For more than a year, a Russian-speaking threat actor has run a campaign against human resources departments that combines social engineering with advanced evasion techniques to extract information from compromised machines. The attackers posed as job candidates and used ISO image files containing what appeared to be CVs, hosted on cloud storage services such as Dropbox, with the aim of tricking recruiters into downloading and opening those containers.
The analysis by researchers at Aryaka, a networking and security solutions company, reveals an infection chain designed to go unnoticed. The malicious ISOs examined contained four elements: a Windows shortcut (.LNK) disguised as a PDF, a PowerShell script, an image and an icon (.ICO). Opening the shortcut launched PowerShell to run the script, which in turn extracted data hidden inside the image by means of steganography and executed it only in memory, so that no malicious files were ever visible on disk.

In addition, the script downloaded a ZIP file that included a legitimate version of the SumatraPDF reader together with a malicious DLL (DWrite.dll) designed to be loaded by it through the technique known as DLL sideloading. This technique takes advantage of signed or legitimate executables to load manipulated libraries, which complicates detection by traditional solutions. The code then collected information about the system (fingerprinting) and sent it to a command and control (C2) server, while performing environment checks: if it detected virtual machines, sandboxes or debugging tools, it aborted execution to avoid being exposed.
A central part of the operation is an executable identified as BlackSanta, described by the report's authors as an "EDR killer." Its purpose is to disable or neutralize endpoint protections before more dangerous payloads are deployed. Among its documented actions are the creation of exclusions in Microsoft Defender for specific extensions (e.g. .dls and .sys files) and the modification of Registry keys to reduce telemetry and automatic sample submission to Microsoft's cloud security services. The Aryaka report also points out that BlackSanta can suppress Windows notifications to minimize user-visible alerts, and that its main mechanism is to detect processes related to antivirus, EDR, SIEM and forensic tools and terminate them by calling loaded drivers that operate at kernel level.
The researchers also found additional infrastructure linked to the same actor and established that the campaign had been operating undetected for a year. Analysis of the IP addresses used by the attackers showed downloads of "Bring Your Own Driver" (BYOD) components, including legitimate but abused drivers such as RogueKiller (from Adlice) and the IObit Unlocker anti-rootkit driver. These drivers, originally developed for legitimate purposes, have been used in malicious operations to obtain high privileges and manipulate kernel hooks or remove file and process locks, which gives the attacker low-level access that is very difficult to contain from the compromised system itself.
Running payloads in memory, hiding instructions in images, using DLL sideloading and abusing legitimate drivers together form a compromise chain designed to evade signatures and sandboxes. The result is a stealthy and adaptable operation run by an actor that takes care of its operational security so that its tools, such as BlackSanta, can be deployed and operated without being interrupted by the usual defenses.
For those who manage hiring processes there is a clear lesson: the attackers have turned CVs into effective lures. Opening an ISO or running a file received from an unverified source can trigger an intrusion that first disables the machine's protection and then downloads more harmful components. Organizations should review policies and controls to ensure that mountable or executable files downloaded from external links are not opened without verification, and that driver handling requires elevated approval and auditing.
If you want to go deeper into the technical details, Aryaka's own report offers a technical analysis and behavioral samples observed during the campaign: technical report of Aryaka (PDF). To understand why the use of legitimate drivers is especially dangerous, you can check the pages of the developers of those drivers, such as Adlice for RogueKiller (adlice.com/roguekiller) and IObit for IObit Unlocker (iobit.com/iobit-unlocker), where their legitimate purpose is explained and how their abuse constitutes a privilege escalation vector. To complement the picture of how these techniques have appeared in other campaigns and how defenders can mitigate them, specialized cybersecurity media have highlighted the use of signed drivers by attackers to neutralize EDR, for example BleepingComputer, and Microsoft's official documentation clarifies how exclusions and telemetry work in Defender (Microsoft Defender documentation).

What should the responsible teams do today? Avoid having HR handle ISO or executable files without validation, impose controls on downloading and mounting virtual images, audit changes to the Registry and antivirus exclusions, and restrict the installation of unreviewed drivers. It is also recommended to monitor outgoing traffic to unknown servers, correlate system fingerprinting signals with abnormal behavior (in-memory execution, processes injecting into child processes) and maintain clear communication between HR and security teams so that any suspicious CV is treated as a potential incident.
The campaign that delivers BlackSanta is a reminder that the attack surface evolves beyond "obvious" phishing emails: the attackers combine human deception with complex technical tooling to silence defenses and remain inside networks. Effective protection relies on technical policies (blocking ISO mounting, strict driver control, EDR with protected telemetry) and practical training for those handling CVs so they can recognize risk signals before interacting with potentially dangerous files. For general guidance on how to identify and react to impersonation messages, the guide from the US Cybersecurity and Infrastructure Security Agency (CISA) may be useful: CISA recommendations on phishing.
In short, BlackSanta is not just another piece of malware: it is the product of an operation that mixes targeted social engineering, in-memory execution, auxiliary payloads and abuse of legitimate components to silence defenses. That approach also demands a coordinated response between HR, IT and security to close exposure windows and detect early signals before the attackers manage to remove the protective barriers.
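The audit recommended above (Defender exclusions, telemetry Registry keys, loaded drivers) can be scripted. The following is an added example for defenders, not code from Aryaka's report or from this article; it reads Microsoft's documented Get-MpPreference properties, the Spynet policy key and Defender event 5007, and lists running kernel drivers not signed by Microsoft. The seven-day window and the "suspicious" thresholds are this example's own assumptions.

```powershell
# Added example: read-only audit of the settings BlackSanta is reported to tamper with.
# Run in an elevated PowerShell session on the host under review.

function Get-DefenderTamperIndicators {
    $pref = Get-MpPreference
    $findings = @()

    # Exclusions by extension, path or process are the classic "EDR killer" footprint.
    foreach ($ext in $pref.ExclusionExtension) { $findings += "Extension exclusion: $ext" }
    foreach ($p   in $pref.ExclusionPath)      { $findings += "Path exclusion: $p" }
    foreach ($pr  in $pref.ExclusionProcess)   { $findings += "Process exclusion: $pr" }

    # Cloud (MAPS) reporting 0 = off; sample submission 2 = never send.
    if ($pref.MAPSReporting -eq 0)        { $findings += "Cloud (MAPS) reporting disabled" }
    if ($pref.SubmitSamplesConsent -eq 2) { $findings += "Automatic sample submission disabled" }
    if ($pref.DisableRealtimeMonitoring)  { $findings += "Real-time monitoring disabled" }

    # The same settings can be forced through policy keys in the Registry.
    $spynet = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
    if (Test-Path $spynet) {
        $v = Get-ItemProperty -Path $spynet
        if ($v.SpynetReporting -eq 0)      { $findings += "Policy key forces SpynetReporting=0" }
        if ($v.SubmitSamplesConsent -eq 2) { $findings += "Policy key forces SubmitSamplesConsent=2" }
    }

    # Event 5007 records every Defender configuration change (old and new value),
    # so recent entries show when exclusions or telemetry settings were modified.
    $since = (Get-Date).AddDays(-7)   # assumption: one week look-back
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Config change $($_.TimeCreated): $($_.Message -replace '\s+', ' ')"
    }
    return $findings
}

function Get-NonMicrosoftKernelDrivers {
    # Running kernel drivers not signed by Microsoft are the candidates for BYOD abuse;
    # review each one (vendor, install date, who installed it) rather than assuming malice.
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = ($_.PathName -replace '^\\\?\?\\', '') -replace '^\\SystemRoot', $env:SystemRoot
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned/unknown' }
            if ($signer -notmatch 'Microsoft') {
                [pscustomobject]@{ Name = $_.Name; Path = $path; Signer = $signer; Status = $sig.Status }
            }
        }
}

Get-DefenderTamperIndicators
Get-NonMicrosoftKernelDrivers | Format-Table -AutoSize
```

Any exclusion or telemetry change that nobody on the security team authorized, or a third-party driver that appeared around the same time as a suspicious ISO download, is worth treating as an incident rather than a configuration drift.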