Overview
- Researchers say HR staff are lured into downloading resume-themed ISO files hosted on cloud services; once opened, the ISO mounts as a drive and launches hidden scripts.
- The chain uses a .LNK-disguised PDF, PowerShell with steganography, SumatraPDF DLL sideloading, and process hollowing to run payloads in memory.
- BlackSanta enumerates security tools, kills them at the kernel level via vulnerable drivers such as RogueKiller Antirootkit and IObitUnlocker.sys, and suppresses Microsoft Defender telemetry and alerts.
- The malware fingerprints hosts, evades sandboxes and debuggers, disables cloud protections, and aborts when the host is located in Russia or a CIS country.
- Aryaka could not retrieve the final payload due to an unavailable C2 and lacks telemetry on prevalence, though artifacts indicate more than a year of activity with interest in sensitive files and cryptocurrency artifacts.
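The chain above gives a defender three observable stages: a hidden PowerShell launch from Explorer that references a freshly mounted drive, an unsigned DLL loaded into SumatraPDF from a user-writable directory, and a load of a known-abusable driver such as IObitUnlocker.sys. The correlation rule below is an added example, not code from the Aryaka report or from any detection product; it works on a constructed Sysmon-like event shape (process create, image load, driver load), and the sample events, file paths, timestamps and the DLL name `sideloaded_example.dll` are all constructed placeholders. The "non-system drive letter means mounted media" heuristic is an assumption about the endpoint layout.

```python
"""
Added example (not from the Aryaka report): correlate three stages of the
BlackSanta-style chain in Sysmon-like endpoint events. Event fields and all
sample events below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Driver the report names as abused to kill security tools from the kernel.
SUSPECT_DRIVERS = {"iobitunlocker.sys"}
# Application the report names as the DLL-sideloading host.
SIDELOAD_HOSTS = {"sumatrapdf.exe"}
# Directories where a signed application would normally find its DLLs.
TRUSTED_DLL_DIRS = ("c:\\windows", "c:\\program files")


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed values)
    kind: str          # "proc" (EID 1), "image" (EID 7), "driver" (EID 6)
    image: str         # process image (proc) or loaded module / driver path
    parent: str = ""   # parent image for "proc"; host process for "image"
    cmdline: str = ""
    signed: bool = True


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _drive(token: str) -> str:
    """Drive letter of a token like 'E:\\resume\\x.ps1', or '' if none."""
    t = token.lower()
    return t[0] if len(t) > 1 and t[1] == ":" else ""


def _references_non_system_drive(text: str, system_drive: str = "c") -> bool:
    # Assumption: a mounted ISO shows up as a new drive letter, so a command
    # line citing any path outside the system drive is treated as mounted media.
    tokens = text.replace('"', " ").split()
    return any(_drive(t) and _drive(t) != system_drive for t in tokens)


def evaluate(events: List[Event]) -> Tuple[int, List[str]]:
    """Score one host's events against the chain; returns (score, findings).

    Each stage observed adds one point, so a fully observed chain scores 3.
    """
    findings: List[str] = []
    for e in sorted(events, key=lambda x: x.ts):
        name = _base(e.image)
        if e.kind == "proc" and name in ("powershell.exe", "pwsh.exe"):
            # Stage 1: LNK lure on the mounted ISO -> Explorer spawns PowerShell
            if _base(e.parent) == "explorer.exe" and _references_non_system_drive(e.cmdline):
                findings.append(f"{e.ts}: PowerShell from Explorer referencing mounted-media path")
        elif e.kind == "image" and _base(e.parent) in SIDELOAD_HOSTS:
            # Stage 2: SumatraPDF loading an unsigned DLL from a user-writable path
            if name.endswith(".dll") and not e.signed \
                    and not e.image.lower().startswith(TRUSTED_DLL_DIRS):
                findings.append(f"{e.ts}: {_base(e.parent)} loaded unsigned DLL {e.image}")
        elif e.kind == "driver" and name in SUSPECT_DRIVERS:
            # Stage 3: abusable driver brought along to kill security tools
            findings.append(f"{e.ts}: known-abusable driver loaded: {name}")
    return len(findings), findings


# Constructed sample: one host showing all three stages plus benign noise.
SAMPLE_EVENTS = [
    Event(100, "proc", r"C:\Windows\explorer.exe", parent=r"C:\Windows\System32\userinit.exe"),
    Event(101, "proc", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline=r"powershell.exe -w hidden -ep bypass -f E:\resume\loader.ps1"),
    Event(105, "image", r"C:\Users\hr\AppData\Local\Temp\pdf\sideloaded_example.dll",
          parent=r"C:\Users\hr\AppData\Local\Temp\pdf\SumatraPDF.exe", signed=False),
    Event(110, "driver", r"C:\Windows\Temp\IObitUnlocker.sys"),
    Event(120, "proc", r"C:\Program Files\Adobe\Acrobat.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r'"C:\Program Files\Adobe\Acrobat.exe" C:\Users\hr\Desktop\policy.pdf'),
]

# Constructed benign sample: an admin running a script from the system drive.
BENIGN_EVENTS = [
    Event(200, "proc", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline=r"powershell.exe -f C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    score, hits = evaluate(SAMPLE_EVENTS)
    print(f"score={score}")
    for h in hits:
        print(" ", h)
```

Each stage alone is noisy (admins launch PowerShell from Explorer; some legitimate software ships unsigned DLLs), so the value is in the combination on one host inside a short window; the driver-load stage is the strongest single signal and is worth alerting on by itself.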