Fake job applications pack malware that kills EDR before stealing data
- Reference: 1773149471
- News link: https://www.theregister.co.uk/2026/03/10/malware_targeting_hr/
The operation, detailed in a [1]threat report from networking and security outfit Aryaka, exploits one of the most mundane workflows within an organization: hiring.
Researchers say the bait arrives as what looks like a perfectly normal job application sitting on a well-known cloud storage service. To the recruiter skimming through a stack of candidates, it appears to be just another CV, but opening it quietly kicks off a series of background actions that knock out security tools and hand the attackers a foothold on the machine.
"An HR professional receives what appears to be a perfectly normal resume," said Aditya K Sood, VP of Security Engineering and AI Strategy at Aryaka. "The candidate profile seems relevant. The hosting link points to a familiar cloud storage service. Nothing feels suspicious. A quick download, a double click, and an ISO file mounts, and the intrusion begins."
The malicious document arrives as an ISO disk image, a file format Windows can mount like a virtual drive. Once mounted, the image contains a shortcut that quietly launches hidden commands in the background. Those commands unpack malware concealed inside an image file – a trick designed to make the payload harder for security tools to spot.
From there, the attack burrows deeper into the system. The malware connects to remote infrastructure controlled by the attackers and begins gathering details about the compromised machine before pulling down additional instructions. Much of the activity runs directly in memory, leaving fewer traces behind for defenders to discover later.
The campaign's most concerning feature is a component dubbed "BlackSanta," which the report describes as an EDR killer – software specifically designed to disable the very tools meant to detect intrusions.
BlackSanta leans on a tactic known as Bring Your Own Vulnerable Driver, loading legitimate but buggy kernel drivers to gain deeper control of the system. Once it has that level of access, the malware can start knocking down defenses – killing antivirus processes, disabling EDR agents, weakening Microsoft Defender, and even muting some logs that might otherwise tip off administrators that something is amiss.
In practical terms, the tool clears the security guards out of the building before the burglars start rifling through the filing cabinets.
Once defenses are disabled, the malware shifts to data collection, hunting for useful information on the infected device. According to the report, the attackers are particularly interested in sensitive files and cryptocurrency-related artifacts. Any valuable data it finds is quietly exfiltrated over encrypted connections.
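One way to turn the chain described above into a detection, as an added example that is not code from Aryaka's report or from The Register: it correlates endpoint events per host so that an ISO mount on its own (which engineers do routinely) is not flagged, but a mount followed within a short window by a hidden-window launch, a kernel driver loaded from a user-writable path and the termination of a Defender process is. The event schema, thresholds, host names and the driver filename are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Stage heuristics mirroring the chain in the article (constructed thresholds, not vendor rules).
HIDDEN_FLAGS = ("-w hidden", "-windowstyle hidden", "/min")
USER_WRITABLE = ("\\temp\\", "\\users\\", "\\programdata\\")
SECURITY_PROCS = {"msmpeng.exe", "mssense.exe"}  # Defender AV engine, Defender for Endpoint sensor
def stage_of(ev):
    # Map one endpoint event to the attack stage it could belong to, or None.
    kind, cmd = ev["kind"], ev.get("cmdline", "").lower()
    if kind == "iso_mount":
        return "iso_mount"
    if kind == "process_create" and ev.get("parent", "").lower() == "explorer.exe" and any(f in cmd for f in HIDDEN_FLAGS):
        return "hidden_launch"  # shortcut inside the image spawning a hidden console
    if kind == "driver_load" and any(p in ev.get("driver", "").lower() for p in USER_WRITABLE):
        return "driver_from_user_path"  # BYOVD cue: kernel driver loaded from a user-writable dir
    if kind == "process_terminate" and ev.get("image", "").lower() in SECURITY_PROCS:
        return "security_process_killed"

def correlate(events, window_minutes=30):
    # {host: [stages]} where an ISO mount is followed inside the window by >= 2 further stages.
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["kind"] != "iso_mount":
                continue
            deadline = datetime.fromisoformat(ev["ts"]) + timedelta(minutes=window_minutes)
            stages = []
            for later in evs[i:]:
                if datetime.fromisoformat(later["ts"]) > deadline:
                    break
                stage = stage_of(later)
                if stage and stage not in stages:
                    stages.append(stage)
            if len(stages) >= 3:  # a lone mount is deliberately not a hit
                hits[host] = stages
    return hits

# Constructed sample telemetry (not a real product schema): an HR host showing the full chain, and an engineer's host where an ISO mount is legitimate and nothing follows it.
SAMPLE_EVENTS = [
    {"host": "hr-laptop-01", "ts": "2026-03-10T09:14:02", "kind": "iso_mount"},
    {"host": "hr-laptop-01", "ts": "2026-03-10T09:14:05", "kind": "process_create",
     "parent": "explorer.exe", "cmdline": "powershell.exe -w hidden -c <omitted>"},
    {"host": "hr-laptop-01", "ts": "2026-03-10T09:14:31", "kind": "driver_load",
     "driver": "C:\\Windows\\Temp\\placeholder-vulnerable.sys"},  # placeholder filename
    {"host": "hr-laptop-01", "ts": "2026-03-10T09:14:40", "kind": "process_terminate", "image": "MsMpEng.exe"},
    {"host": "dev-box-07", "ts": "2026-03-10T10:01:00", "kind": "iso_mount"},
]
```

The staged output (which events matched, in order) is what an analyst would want in the alert, since the individual signals are noisy on their own and only the sequence is specific to this campaign's shape.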
The broader lesson is that recruitment pipelines have become a surprisingly effective entry point for attackers, according to Aryaka. Hiring teams regularly download files from strangers and work under pressure to process large volumes of applications, making them an attractive target compared with more tightly controlled IT environments.
For companies that treat HR inboxes as low-risk territory, this report shows that attackers are increasingly happy to start their break-ins where the guard is least likely to be watching.
"Organizations should treat HR workflows with the same defensive rigor as finance and IT administrative functions," concluded Sood. ®
[1] https://www.aryaka.com/reports-and-guides/blacksanta-edr-killer-threat-report/
Re: do not open random files from strangers
I can't help feeling that an HR person given as the contact for job applications is going to struggle to process the applications/CVs sent in if they refuse to look at them (although the sufficiently cynical would probably like to claim that this would be an improvement :-).
So rather than an impractical and obstructive "do not, ever", it would be better to put that part of their workflow into an easy to use sandbox where they /can/ safely view the file content.
Re: do not open random files from strangers
Why on earth would a job application come as an .iso? PDFs are reasonably safe these days, no?
Re: do not open random files from strangers
A what?
By default, file extensions are hidden. How many users change that OS setting?
This is a Microsoft failure
So we have another autorun exploit paired with another driver exploit?
This failure is on Microsoft.
Security 101 considers user intent.
Re: "Nothing feels suspicious. A quick download, a double click, and an ISO file mounts, and the intrusion begins."
How come needing an ISO mount doesn't feel suspicious? How come are they even allowed for regular users?
Because they're HR.
I once received, from HR in a very large corp., PDFs with about a thousand pages of job applications. All PII visible including DOBs, SS#s, etc. Sent via email, with instructions to email them to Kinko's for printing so that they could be used for a meeting.
'"Organizations should treat HR workflows with the same defensive rigor as finance and IT administrative functions," concluded Sood.'
A what?
By default, file extensions are hidden. The user "just clicked the file" without wondering what the hell .iso meant or why it was unfamiliar.
Sophistication
Cybercrime appears to be undergoing the same “product simplification” trend as everything else. Once upon a time the mythology involved shadowy figures chaining kernel exploits and cracking encryption. Now the cutting edge seems to be sending someone a file and waiting for them to double-click it.
The report reads like a threat briefing about a breakthrough technique, but the entry point is the same one every basic security training covers in the first five minutes: do not open random files from strangers. The attackers are not bypassing the system. They are using the system exactly as designed, just with a very cooperative operator at the keyboard.
What’s interesting is the direction of evolution. The technology keeps getting stronger. Encryption improves, operating systems harden, EDR grows teeth. So the weakest component in the stack becomes increasingly obvious: the human interface.
In other words, hacking has been quietly “dumbed down” by necessity. When breaking the maths and the software gets harder, the optimal strategy is simply to ask a person to run your program for you.
Apparently that remains a highly reliable exploit.