Overview
- The intrusion begins with resume-themed ISO files hosted on cloud storage; mounting one exposes a shortcut file disguised as a PDF, which launches PowerShell to run in-memory code extracted via steganography.
- Subsequent stages download a SumatraPDF bundle that uses DLL sideloading of DWrite.dll and process hollowing to reach command-and-control and stage additional components.
- A newly documented module dubbed BlackSanta employs Bring Your Own Vulnerable Driver (BYOVD) techniques, loading the signed drivers from RogueKiller Antirootkit v3.1.0 and IObitUnlocker.sys v1.2.0.1 to terminate antivirus and EDR processes, weaken Defender settings, and suppress notifications.
- The malware performs extensive anti-analysis checks, modifies Defender SpyNet policies, inspects Memory Integrity configuration, and halts execution on systems located in Russia or CIS countries.
- Researchers attribute the campaign to Russian-speaking operators, note infrastructure such as resumebuilders.us and thresumebuilder.com, say it likely ran quietly for over a year, and warn that while data theft appears the goal, the active final payload could not be retrieved.