Fake Resume Malware Campaign Targets HR Departments

Cybersecurity researchers are warning about a new attack campaign targeting human resources departments with malicious job applications disguised as legitimate resumes.

According to security research from Aryaka and reporting by Cybernews, attackers are sending resume files that secretly install malware designed to disable security tools and steal sensitive data.

The attack begins with a recruiter receiving what appears to be a normal job application hosted on a trusted cloud storage platform.

When downloaded, the file is actually an ISO disk image. Opening it mounts the image as a virtual drive and reveals a shortcut file that launches the infection chain.

That shortcut executes hidden PowerShell commands that extract malware concealed inside an image file using steganography. The payload is then loaded through DLL sideloading, allowing the malicious code to run under a legitimate application.

Once active, the malware connects to a remote command-and-control server and begins sending system information from the infected device.

Kernel-Level Security Bypass

A key component of the attack is a module known as BlackSanta, which uses a technique called Bring Your Own Vulnerable Driver (BYOVD) to disable antivirus and endpoint detection tools at the kernel level.

With defenses disabled, attackers can carry out additional activities such as credential theft, system reconnaissance, and data exfiltration.

Researchers say the campaign demonstrates how attackers are increasingly combining social engineering with advanced technical techniques.

Human resources departments often receive large numbers of resumes and external files, making them an attractive entry point for attackers.

Security experts recommend that organizations treat HR workflows with the same level of security controls

