HR departments are being targeted with fake resumes that disable security protection


A threat campaign against human resource (HR) departments has recently been launched. What looks like an ordinary resume is in fact malware that disables security defenses, including antivirus programs and Endpoint Detection and Response (EDR) tools.


“An HR professional receives what appears to be a perfectly normal resume. The candidate profile seems relevant. The hosting link points to a familiar cloud storage service. Nothing feels suspicious. A quick download, a double click, and an ISO file mounts, and the intrusion begins,” cybersecurity firm Aryaka writes in a recently published report.


The report details an active threat campaign against recruiters. Initial access is gained by sending a resume-themed ISO file hosted on a trusted cloud platform. When the victim opens the contents of the mounted image, a malicious LNK shortcut is executed, triggering the next phase without immediately raising suspicion.

During the second stage, the shortcut launches obfuscated PowerShell commands to extract hidden payloads that are embedded within a steganographic image. A malicious DLL is then sideloaded using a legitimate signed application, allowing the attacker’s code to secretly run under the guise of trusted software.
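The first two stages described above leave a recognisable trail in endpoint telemetry. The following is an added detection example (not Aryaka's code) that correlates constructed Sysmon-style events for that chain: a PowerShell process launched by explorer.exe with obfuscation flags, a working directory on a volume that was mounted from a downloaded ISO, and a DLL loaded from the same user-writable folder as its host binary. Event field names, paths and process names are assumptions.

```python
"""Flag the resume-ISO chain (ISO mount -> LNK-launched obfuscated PowerShell
-> DLL sideloaded from a user-writable folder) over constructed events."""
import re
from collections import defaultdict

OBFUSCATED = re.compile(r"-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b|frombase64string|-ep\s+bypass", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)

# Constructed telemetry: one ISO mount, process creates (Sysmon 1-like) and
# one image load (Sysmon 7-like). All paths, names and values are invented.
EVENTS = [
    {"type": "mount", "drive": "E:", "iso": r"C:\Users\hr\Downloads\Resume_JDoe.iso"},
    {"type": "proc", "pid": 500, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "cwd": r"C:\Users\hr"},
    {"type": "proc", "pid": 501, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktM", "cwd": "E:\\"},
    {"type": "proc", "pid": 502, "ppid": 501, "image": r"C:\Users\hr\AppData\Local\Temp\upd\signedhost.exe",
     "cmdline": "signedhost.exe", "cwd": r"C:\Users\hr\AppData\Local\Temp\upd"},
    {"type": "load", "pid": 502, "module": r"C:\Users\hr\AppData\Local\Temp\upd\helper.dll"},
    {"type": "proc", "pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date", "cwd": r"C:\Users\hr"},  # benign use, must not alert
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return {pid: [indicators]} for processes that tie into the chain."""
    iso_drives = {e["drive"].upper() for e in events if e["type"] == "mount"}
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    hits = defaultdict(list)
    for p in procs.values():
        parent = procs.get(p["ppid"], {})
        if (basename(p["image"]) == "powershell.exe"
                and basename(parent.get("image", "")) == "explorer.exe"
                and OBFUSCATED.search(p["cmdline"])):
            hits[p["pid"]].append("explorer-launched obfuscated PowerShell")
            if p["cwd"][:2].upper() in iso_drives:  # shortcut ran from the mounted ISO
                hits[p["pid"]].append("working directory is an ISO-mounted volume")
    for e in events:
        if e["type"] != "load" or e["pid"] not in procs:
            continue
        host = procs[e["pid"]]
        same_dir = e["module"].rsplit("\\", 1)[0].lower() == host["image"].rsplit("\\", 1)[0].lower()
        if same_dir and USER_WRITABLE.search(e["module"]):
            hits[e["pid"]].append("DLL loaded beside host binary in user-writable path (sideload)")
            if host["ppid"] in hits:  # sideload host was spawned by the flagged shell
                hits[e["pid"]].append("child of flagged PowerShell stage")
    return dict(hits)

if __name__ == "__main__":
    for pid, why in detect(EVENTS).items():
        print(pid, "->", "; ".join(why))
```

In production the same logic would run over real Sysmon or EDR process-create and image-load events; the benign PowerShell process (pid 600) shows that the explorer parent alone is not enough to alert.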


The attacker then dives deeper into the target’s system. The malware connects to a command-and-control (C2) server and sends confidential information that’s stored on the compromised computer.

What makes the campaign especially concerning is a module called BlackSanta, a dedicated Bring-Your-Own-Vulnerable-Driver (BYOVD) component that disables the security controls protecting a company’s data at the kernel level, clearing the path for credential harvesting, system reconnaissance, and eventual data exfiltration with minimal resistance.

When the target’s defenses are down, the malware begins collecting any valuable data it can find. According to Aryaka, hackers are particularly interested in sensitive files and cryptocurrency-related artifacts.


“It is not opportunistic malware. It is operationally disciplined intrusion engineering. This operation reflects a mature adversary capable of blending social engineering, living-off-the-land techniques, steganography, and kernel-level abuse to achieve stealthy persistence and credential theft,” the cybersecurity firm says.


According to Aditya Sood, vice president of security engineering and AI strategy at Aryaka, recruitment departments are considered high-value attack surfaces nowadays. “Organizations should treat HR workflows with the same defensive rigor as finance and IT administrative functions,” he recommends.
