A newly identified malware campaign targeting human resources and recruiting staff is distributing malicious files disguised as job applications.
The operation, uncovered by Aryaka Threat Research Lab, uses a specialized tool known as BlackSanta to disable endpoint detection and response (EDR) systems after a device has been compromised.
The campaign mainly spreads through phishing emails containing links to files presented as resumes. When opened, the files trigger a multi-stage infection process that quietly deploys malware on the victim's system. The researchers said the attack chain allows the threat actors to gather detailed system information before launching additional payloads.
Aryaka's analysis indicates that the group behind the operation is likely Russian-speaking.
Resumes and Legitimate Documents Impersonated
The malicious files used in the campaign typically imitate legitimate documents such as resumes. Once downloaded and executed, the malware begins a sequence of actions designed to profile the system and evade security monitoring.
Key behaviors observed in the attack include:
- System reconnaissance to collect operating system and user data
- Checks for virtual machines, sandboxes and debugging tools
- Geographic filtering to avoid running in restricted regions
- Attempts to disable antivirus and EDR security controls
- Downloading additional malicious payloads after initial compromise
These steps allow the attackers to maintain access while reducing the chance of detection.
Recruitment Workflows Exploited
A central element of the campaign is the BlackSanta module. The component functions as an EDR killer, attempting to neutralize security software that might otherwise block malicious activity on the compromised host.
According to the Aryaka Threat Research Lab's report, the malware also performs checks on system language, hostnames and running processes before carrying out further actions.
Aryaka warned that recruitment teams may be particularly vulnerable because their daily tasks involve opening attachments and downloading candidate documents. Attackers exploit this routine behavior to disguise malicious payloads as legitimate applications.
"The campaign's ability to exfiltrate sensitive information while maintaining encrypted communications underscores both its persistence and the risk posed to targeted organizations," the researchers wrote.
"Over the past year, the malware has operated largely undetected, showcasing the level of planning, precision, and technical capability employed by the threat actor."
Improved monitoring of suspicious downloads and stronger endpoint protection could help organizations detect similar attacks earlier in the intrusion process.
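As an added illustration of the kind of download check described above (this is example code written for this page, not part of Aryaka's report, and it is not a signature for BlackSanta), the script below triages an inbound "resume" before a recruiter opens it. It flags executable extensions hiding behind a document extension, content that does not match the claimed extension (a PE header in a file named .pdf), a right-to-left override character in the filename, and VBA projects inside zip-based Office documents. The expected extension lists, the magic-byte table and the sample files are constructed assumptions for the example.

```python
"""Triage inbound candidate documents before they are opened.

Added example for this page. The heuristics are generic masquerading checks,
not indicators taken from the Aryaka report; all sample inputs are constructed.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions a recruiter legitimately expects to receive (assumption).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".odt", ".txt"}
# Extensions that run code or mount a container when double-clicked on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".ps1",
                   ".iso", ".img", ".vhd", ".vhdx"}

# Leading bytes of common containers (well-known file signatures).
MAGIC = [
    (b"MZ", "pe_executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip_container"),                       # docx/odt are zip files
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole_compound"),  # legacy .doc/.xls
    (b"{\\rtf", "rtf"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "windows_shortcut"),
    (b"\x7fELF", "elf"),
]

# Content types that are acceptable behind each claimed document extension.
EXPECTED_CONTENT = {
    ".pdf": {"pdf"},
    ".doc": {"ole_compound", "rtf"},   # Word happily opens RTF named .doc
    ".docx": {"zip_container"},
    ".odt": {"zip_container"},
    ".rtf": {"rtf"},
    ".txt": {"text"},
}


def content_type(data: bytes) -> str:
    """Classify a file by its leading bytes, independent of its name."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    # Crude text test: no NUL bytes in the first 512 bytes.
    return "text" if b"\x00" not in data[:512] else "unknown_binary"


def has_macros(data: bytes) -> bool:
    """True if a zip-based Office document carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes) -> dict:
    """Return a verdict and the list of reasons a file should not be opened."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""
    kind = content_type(data)

    if "\u202e" in filename:  # right-to-left override hides the real extension
        reasons.append("rtlo_in_filename")
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable_extension:{last}")
        if any(s in DOCUMENT_EXTS for s in suffixes[:-1]):  # resume.pdf.exe
            reasons.append("document_extension_before_executable")
    elif last in DOCUMENT_EXTS:
        if kind not in EXPECTED_CONTENT[last]:
            reasons.append(f"content_mismatch:{last}->{kind}")
    else:
        reasons.append(f"unexpected_extension:{last or 'none'}")
    if kind == "pe_executable":
        reasons.append("pe_header")
    if kind == "zip_container" and has_macros(data):
        reasons.append("office_macros")

    return {"filename": filename, "content": kind,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal zip-based Office document for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample "candidate documents"; none is a real file from the campaign.
SAMPLES = {
    "jane_doe_resume.pdf": b"%PDF-1.7\n%%EOF\n",
    "jane_doe_resume.docx": build_docx(with_macro=False),
    "resume.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "cv_final.pdf": b"MZ\x90\x00" + b"\x00" * 60,      # PE renamed to .pdf
    "cover_letter.docx": build_docx(with_macro=True),
    "application.lnk": b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 24,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage(name, blob)
        print(f"{r['verdict']:5} {name:24} {r['content']:18} {', '.join(r['reasons'])}")
```

In practice this runs at the mail or web gateway, or as a pre-open hook on the recruiting team's endpoints, and a "block" verdict routes the file to a sandbox rather than to the recruiter; it does not replace EDR, it only denies the lure the easy path onto the host.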
