Aryaka Threat Labs disclosed on March 11, 2026 a multi-stage campaign dubbed BlackSanta that has been active for over a year, targeting HR departments and job recruiters with resume-themed ISO files. The campaign uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint detection and response (EDR) tools at the kernel level before deploying its final payload.
Attack Chain
The attack begins with spear-phishing emails containing links to resume-themed ISO files hosted on cloud storage services (Dropbox confirmed). When a victim mounts the ISO, a Windows shortcut (.LNK) file triggers a multi-stage execution chain:
- Steganography extraction — PowerShell extracts hidden commands from an embedded PNG image using Least Significant Bit (LSB) decoding, executing the payload in memory via Invoke-Expression
- DLL sideloading — A legitimate, digitally signed copy of SumatraPDF.exe is used to load a malicious DWrite.dll (named after the legitimate Windows DirectWrite library)
- Reconnaissance — The malicious DLL fingerprints the system, checks for sandboxes and VMs, then downloads the BlackSanta EDR killer module over encrypted HTTPS
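The LSB stage in plain terms, as an added example that is not the loader's code and not from Aryaka's report: the builder writes each payload bit into the lowest bit of successive colour channels, and the decoder reads them back. To run offline without an image library it operates on a list of RGB tuples standing in for a PNG's decoded pixels; the cover pixels and the hidden string are constructed here, and the framing (a 4-byte big-endian length prefix, then the bytes) is an assumption for this example, since the loader's real framing is not given in the write-up. The `max_channel_delta` check shows why the stego image is visually indistinguishable from the original.

```python
"""LSB steganography embed/extract over a raw RGB pixel list.
Added example; the framing (4-byte big-endian length + payload, one bit per
channel, MSB first) is an assumption, not the BlackSanta loader's format."""

import random


def _payload_bits(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(pixels, payload: bytes):
    """Return a copy of `pixels` with `payload` written into the low bit of
    each colour channel (the builder side of the technique)."""
    channels = [c for px in pixels for c in px]
    framed = len(payload).to_bytes(4, "big") + payload
    bits = list(_payload_bits(framed))
    if len(bits) > len(channels):
        raise ValueError("cover too small: %d bits needed, %d available"
                         % (len(bits), len(channels)))
    for i, bit in enumerate(bits):
        channels[i] = (channels[i] & 0xFE) | bit   # clear low bit, set payload bit
    return [tuple(channels[i:i + 3]) for i in range(0, len(channels), 3)]


def lsb_extract(pixels) -> bytes:
    """Recover the framed payload: the decode step a loader would run before
    handing the text to Invoke-Expression."""
    channels = [c for px in pixels for c in px]

    def read(start_bit: int, nbytes: int) -> bytes:
        out = bytearray()
        for b in range(nbytes):
            v = 0
            for k in range(8):
                v = (v << 1) | (channels[start_bit + b * 8 + k] & 1)
            out.append(v)
        return bytes(out)

    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(channels):
        raise ValueError("length prefix exceeds cover capacity; not an LSB payload")
    return read(32, length)


def max_channel_delta(a, b) -> int:
    """Largest per-channel change between two pixel lists.  LSB embedding
    moves each channel by at most 1, which is why the image looks unchanged."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


# Constructed cover: 128 pseudo-random RGB pixels standing in for decoded PNG data.
_rng = random.Random(7)
COVER = [tuple(_rng.randrange(256) for _ in range(3)) for _ in range(128)]
# Constructed, harmless stand-in for the hidden PowerShell stage.
HIDDEN = b"Write-Output 'stage two would run here'"


def demo():
    """Embed HIDDEN into COVER and recover it; returns (payload, max delta)."""
    stego = lsb_embed(COVER, HIDDEN)
    return lsb_extract(stego), max_channel_delta(COVER, stego)


if __name__ == "__main__":
    recovered, delta = demo()
    print(recovered.decode(), "| max channel change:", delta)
```

Because the embedding touches only the low bit, file size and visual appearance give no hint; the detectable behaviour is a PowerShell process reading a PNG and feeding the result to Invoke-Expression, which is where hunting rules should look.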
BYOVD Kernel Exploitation
BlackSanta loads two legitimate-but-vulnerable kernel drivers to terminate security processes:
- truesight.sys (RogueKiller Antirootkit, v3.4.0 and below) — IOCTL code 0x22E044 enables arbitrary process termination via kernel hook manipulation. Pre-2015 signed versions bypass the Microsoft Vulnerable Driver Blocklist.
- IObitUnlocker.sys (v1.1.2) — Associated with CVE-2020-14974 and CVE-2020-14975 (CVSS 8.8). IOCTL code 0x222124 allows file unlocking, deletion, and process termination at SYSTEM level.
Once loaded, BlackSanta enumerates running processes, compares them against a hardcoded list of AV/EDR/SIEM executables, and terminates matches from ring 0. It also adds Microsoft Defender exclusions for .dll and .sys files, disables telemetry via Registry modifications, and suppresses Windows notifications.
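What a detection engineer can do with the behaviours above, as an added example that is not Aryaka's code or any product's rule set: correlate driver loads, Defender exclusion changes and security-process exits across a short event window. The event records are constructed and simplified (on a real host the equivalents are Sysmon Event ID 6 driver loads, Event ID 13 registry value sets and Event ID 5 process terminations). The driver names come from the write-up; the 2015-07-29 cut-off is the date Microsoft's driver-signing policy uses to exempt legacy cross-signed drivers, which is why old signatures on these files deserve a second look; the user-writable path markers and the security-process set are illustrative assumptions.

```python
"""Correlated triage of constructed endpoint events for a BYOVD EDR-killer.
Added example; event shapes, path markers and the process set are assumptions."""

import ntpath
from datetime import date

KNOWN_BYOVD_DRIVERS = {"truesight.sys", "iobitunlocker.sys"}     # from the write-up
LEGACY_SIGNING_CUTOFF = date(2015, 7, 29)                        # Microsoft legacy-signing exemption date
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")  # assumption
DEFENDER_EXCLUSIONS_KEY = r"hklm\software\microsoft\windows defender\exclusions\extensions"
TELEMETRY_POLICY_KEY = r"hklm\software\policies\microsoft\windows\datacollection"
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe"}               # illustrative subset

# Constructed sample telemetry, in arrival order.
SAMPLE_EVENTS = [
    {"type": "driver_load", "image": r"C:\Users\hr\AppData\Local\Temp\truesight.sys",
     "sign_date": "2014-09-12"},
    {"type": "driver_load", "image": r"C:\Windows\System32\drivers\tcpip.sys",
     "sign_date": "2023-11-02"},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions",
     "value": ".sys", "data": 0},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection",
     "value": "AllowTelemetry", "data": 0},
    {"type": "process_exit", "image": "MsMpEng.exe"},
]


def triage(events):
    """Return (event_index, severity, reason) findings.  A security-process
    exit is escalated only if a known BYOVD driver loaded earlier in the window,
    because the kill itself is issued from the kernel and leaves no caller."""
    findings = []
    byovd_loaded = False
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "driver_load":
            path = ev["image"].lower()
            name = ntpath.basename(path)
            if name in KNOWN_BYOVD_DRIVERS:      # name match is weak: prefer hash/block-rule matching
                findings.append((i, "high", f"known BYOVD driver loaded: {name}"))
                byovd_loaded = True
            if any(m in path for m in USER_WRITABLE_MARKERS):
                findings.append((i, "medium", f"driver loaded from user-writable path: {path}"))
            sign_date = ev.get("sign_date")
            if sign_date and date.fromisoformat(sign_date) < LEGACY_SIGNING_CUTOFF:
                findings.append((i, "medium", f"legacy-signed driver (signed {sign_date}): {name}"))
        elif kind == "registry_set":
            key = ev["key"].lower()
            value = str(ev["value"]).lower()
            if key.startswith(DEFENDER_EXCLUSIONS_KEY) and value in (".dll", ".sys"):
                findings.append((i, "high", f"Defender extension exclusion added: {value}"))
            elif key == TELEMETRY_POLICY_KEY and value == "allowtelemetry" and ev.get("data") == 0:
                findings.append((i, "low", "telemetry disabled by policy"))
        elif kind == "process_exit":
            if ev["image"].lower() in SECURITY_PROCESSES:
                if byovd_loaded:
                    findings.append((i, "high", f"security process exited after BYOVD driver load: {ev['image']}"))
                else:
                    findings.append((i, "medium", f"security process exited: {ev['image']}"))
    return findings


if __name__ == "__main__":
    for idx, sev, reason in triage(SAMPLE_EVENTS):
        print(f"[{sev:6}] event {idx}: {reason}")
```

The ordering matters: a lone Defender process exit is noise (updates restart it), but the same exit minutes after truesight.sys loaded from a Temp directory is the pattern this campaign produces. Matching drivers by hash against the Microsoft recommended driver block rules rather than by file name removes the attacker's ability to rename the file.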
Implications for European Organisations
The campaign specifically exploits HR workflows where opening candidate documents is routine and expected. Organisations subject to NIS2 should review kernel driver loading policies, confirm that the Microsoft Vulnerable Driver Blocklist is actually enforced on endpoints (it is applied through HVCI/memory integrity, Smart App Control or a WDAC policy, and both drivers carry valid signatures, so a signature check alone does not stop them), implement ELAM (Early Launch Antimalware) protections, and consider restricting ISO file mounting from external sources.