up call: stop treating HR inboxes like low-risk junk mail. The attack is clever, stealthy and built to make detection pointless before data is grabbed. Read the details so you can actually do something about it (bunch of basic controls + training will save you a lot of pain).
Source
Source: https://www.theregister.com/2026/03/10/malware_targeting_hr/
