
BlackSanta

BlackSanta is a specialized malware module and campaign component described as an EDR killer, operated by a Russian-speaking threat actor and primarily targeting human resources and recruitment personnel. The campaign has reportedly been active for a year or more and uses recruitment-themed social engineering: resume-themed ISO files hosted on trusted cloud services and delivered via spear-phishing or recruitment channels.

The observed infection chain begins when a victim mounts a malicious ISO and opens a disguised LNK file posing as a PDF. The LNK launches obfuscated PowerShell, which extracts hidden payloads from a steganographic image and executes them in memory. The malware then downloads a ZIP archive containing a legitimate SumatraPDF executable and a malicious DWrite.dll, using DLL sideloading for execution. It performs host fingerprinting, collects system information, communicates with command-and-control infrastructure over HTTPS, retrieves cryptographic material to decrypt strings and instructions at runtime, and conducts anti-analysis checks for sandboxes, virtual machines, debuggers, analysis tools, locale, hostname and username patterns, and other environmental indicators. Additional payloads are executed via process hollowing and fileless techniques.

BlackSanta’s core role is defense neutralization. It is described as a BYOVD-based EDR killer that loads legitimate but vulnerable signed kernel drivers, including RogueKiller Antirootkit/truesight.sys v3.1.0 and IObitUnlocker.sys v1.2.0.1, to gain kernel-level access. Using these drivers, BlackSanta enumerates running processes against a hardcoded list of antivirus, EDR, SIEM, and forensic tools, then unlocks and terminates matching security processes at the kernel level. Reported actions include terminating antivirus processes, shutting down EDR agents, weakening Microsoft Defender protections, adding Defender exclusions for .dls and .sys files, modifying registry settings to reduce telemetry and automatic sample submission, suppressing Windows notifications, and suppressing system logging and visibility in security consoles.

Once defenses are weakened, the broader malware chain enables credential harvesting, system reconnaissance, theft of sensitive files and cryptocurrency-related artifacts, and eventual data exfiltration over encrypted channels. Researchers characterized the operation as a mature, multi-stage intrusion combining social engineering, living-off-the-land techniques, steganography, runtime decryption, DLL sideloading, process hollowing, and kernel-level abuse. Aryaka researchers reported the malware in live campaigns but stated they could not retrieve the final payload in at least one case because the C2 server was unavailable. No specific victim organizations were identified in the provided content.
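The infection chain and the defense-neutralization stage described in the paragraphs above, rendered as defender-side hunting logic: this is an added example, not code from this page, from Aryaka, or from Mallory. It runs four rules over constructed Sysmon-style events (field names follow Sysmon's schema): PowerShell spawned from Explorer with a hidden-window or encoded command line (the LNK stage), SumatraPDF loading DWrite.dll from a non-system directory (the sideload), a load of truesight.sys or IObitUnlocker.sys (the BYOVD drivers named above), and registry writes that add a .dls/.sys Defender exclusion or change Defender's cloud telemetry and sample-submission values. The registry paths for the exclusion and Spynet values are standard Defender locations assumed here rather than taken from the report, and the Finding type, rule names, host names and sample events are constructed for the example.

```python
"""Hunting rules for a BlackSanta-style chain over constructed Sysmon-like events."""
from dataclasses import dataclass
import ntpath

# Vulnerable signed drivers named in the BlackSanta reporting (BYOVD stage).
VULNERABLE_DRIVERS = {"truesight.sys", "iobitunlocker.sys"}
# Defender exclusion extensions the reporting says BlackSanta adds.
SUSPICIOUS_EXCLUSIONS = {".dls", ".sys"}
# Assumed registry layout (standard Defender locations, not taken from the report):
# per-extension exclusions are value names under EXCLUSION_KEY, and the Spynet
# values below govern cloud telemetry and automatic sample submission.
EXCLUSION_KEY = r"hklm\software\microsoft\windows defender\exclusions\extensions"
TELEMETRY_VALUES = {"spynetreporting", "submitsamplesconsent"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# PowerShell switches typical of a LNK-launched, obfuscated stage-one loader.
PS_HIDDEN_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")


@dataclass(frozen=True)
class Finding:  # hypothetical result type for this example
    rule: str
    host: str
    detail: str


def _base(path):
    return ntpath.basename(path).lower()


def check_lnk_powershell(ev):
    # Sysmon 1 (ProcessCreate): PowerShell spawned by Explorer (the double-clicked
    # LNK) with a hidden-window or encoded command line.
    if ev["EventID"] != 1 or _base(ev["Image"]) != "powershell.exe":
        return None
    if _base(ev["ParentImage"]) != "explorer.exe":
        return None
    cmd = ev["CommandLine"].lower()
    if any(flag in cmd for flag in PS_HIDDEN_FLAGS):
        return Finding("lnk_obfuscated_powershell", ev["Host"], ev["CommandLine"])
    return None


def check_sideload(ev):
    # Sysmon 7 (ImageLoad): SumatraPDF loading DWrite.dll from outside the
    # Windows system directories, the sideload the report describes.
    if ev["EventID"] != 7 or _base(ev["Image"]) != "sumatrapdf.exe":
        return None
    loaded = ev["ImageLoaded"].lower()
    if _base(loaded) == "dwrite.dll" and not loaded.startswith(SYSTEM_DIRS):
        return Finding("dll_sideload_dwrite", ev["Host"], ev["ImageLoaded"])
    return None


def check_driver_load(ev):
    # Sysmon 6 (DriverLoad): one of the known-vulnerable drivers is loaded.
    if ev["EventID"] == 6 and _base(ev["ImageLoaded"]) in VULNERABLE_DRIVERS:
        return Finding("byovd_vulnerable_driver", ev["Host"], ev["ImageLoaded"])
    return None


def check_defender_tamper(ev):
    # Sysmon 13 (RegistryValueSet): .dls/.sys exclusion added, or telemetry /
    # sample-submission values changed under a Defender key.
    if ev["EventID"] != 13:
        return None
    key, _, value_name = ev["TargetObject"].lower().rpartition("\\")
    if key == EXCLUSION_KEY and value_name in SUSPICIOUS_EXCLUSIONS:
        return Finding("defender_exclusion_added", ev["Host"], value_name)
    if "windows defender" in key and value_name in TELEMETRY_VALUES:
        return Finding("defender_telemetry_reduced", ev["Host"],
                       f"{value_name}={ev['Details']}")
    return None


RULES = (check_lnk_powershell, check_sideload, check_driver_load, check_defender_tamper)


def hunt(events):
    """Run every rule over every event; return findings in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


def stages_seen(findings, host):
    """Distinct chain stages observed on one host (sorted rule names)."""
    return sorted({f.rule for f in findings if f.host == host})


# Constructed sample events (not captured telemetry); field names follow Sysmon.
# The encoded command is a constructed placeholder, not a real payload.
T = r"C:\Users\jdoe\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "hr-ws-01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -w hidden -enc UGxhY2Vob2xkZXI="},
    {"EventID": 7, "Host": "hr-ws-01", "Image": T + r"\SumatraPDF.exe", "ImageLoaded": T + r"\DWrite.dll"},
    {"EventID": 7, "Host": "fin-ws-07", "Image": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "ImageLoaded": r"C:\Windows\System32\DWrite.dll"},  # benign: system copy of DWrite.dll
    {"EventID": 6, "Host": "hr-ws-01", "ImageLoaded": T + r"\truesight.sys"},
    {"EventID": 6, "Host": "fin-ws-07", "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys"},  # benign
    {"EventID": 13, "Host": "hr-ws-01", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.sys"},
    {"EventID": 13, "Host": "hr-ws-01", "Details": "DWORD (0x00000002)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The sample deliberately includes benign events (the system copy of DWrite.dll loaded by a normally installed SumatraPDF, a stock ndis.sys driver load) so the rules can be seen staying quiet on them. Because both drivers belong to real products, a driver-load hit should be checked against software inventory before escalation; the strongest signal is several of these rules firing on the same host in the order the chain describes, which is what stages_seen surfaces.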


MITRE ATT&CK

Techniques & procedures

27 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566.001 Spearphishing Attachment (Evidence: 4)

Stage 1 – Initial Access: The attack begins with a resume-themed ISO file delivered through recruitment channels and hosted on trusted cloud infrastructure.

Execution

4 techniques

T1059.001 PowerShell (Evidence: 3)

The shortcut launches obfuscated PowerShell commands that extract hidden payloads embedded within a steganographic image.

T1204 User Execution (Evidence: 1)

“…when someone opens the file, it executes a malicious shortcut (LNK), triggering the next phase…”

T1204.001 Malicious Link (Evidence: 1)

When the victim mounts the ISO and opens its contents, a malicious shortcut (LNK) is executed, triggering the next phase without raising immediate suspicion.

T1204.002 Malicious File (Evidence: 2)

A quick download, a double click, and an ISO file mounts, and the intrusion begins.

Persistence

1 technique

T1112 Modify Registry (Evidence: 1)

...modifies a Registry value to reduce telemetry and automatic sample submission to Microsoft security cloud endpoints.

Privilege Escalation

2 techniques

T1055.012 Process Hollowing (Evidence: 2)

...additional payloads delivered through process hollowing and fileless techniques to minimize forensic artifacts.

T1068 Exploitation for Privilege Escalation (Evidence: 3)

BlackSanta deploys a Bring-Your-Own Vulnerable Driver (BYOVD) technique. First, it loads legitimate but exploitable kernel drivers, gaining low-level system access.

Stealth

9 techniques

T1027 Obfuscated Files or Information (Evidence: 2)

“The shortcut launches obfuscated PowerShell commands…”

T1027.003 Steganography (Evidence: 3)

The shortcut launches obfuscated PowerShell commands that extract hidden payloads embedded within a steganographic image.

T1055.012 Process Hollowing (Evidence: 2)

...additional payloads delivered through process hollowing and fileless techniques to minimize forensic artifacts.

T1070 Indicator Removal (Evidence: 1)

Suppresses system logging. Removes visibility from security consoles.

T1070.004 File Deletion (Evidence: 1)

Aryaka's Aditya K Sood has uncovered BlackSanta, a new EDR killer that's being used in live malware campaigns.

T1140 Deobfuscate/Decode Files or Information (Evidence: 2)

It transmits detailed system-fingerprinting data to the attacker’s infrastructure and retrieves cryptographic material needed to decrypt embedded strings and instructions at runtime. Commands are dynamically decrypted and executed in memory.

T1497 Virtualization/Sandbox Evasion (Evidence: 3)

It inspects hostnames and username patterns, verifies system locale settings, and scans for virtualization artifacts commonly associated with sandboxes.

T1620 Reflective Code Loading (Evidence: 2)

...extracts data hidden in the image file using steganography and executes it in system memory.

T1622 Debugger Evasion (Evidence: 1)

It also checks for debugging tools and security monitoring processes.

Defense Impairment

1 technique

T1112 Modify Registry (Evidence: 1)

...modifies a Registry value to reduce telemetry and automatic sample submission to Microsoft security cloud endpoints.

Credential Access

1 technique

T1003 OS Credential Dumping (Evidence: 1)

...it clears the runway before exfiltration... to achieve stealthy persistence and credential theft.

Discovery

6 techniques

T1012 Query Registry (Evidence: 1)

“the HypervisorEnforcedCodeIntegrity registry value is queried to determine whether Memory Integrity is enabled…”

T1057 Process Discovery (Evidence: 1)

The core function of BlackSanta is to terminate security processes, which it does by enumerating running processes and comparing the names against a large hardcoded list.

T1082 System Information Discovery (Evidence: 4)

It transmits detailed system-fingerprinting data to the attacker’s infrastructure.

T1087 Account Discovery (Evidence: 1)

"collect sensitive information about... user accounts"

T1497 Virtualization/Sandbox Evasion (Evidence: 3)

It inspects hostnames and username patterns, verifies system locale settings, and scans for virtualization artifacts commonly associated with sandboxes.

T1622 Debugger Evasion (Evidence: 1)

It also checks for debugging tools and security monitoring processes.

Command and Control

1 technique

T1071.001 Web Protocols (Evidence: 2)

Once the system passes validation, the malware establishes encrypted HTTPS-based command-and-control communication.

Exfiltration

1 technique

T1041 Exfiltration Over C2 Channel (Evidence: 1)

“…exfiltrate sensitive data… while maintaining HTTPS communication with its command-and-control (C2) server…”

Other

4 techniques

T1562.001 Disable or Modify Tools (Evidence: 3)

...terminate security processes... retrieving the matching process IDs using the loaded drivers to unlock and terminate those processes at the kernel level | It also modifies Windows Defender settings to weaken security... BlackSanta adds Microsoft Defender exclusions... and modifies a Registry value to reduce telemetry and automatic sample submission

T1562 Impair Defenses (Evidence: 2)

BlackSanta, a dedicated BYOVD-based component, disables antivirus and EDR protections at the kernel level.

T1562.002 Disable Windows Event Logging (Evidence: 1)

“…suppressing system logging…”

T1562.006 Indicator Blocking (Evidence: 1)

BlackSanta can also suppress Windows notifications to minimize or completely silence user alerts.

INDICATORS OF COMPROMISE

IOCs tracked for this family

19 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
8 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
10 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.

Type        Value                  Latest sighting
domain      (redacted in preview)  3 months ago
domain      (redacted in preview)  3 months ago
domain      (redacted in preview)  3 months ago
domain      (redacted in preview)  3 months ago
hash.md5    (redacted in preview)  3 months ago
hash.md5    (redacted in preview)  3 months ago
ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (19)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (27)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.