Fake job applications pack malware that kills EDR before stealing data
Summary
A Russian-speaking threat actor is using fake CVs hosted on familiar cloud services to trick HR staff into downloading ISO files that mount as virtual drives. Opening the ISO launches a chain of hidden actions that unpack a payload concealed inside an image file, run much of the activity in memory, and give attackers a foothold on the machine.
The campaign includes a component called “BlackSanta” — an “EDR killer” that uses Bring Your Own Vulnerable Driver (BYOVD) techniques to load legitimate but vulnerable kernel drivers, escalate privileges, and disable defences such as antivirus processes, EDR agents and some Windows Defender logging. Once defences are down, the malware hunts for sensitive files and crypto-related artefacts and exfiltrates them over encrypted channels.
Key Points
- Attackers send fake job applications containing ISO images that mount like a virtual drive when opened.
- The payload is hidden inside an image file to evade detection, and much of its activity occurs in memory.
- BlackSanta component targets and disables EDR and antivirus tools using BYOVD (Bring Your Own Vulnerable Driver).
- With defences disabled, the attackers search for sensitive documents and cryptocurrency artefacts for exfiltration.
- HR workflows are attractive targets because recruiters routinely download files from strangers and process many applications under time pressure.
- Aryaka’s report urges organisations to apply the same defensive rigour to HR as to finance and IT admin functions.
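As an added defender-side illustration (not code from The Register article or Aryaka's report), the Python below correlates constructed, normalised endpoint events into the chain described above: ISO mount, execution from the mounted drive, a kernel driver load outside an allowlist, and termination of an EDR/AV process. The event schema, the driver allowlist and every sample path are hypothetical; MsMpEng.exe and MsSense.exe are named only as examples of Defender processes.

```python
from datetime import datetime, timedelta
# Defender/EDR user-mode processes whose termination is a kill indicator (examples, not exhaustive).
EDR_PROCESSES = {"msmpeng.exe", "mssense.exe"}
# Hypothetical allowlist of driver paths the organisation expects; anything else is reviewed.
KNOWN_DRIVERS = {r"c:\windows\system32\drivers\ntfs.sys", r"c:\windows\system32\drivers\tcpip.sys"}
WINDOW = timedelta(minutes=15)  # how long after the ISO mount the later stages may appear

def correlate(events):
    """Group normalised endpoint events per host and return one finding per ISO mount that
    is followed within WINDOW by execution from the mounted drive and at least one of:
    a kernel driver load outside the allowlist, or termination of an EDR/AV process."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(e["host"], []).append(e)
    findings = []
    for host, evs in by_host.items():
        for i, mount in enumerate(evs):
            if mount["kind"] != "iso_mount":
                continue
            drive, t0 = mount["drive"].lower(), datetime.fromisoformat(mount["time"])
            stages = {"iso_mount": mount["iso"]}
            for e in evs[i + 1:]:
                if datetime.fromisoformat(e["time"]) - t0 > WINDOW:
                    break
                img = e.get("image", "").lower()
                if e["kind"] == "process_create" and img.startswith(drive):
                    stages["exec_from_iso"] = e["image"]
                elif e["kind"] == "driver_load" and img not in KNOWN_DRIVERS:
                    stages["unexpected_driver"] = e["image"]
                elif e["kind"] == "process_terminate" and img.rsplit("\\", 1)[-1] in EDR_PROCESSES:
                    stages["edr_terminated"] = e["image"]
            # Require execution from the ISO plus one later stage; the EDR kill itself may never be
            # logged if the agent dies first, so the driver load alone is enough to raise it.
            if "exec_from_iso" in stages and len(stages) >= 3:
                findings.append({"host": host, **stages})
    return findings

# Constructed sample: one HR workstation following the reported chain, one admin mounting install media.
SAMPLE_EVENTS = [
    {"time": "2026-03-10T09:00:00", "host": "hr-pc-01", "kind": "iso_mount", "iso": r"C:\Users\recruiter\Downloads\CV_J_Doe.iso", "drive": "E:"},
    {"time": "2026-03-10T09:00:12", "host": "hr-pc-01", "kind": "process_create", "image": r"E:\Open_CV.exe"},
    {"time": "2026-03-10T09:01:40", "host": "hr-pc-01", "kind": "driver_load", "image": r"C:\Users\recruiter\AppData\Local\Temp\PLACEHOLDER_vulnerable.sys"},
    {"time": "2026-03-10T09:01:45", "host": "hr-pc-01", "kind": "process_terminate", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"time": "2026-03-10T10:30:00", "host": "it-admin-02", "kind": "iso_mount", "iso": r"D:\Images\Win11.iso", "drive": "F:"},
    {"time": "2026-03-10T10:30:30", "host": "it-admin-02", "kind": "process_create", "image": r"F:\setup.exe"},
    {"time": "2026-03-10T10:31:00", "host": "it-admin-02", "kind": "driver_load", "image": r"C:\Windows\System32\drivers\ntfs.sys"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

Only the HR host is reported; the admin's install-media mount and its allowlisted driver load stay below the threshold, which is the false-positive case any ISO-mount rule has to tolerate.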
Context and relevance
This campaign highlights a broader shift in attacker tradecraft: targeting non-IT business units that habitually receive external files. HR inboxes and recruitment pipelines are low-friction entry points that can bypass perimeter controls if staff are not trained or systems are not hardened. The use of BYOVD and memory-resident techniques makes detection and post-compromise forensics harder, raising the stakes for containment and recovery.
Why should I read this?
Look — this isn’t just another malware story. If you run or support HR, or manage endpoint security, this directly affects you. It shows how a routine CV can be weaponised to kill your EDR and nick your most sensitive files. Read it to stop the next recruiter from accidentally handing crooks the keys.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/03/10/malware_targeting_hr/
