Aryaka Threat Labs identified a sophisticated malware campaign operated by a Russian-speaking threat actor, targeting primarily HR and recruitment personnel. Potential victims are contacted via emails containing links to download seemingly legitimate files disguised as resumes. Once opened, these files initiate a staged infection chain that silently compromises the system.
The malware performs extensive system reconnaissance, collecting information about the operating system, user accounts, and host configuration. It conducts environment checks to detect virtual machines, sandboxes, debuggers, and restricted geographic regions, avoiding execution in monitored or controlled environments. It also employs multiple defense evasion techniques, including disabling or bypassing endpoint security solutions.
A key component of this campaign is BlackSanta, a specialized EDR-killer module designed to neutralize antivirus and EDR protections before additional malicious payloads are deployed. This ensures that subsequent malware components can execute undetected, giving the threat actor complete control over compromised systems.