Aryaka Threat Labs identified a sophisticated malware campaign operated by a Russian-speaking threat actor, targeting primarily HR and recruitment personnel. Potential victims may be reached via emails containing links to download seemingly legitimate files disguised as resumes. Once accessed, these files initiate a staged infection chain that silently compromises the system.
The malware performs extensive system reconnaissance, collecting information about the operating system, user accounts, and host configuration. It conducts environment checks to detect virtual machines, sandboxes, debuggers, and restricted geographic regions, avoiding execution in monitored or controlled environments. It also employs multiple defense evasion techniques, including disabling or bypassing endpoint security solutions.
A key component of this campaign is BlackSanta, a specialized EDR-killer module designed to neutralize antivirus and EDR protections before additional malicious payloads are deployed. This ensures that subsequent malware components can execute undetected, giving the threat actor complete control over compromised systems.
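The behaviours described above (a resume-themed lure spawning processes, host reconnaissance, virtual-machine checks, and tampering with endpoint protection) are individually noisy but become a strong signal when they co-occur on one host in a short window. The script below is an added detection example written for this summary; it is not code from Aryaka Threat Labs and it contains no indicators from the report. The telemetry lines, field layout, stage names, command-line patterns and the 15-minute correlation window are all constructed assumptions chosen to illustrate staged-chain triage over process-creation events.

```python
"""Staged-behaviour triage over Windows process-creation telemetry.

Added example, not code from Aryaka Threat Labs or the report. The events,
field layout and indicator patterns below are constructed for illustration
and are not IoCs from the campaign described above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: timestamp | host | parent image | image | command line.
SAMPLE_EVENTS = r"""
2024-05-01T09:00:02 HR-PC-01 C:\Windows\explorer.exe C:\Users\hr\Downloads\Resume_JDoe.exe "Resume_JDoe.exe"
2024-05-01T09:00:05 HR-PC-01 C:\Users\hr\Downloads\Resume_JDoe.exe C:\Windows\System32\cmd.exe cmd.exe /c systeminfo
2024-05-01T09:00:06 HR-PC-01 C:\Users\hr\Downloads\Resume_JDoe.exe C:\Windows\System32\whoami.exe whoami /all
2024-05-01T09:00:09 HR-PC-01 C:\Users\hr\Downloads\Resume_JDoe.exe C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer,model
2024-05-01T09:00:40 HR-PC-01 C:\Users\hr\Downloads\Resume_JDoe.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c Set-MpPreference -DisableRealtimeMonitoring $true
2024-05-01T10:15:00 FIN-PC-07 C:\Windows\explorer.exe C:\Windows\System32\cmd.exe cmd.exe /c systeminfo
2024-05-01T11:00:00 IT-PC-03 C:\Windows\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c Get-MpPreference
"""

# Hypothetical stage-1 hint: an executable or script named like a resume/CV.
LURE_FILE = re.compile(r"\\(resume|cv)[^\\]*\.(exe|scr|js|vbs|lnk)$", re.I)

# Hypothetical command-line patterns for the later stages named in the summary.
STAGE_PATTERNS = {
    "reconnaissance": [r"\bsysteminfo\b", r"\bwhoami\b", r"\bnet\s+user\b", r"\bipconfig\b"],
    "environment_check": [r"\bwmic\s+(computersystem|bios)\s+get\b", r"\bWin32_(ComputerSystem|BIOS)\b"],
    "defense_evasion": [r"\bSet-MpPreference\b.*-Disable",
                        r"\b(sc|net)(\.exe)?\s+(stop|delete)\s+\S*(sense|defend)"],
}
COMPILED = {s: [re.compile(p, re.I) for p in pats] for s, pats in STAGE_PATTERNS.items()}


def parse_events(text):
    """Split each telemetry line into its five fields; the command line may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmd = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent, "image": image, "cmd": cmd})
    return events


def classify(event):
    """Return the set of campaign stages a single event is evidence for."""
    stages = set()
    # A lure-named file either being launched or spawning children.
    if LURE_FILE.search(event["image"]) or LURE_FILE.search(event["parent"]):
        stages.add("lure_execution")
    for stage, patterns in COMPILED.items():
        if any(p.search(event["cmd"]) for p in patterns):
            stages.add(stage)
    return stages


def triage(text, window=timedelta(minutes=15)):
    """Alert on hosts where two or more distinct stages occur within one window.

    Each stage alone is a weak signal (admins run systeminfo too); the
    combination, especially with defense evasion, is what warrants escalation.
    """
    by_host = defaultdict(list)
    for ev in parse_events(text):
        for stage in classify(ev):
            by_host[ev["host"]].append((ev["ts"], stage))

    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) > len(best):
                best = stages
        if len(best) >= 2:
            severity = "high" if "defense_evasion" in best else "medium"
            alerts[host] = {"stages": sorted(best), "severity": severity}
    return alerts


if __name__ == "__main__":
    for host, alert in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {alert['severity']} - {', '.join(alert['stages'])}")
```

Run as-is, only HR-PC-01 is raised, at high severity, because the lure, reconnaissance, environment-check and defense-evasion stages all land within 38 seconds; FIN-PC-07 shows a lone `systeminfo` and IT-PC-03 only reads the AV configuration, so neither crosses the two-stage threshold. In production the same correlation would be expressed as a SIEM rule keyed on host and parent-process lineage, and the defense-evasion stage should also be fed from the endpoint product's own tamper-protection events rather than from command lines alone.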
