Allegedly Russian-speaking hackers are targeting recruitment teams with a malware campaign that hides inside fake job applications. Aryaka, a network security firm, published research on March 11, 2026, detailing an operation it calls BlackSanta that uses resume-themed ISO files delivered through cloud hosting services like Dropbox to infect corporate endpoints. The campaign has been running for over a year.
The attack exploits one thing recruiters cannot avoid. They open files from strangers. An HR employee receives what looks like a normal job application with a link to a CV on a cloud storage platform. In one case documented by Aryaka, the bait file used the name "Celine_Pesant."
A Dropbox-hosted link delivers the ISO file. When the victim mounts it, a malicious Windows shortcut (LNK) file executes, triggering the infection chain.
Obfuscated PowerShell commands run next. The malware extracts hidden payloads from a steganographic image, a technique where malicious code is embedded inside a normal-looking picture file. A malicious DLL is then sideloaded using a legitimate signed application, letting the attacker's code run under the guise of trusted software.
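The shortcut-to-PowerShell step is the most visible point in this chain for a defender, because the launch lands in ordinary process-creation telemetry. The following is an added example in PowerShell, not code from Aryaka's research: a heuristic triage check over process-creation records shaped like Sysmon Event ID 1 (the field names Image, ParentImage, CommandLine, CurrentDirectory and User are Sysmon's). It scores PowerShell launches for the combination of an explorer.exe parent, loader-style switches, and execution from a non-system drive letter such as a freshly mounted ISO, and reports records with two or more hits. The sample records are constructed; the ConvertFrom-SysmonEvent helper shows how to feed live events from Get-WinEvent instead.

```powershell
# Added example: heuristic triage for PowerShell launched from a shortcut inside a mounted ISO.
# Not from the Aryaka report. Field names follow Sysmon Event ID 1; sample records are constructed.

function ConvertFrom-SysmonEvent {
    # Flattens a Sysmon EventLogRecord's <Data Name="...">value</Data> elements into one object.
    param([Parameter(Mandatory, ValueFromPipeline)] $WinEvent)
    process {
        $fields = @{}
        foreach ($d in ([xml]$WinEvent.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

function Test-LnkPowerShellLaunch {
    param([Parameter(Mandatory)] [pscustomobject] $Record)

    $image  = [IO.Path]::GetFileName([string]$Record.Image).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName([string]$Record.ParentImage).ToLowerInvariant()
    if ($image -notin @('powershell.exe', 'pwsh.exe')) { return $null }

    $cmd = [string]$Record.CommandLine
    $reasons = [System.Collections.Generic.List[string]]::new()

    # A double-clicked .lnk is started by the shell, so explorer.exe is the direct parent.
    if ($parent -eq 'explorer.exe') { $reasons.Add('parent is explorer.exe (shortcut/double-click launch)') }

    # Switches typical of loader one-liners rather than interactive use.
    if ($cmd -match '(?i)(^|\s)-(e|ec|enc|encodedcommand)\s')             { $reasons.Add('encoded command') }
    if ($cmd -match '(?i)-w(indowstyle)?\s+hidden')                       { $reasons.Add('hidden window') }
    if ($cmd -match '(?i)-nop(rofile)?\b|-e(xecutionpolicy|p)\s+bypass')  { $reasons.Add('profile or execution-policy bypass') }
    if ($cmd -match '(?i)FromBase64String|DownloadString|Invoke-Expression|\bIEX\b') { $reasons.Add('in-memory decode/download/eval primitive') }

    # A mounted ISO gets a fresh drive letter; work from, or references to, a non-C: drive stand out on an HR desktop.
    if (([string]$Record.CurrentDirectory) -match '^[D-Zd-z]:\\' -or $cmd -match '(?i)\b[D-Z]:\\[^"'' ]*\.(lnk|iso)\b') {
        $reasons.Add('non-system drive letter involved (possible mounted ISO)')
    }

    if ($reasons.Count -lt 2) { return $null }
    [pscustomobject]@{
        User        = $Record.User
        Score       = $reasons.Count
        Reasons     = $reasons -join '; '
        CommandLine = $cmd
    }
}

# Constructed sample records. The encoded command is a harmless Write-Host, built here so it is valid base64.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host "constructed sample"'))
$sample = @(
    [pscustomobject]@{ User = 'CORP\hr.analyst'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; CurrentDirectory = 'E:\'
                       CommandLine = "powershell.exe -nop -w hidden -enc $encoded" }
    [pscustomobject]@{ User = 'CORP\it.admin'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; CurrentDirectory = 'C:\Users\it.admin'
                       CommandLine = 'powershell.exe' }
    [pscustomobject]@{ User = 'NT AUTHORITY\SYSTEM'; Image = 'C:\Windows\System32\svchost.exe'
                       ParentImage = 'C:\Windows\System32\services.exe'; CurrentDirectory = 'C:\Windows\system32\'
                       CommandLine = 'svchost.exe -k netsvcs' }
)

$sample | ForEach-Object { Test-LnkPowerShellLaunch -Record $_ } | Format-List

# Live use on a host with Sysmon installed (elevated shell):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000 |
#     ConvertFrom-SysmonEvent | ForEach-Object { Test-LnkPowerShellLaunch -Record $_ }
```

On the constructed sample only the hr.analyst record is reported: it collects all five reasons, while the interactive launch by it.admin scores one (explorer.exe parent alone) and is dropped, which keeps ordinary "open a PowerShell window" activity out of the alert queue. The threshold of two hits is a starting point; on recruiter workstations, where PowerShell has no business running at all, a threshold of one with the explorer.exe parent as the sole criterion is defensible.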
The malware is cautious. It inspects the hostname, username patterns, and Windows locale settings before activating. If it detects virtualization artifacts or debugging tools commonly found in security research sandboxes, it stays dormant.
Aryaka calls the core module BlackSanta. It is an EDR killer, a tool designed to disable Endpoint Detection and Response software. BlackSanta uses BYOVD (Bring Your Own Vulnerable Driver), loading a legitimate but outdated kernel driver with known security flaws to reach kernel mode.
Kernel access gives BlackSanta full control of the endpoint. It terminates antivirus processes, shuts down EDR agents, weakens Microsoft Defender protections, suppresses system logging, and removes visibility from security consoles. Aryaka's Aditya Sood described the operation as "operationally disciplined intrusion engineering" that blends social engineering, living-off-the-land techniques, and kernel-level abuse.
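Because BYOVD relies on a driver that Windows will still happily load, the practical counter-check is an inventory of what is actually running in the kernel and who signed it. The block below is an added example, not code from Aryaka's report: it lists running kernel drivers with their Authenticode status, signer and SHA-256, and pulls out those that are not signed with the Windows OS-component certificate for review against Microsoft's published vulnerable driver block rules (which this script does not embed). The signer match on "CN=Microsoft Windows" is an assumption about certificate subject naming and deliberately treats WHQL-attested third-party drivers as worth reviewing, since those are exactly the signed drivers BYOVD abuses.

```powershell
# Added example, not from the Aryaka report: inventory running kernel drivers and surface
# the ones to compare against Microsoft's vulnerable driver block rules. Run elevated.

function Get-RunningDriverSignatures {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Service image paths come in several NT-style forms; normalise to a Win32 path.
            $p = $_.PathName -replace '^\\\?\?\\', ''
            $p = $p -replace '^\\SystemRoot', $env:SystemRoot
            if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }

            $sig  = Get-AuthenticodeSignature -FilePath $p -ErrorAction SilentlyContinue
            $hash = Get-FileHash -Path $p -Algorithm SHA256 -ErrorAction SilentlyContinue
            $status = if ($sig) { [string]$sig.Status } else { 'Unreadable' }

            [pscustomobject]@{
                Name        = $_.Name
                Path        = $p
                Status      = $status
                Signer      = $sig.SignerCertificate.Subject
                CertValidTo = $sig.SignerCertificate.NotAfter
                Sha256      = $hash.Hash
            }
        }
}

function Select-ReviewWorthyDrivers {
    param([Parameter(Mandatory, ValueFromPipeline)] $Driver)
    process {
        # Assumption: the Windows OS-component signing certificate carries the subject "CN=Microsoft Windows".
        # WHQL-attested third-party drivers are signed by a different Microsoft publisher certificate and
        # therefore land in the review set, which is intended: they are the population BYOVD draws from.
        $osComponent = $Driver.Signer -match '^CN=Microsoft Windows(,|$)'
        if ($Driver.Status -ne 'Valid' -or -not $osComponent) { $Driver }
    }
}

Get-RunningDriverSignatures |
    Select-ReviewWorthyDrivers |
    Sort-Object Status, Signer |
    Format-Table Name, Status, Signer, CertValidTo, Sha256 -AutoSize
```

The SHA-256 column is there because Microsoft's block rules match drivers by Authenticode hash and by publisher/version, so the hash is what an analyst looks up. An expired CertValidTo on its own is not a finding (timestamped signatures stay valid), but a driver that is loaded while its signature reports anything other than Valid is.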
"Recruitment pipelines, often perceived as routine operations, are now high-value attack surfaces. Organizations should treat HR workflows with the same defensive rigor as finance and IT administrative functions," Sood, VP of security engineering at Aryaka, wrote in the company's blog post.
With EDR neutralized, the attackers search for cryptocurrency wallets and sensitive employee data. Communication with C2 (command-and-control) servers runs over encrypted HTTPS. Commands are dynamically decrypted and executed in memory, with additional payloads delivered through process hollowing to minimize forensic traces.
BYOVD attacks have surged in 2025 and 2026. Reynolds ransomware, identified in February 2026, bundled a vulnerable NSecKrnl driver (CVE-2025-68947) directly into its binary, according to Symantec and Carbon Black. In early February 2026, Huntress responded to an intrusion where attackers used a revoked EnCase forensic driver from 2010 to kill 59 security processes.
DeadLock ransomware used the same technique in December 2025. Cisco Talos found it exploiting a Baidu Antivirus driver vulnerability (CVE-2024-51324). Microsoft's Vulnerable Driver Blocklist exists to counter BYOVD, but attackers keep finding signed drivers that Windows will still load.
Aryaka did not name the specific vulnerable driver BlackSanta uses. No indicators of compromise appeared in the public blog post. The full technical report is available through the company's threat research lab.
Recruitment workstations need tighter controls. HR teams should restrict ISO file mounting, enforce application control policies that block unsigned executables, and enable Microsoft's Vulnerable Driver Blocklist and HVCI (Hypervisor-Protected Code Integrity). Workstations that handle external attachments should be segmented from the corporate network. Any unexpected PowerShell execution triggered by a shortcut file is a red flag.
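The two kernel-level mitigations named above, the Vulnerable Driver Blocklist and HVCI, can be audited and set from an elevated PowerShell session. The block below is an added example, not from Aryaka's post; the registry values and the Win32_DeviceGuard class it reads are the ones Microsoft documents for these features. Get-DriverHardeningState reports both the configured and the actually running state, which differ until the machine reboots, and Set-DriverHardening writes the settings with -WhatIf support so the change can be previewed first.

```powershell
# Added example, not from Aryaka's post: audit and optionally enforce the Vulnerable Driver
# Blocklist and HVCI on a Windows 10/11 workstation. Run elevated; HVCI takes effect after reboot.

$CiConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$HvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-DriverHardeningState {
    # Vulnerable Driver Blocklist: 1 = on, 0 = off. Recent Windows 11 builds enable it by default
    # and may not have the value at all, so an absent value is reported as "unset" rather than off.
    $blocklist = (Get-ItemProperty -Path $CiConfigKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklistState = switch ($blocklist) { 1 { 'enabled' } 0 { 'DISABLED' } default { 'unset (platform default)' } }

    # HVCI configured in the registry versus actually running: the Device Guard WMI class reports
    # SecurityServicesRunning, and a value of 2 in that array means HVCI is active.
    $hvciConfigured = (Get-ItemProperty -Path $HvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)

    [pscustomobject]@{
        VulnerableDriverBlocklist = $blocklistState
        HvciConfigured            = ($hvciConfigured -eq 1)
        HvciRunning               = $hvciRunning
    }
}

function Set-DriverHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($key in $CiConfigKey, $DeviceGuardKey, $HvciKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    if ($PSCmdlet.ShouldProcess($CiConfigKey, 'Set VulnerableDriverBlocklistEnable = 1')) {
        Set-ItemProperty -Path $CiConfigKey -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($HvciKey, 'Enable virtualization-based security and HVCI')) {
        Set-ItemProperty -Path $DeviceGuardKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
        Set-ItemProperty -Path $HvciKey -Name Enabled -Value 1 -Type DWord
        # Locked = 0 keeps the setting changeable by an administrator; 1 requires UEFI-level intervention to undo.
        Set-ItemProperty -Path $HvciKey -Name Locked -Value 0 -Type DWord
    }
}

$state = Get-DriverHardeningState
$state | Format-List
if ($state.VulnerableDriverBlocklist -eq 'DISABLED' -or -not $state.HvciRunning) {
    Write-Warning 'BYOVD mitigations incomplete: review with "Set-DriverHardening -WhatIf", then apply and reboot.'
}
```

HVCI needs a hypervisor-capable machine with Secure Boot; on hardware that cannot run it, HvciConfigured will read true after the change while HvciRunning stays false, and that gap is the thing to alert on in fleet inventory rather than the registry value alone. Restricting ISO mounting and the application-control policy mentioned above are separate controls (Group Policy removable-storage restrictions and WDAC or AppLocker respectively) and are not covered by this script.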