A Russian-speaking criminal operation has spent at least a year quietly compromising corporate HR teams through a method so simple it borders on elegant. The attacks begin with what looks like a perfectly normal job application sitting on a familiar cloud storage service. When a recruiter downloads and opens the file, a chain reaction begins that gradually strips away the company's security defences.
According to research from security firm Aryaka, a cybercriminal is targeting corporate HR teams with fake CVs that quietly install malware which can disable security tools before stealing data from infected machines, exploiting one of the most mundane workflows within an organization: hiring.
The multi-layered intrusion model blends social engineering, living-off-the-land execution, steganographic concealment, kernel-level exploitation, and encrypted command-and-control coordination. It begins in one of the most trusted workflows inside any organization: hiring. An HR professional receives what appears to be a perfectly normal resume. The candidate profile seems relevant. The hosting link points to a familiar cloud storage service. Nothing feels suspicious. A quick download and a double click later, an ISO file mounts and the intrusion begins.
Once opened, the ISO disk image contains a Windows shortcut that quietly launches a series of hidden commands. Those commands unpack malware concealed inside an image file, a trick designed to evade security detection. The malware then connects to infrastructure controlled by the attackers and begins profiling the infected machine before pulling down further instructions. Most of the activity runs directly in memory, leaving fewer forensic traces behind.
The campaign's most concerning element is a component called BlackSanta. BlackSanta loads vulnerable kernel-mode drivers like RogueKiller Antirootkit and IObitUnlocker, allowing it to access and tamper with system memory and processes. Rather than functioning as a simple auxiliary payload, BlackSanta acts as a dedicated defence-neutralisation module that programmatically identifies and interferes with protection and monitoring processes prior to the deployment of follow-on stages. By targeting endpoint security engines alongside telemetry and logging agents, it directly reduces alert generation, limits behavioural logging, and weakens investigative visibility on compromised hosts.
Once it has that level of access, the malware can start knocking down defences: killing antivirus processes, disabling EDR agents, weakening Microsoft Defender, and even muting some logs that might otherwise tip off administrators that something is amiss. In practical terms, the tool clears security guards out of the building before the burglars start rifling through filing cabinets.
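As an added illustration, not code from the Aryaka research or this article, the following correlates the two stages described above over constructed Sysmon-style log lines: a shell launched from a .lnk on a non-system drive letter (where a mounted ISO lands) followed by a load of one of the named vulnerable drivers on the same host. The key=value log format, host names and .sys file names are assumptions made for the sample.

```python
import re
# Drivers the article names as abused via BYOVD. The .sys file names are an
# assumption made for the constructed sample, not data from the article.
VULN_DRIVERS = {"truesight.sys": "RogueKiller Antirootkit",
                "iobitunlocker.sys": "IObitUnlocker"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
NON_C_DRIVE = re.compile(r"\b[D-Z]:\\", re.I)  # a mounted ISO gets its own letter

# Constructed Sysmon-style lines (id 1 = process create, id 6 = driver load).
SAMPLE_LOG = r"""
host=hr-ws01 id=1 image=C:\Windows\System32\cmd.exe parent=C:\Windows\explorer.exe cmdline="cmd.exe /c start E:\Resume_JDoe.lnk"
host=hr-ws01 id=6 image=C:\Users\hr\AppData\Local\Temp\truesight.sys signed=true
host=fin-ws02 id=1 image=C:\Office\WINWORD.EXE parent=C:\Windows\explorer.exe cmdline="WINWORD.EXE D:\budget.docx"
host=fin-ws02 id=6 image=C:\Windows\System32\drivers\iobitunlocker.sys signed=true
"""

def parse(line):  # one key=value line -> dict, quotes stripped
    return {k: v.strip('"') for k, v in KV.findall(line)}
def basename(path):
    return path.rsplit("\\", 1)[-1].lower()
def stage_of(ev):
    """Map one event to a stage of the chain described in the article, or None."""
    if ev.get("id") == "1":
        cmd = ev.get("cmdline", "")
        if (basename(ev.get("image", "")) in INTERPRETERS
                and basename(ev.get("parent", "")) == "explorer.exe"
                and NON_C_DRIVE.search(cmd) and ".lnk" in cmd.lower()):
            return "lnk_from_mounted_image"
    elif ev.get("id") == "6":
        product = VULN_DRIVERS.get(basename(ev.get("image", "")))
        if product:
            return "vulnerable_driver:" + product
    return None

def correlate(log):
    """Return {host: [stages observed]} for hosts with at least one stage."""
    seen = {}
    for line in log.splitlines():
        ev = parse(line)
        stage = stage_of(ev)
        if stage:
            seen.setdefault(ev["host"], []).append(stage)
    return seen

def flagged_hosts(log):
    """Hosts showing both the LNK launch and a vulnerable-driver load."""
    return sorted(h for h, stages in correlate(log).items()
                  if "lnk_from_mounted_image" in stages
                  and any(s.startswith("vulnerable_driver:") for s in stages))
```

A driver load alone (fin-ws02) is worth a look but is not flagged by itself; the pairing with the mounted-image launch is what singles out the chain this article describes.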
Available artefacts indicate that the activity has likely been running silently for over a year, which may suggest a targeted and low-noise operation. The timeline raises uncomfortable questions about how many organisations have been compromised without knowing.
Why recruitment? Threat actors increasingly target recruitment workflows because they exploit predictable human behaviour. Recruitment teams routinely open external attachments, download resumes from unfamiliar sources, and operate under significant time pressure to process large volumes of applicants. Unlike core IT teams, HR environments may not always be subject to the same level of hardened security controls. Yet they often handle sensitive personally identifiable information (PII) and may have access to internal enterprise systems.
HR departments sit at a peculiar intersection in corporate security. They handle critical information including personal identification numbers, financial records, medical data, and performance management records, making them attractive targets for cybercriminals. The centralisation of sensitive data creates a single point of failure where one compromised system can expose thousands of employee records.
The implications extend beyond this one campaign. Since 2022, EDR suppression tools have increased in sophistication, with malware designed to disable EDR agents on infected machines becoming more common. Multiple major ransomware groups now weaponise these capabilities. While EDR platforms often block attempted ransomware attacks, threat actors wielding vulnerable drivers can simply target specific security products and turn them off, much as a burglar would disable a home security system before entering.
There are no quick fixes here. Security researchers conclude that organisations should treat HR workflows with the same defensive rigour as finance and IT administrative functions. This means sandboxing file downloads, restricting what HR can install, enforcing multi-factor authentication on all systems, and treating the HR inbox with the same caution applied to other high-value targets. It means training that goes beyond awareness posters and extends to real-world scenarios with actual consequences.
The broader lesson cuts deeper than one attack campaign. HR remains a genuine vulnerability in corporate security not because the people who work there are careless, but because recruitment is inherently a process that asks trusted employees to interact with unknown external sources. The main problem is that implementation of effective countermeasures remains problematic. Personnel are being trained to acknowledge threats, but not how or with what to counter them. Additionally, existing awareness campaigns rarely reflect department-specific attack vectors or scenarios. Instead, they always rely on generic examples that do not align with operational realities and specific threats.
Until organisations recognise that recruitment workflows require the same security architecture as finance operations, HR departments will remain an open door.