A Russian-speaking threat actor targeted HR departments for over a year using spear-phishing ISO "resumes" that deploy a sophisticated EDR killer called BlackSanta. BlackSanta weakens and terminates endpoint protections via Defender exclusions, registry changes, notification suppression, DLL sideloading, and kernel-level process termination. #BlackSanta #RogueKiller
Key points
- The actor distributed ISO files masquerading as resumes, likely via spear-phishing and cloud storage links.
- The ISOs contained a .LNK that launched PowerShell, used steganography to extract code from an image, and executed payloads in memory.
- The attackers used DLL sideloading with a legitimate SumatraPDF executable to load a malicious DWrite.dll and deploy further components.
- BlackSanta modifies Defender settings, suppresses notifications, and enumerates and terminates a long hardcoded list of security processes at the kernel level.
- The campaign downloaded signed drivers such as RogueKiller and IObitUnlocker to gain kernel privileges and evade detection, and operated unnoticed for over a year.
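As an added defensive example (not code from the original report or from any vendor), the script below runs simple detection rules over constructed sample events for the four behaviours listed above: a Defender exclusion being added (Defender operational-log event 5007), the Defender Security Center notification-suppression policy value being set (Sysmon event 13), DWrite.dll being loaded from a non-system directory next to SumatraPDF.exe (Sysmon event 7), and a non-Microsoft driver being loaded from outside the system drivers directory (Sysmon event 6). The flattened key=value log format, the sample paths and the driver file name are assumptions and placeholders, not indicators from the report.

```python
import re

# Constructed sample events (not real telemetry). Assumption: a log pipeline
# has flattened Windows Defender operational-log and Sysmon events into one
# key=value line each. The driver file name is a placeholder, not a real IoC.
SAMPLE_EVENTS = [
    'source=Defender id=5007 msg="Configuration changed. New value: '
    'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public = 0x0"',
    'source=Sysmon id=13 Image="C:\\Users\\Public\\Resume\\SumatraPDF.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center'
    '\\Notifications\\DisableNotifications" Details="DWORD (0x00000001)"',
    'source=Sysmon id=7 Image="C:\\Users\\Public\\Resume\\SumatraPDF.exe" '
    'ImageLoaded="C:\\Users\\Public\\Resume\\DWrite.dll" Signed=false',
    'source=Sysmon id=7 Image="C:\\Windows\\explorer.exe" '
    'ImageLoaded="C:\\Windows\\System32\\DWrite.dll" Signed=true',
    'source=Sysmon id=6 ImageLoaded="C:\\Users\\Public\\Resume\\PLACEHOLDER_driver.sys" '
    'Signed=true Signature="Example Vendor"',
    'source=Sysmon id=6 ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" '
    'Signed=true Signature="Microsoft Windows"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse(line):
    """Turn one flattened event line into a dict of its fields."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def in_system_dir(path):
    """True if the file lives under System32 or SysWOW64 (case-insensitive)."""
    return path.lower().startswith(SYSTEM_DIRS)


def classify(ev):
    """Return the name of the first rule the event matches, or None."""
    src, eid = ev.get("source"), ev.get("id")

    # Rule 1: Defender reports a configuration change that touches the
    # Exclusions tree (an attacker-added path/process exclusion).
    if src == "Defender" and eid == "5007" and "\\Exclusions\\" in ev.get("msg", ""):
        return "defender_exclusion_added"

    # Rule 2: the Security Center notification-suppression policy is set to 1
    # (Sysmon RegistryEvent value set).
    if src == "Sysmon" and eid == "13":
        target = ev.get("TargetObject", "")
        if (target.endswith("\\Windows Defender Security Center\\Notifications\\DisableNotifications")
                and "0x00000001" in ev.get("Details", "")):
            return "defender_notifications_suppressed"

    # Rule 3: DWrite.dll loaded from anywhere other than a system directory,
    # the classic sideloading shape (the loading EXE sits beside the DLL).
    if src == "Sysmon" and eid == "7":
        loaded = ev.get("ImageLoaded", "")
        if loaded.lower().endswith("\\dwrite.dll") and not in_system_dir(loaded):
            return "dwrite_sideload"

    # Rule 4: a driver loaded from outside the system directories or signed by
    # someone other than Microsoft; compare against a vulnerable-driver
    # blocklist as a follow-up step.
    if src == "Sysmon" and eid == "6":
        loaded = ev.get("ImageLoaded", "")
        if not in_system_dir(loaded) or "Microsoft" not in ev.get("Signature", ""):
            return "nonstandard_driver_load"

    return None


def scan(lines):
    """Return a list of (rule_name, raw_line) for every line that matches a rule."""
    hits = []
    for line in lines:
        rule = classify(parse(line))
        if rule:
            hits.append((rule, line))
    return hits


if __name__ == "__main__":
    for rule, line in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {line}")
```

Against the constructed sample, four of the six lines fire (one per rule); the legitimate explorer.exe load of the System32 DWrite.dll and the Microsoft-signed tcpip.sys load do not. In practice the driver rule should be followed by a hash lookup against a maintained vulnerable-driver list, and the exclusion rule should be correlated with the process that made the change.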