
"An HR professional receives what appears to be a perfectly normal resume. The candidate profile seems relevant. The hosting link points to a familiar cloud storage service. Nothing feels suspicious. A quick download, a double click, and an ISO file mounts, and the intrusion begins."
"The malicious document arrives as an ISO disk image, a file format Windows can mount like a virtual drive. Once opened, the archive contains a shortcut that quietly launches hidden commands in the background. Those commands unpack malware concealed inside an image file - a trick designed to make the payload harder for security tools to spot."
"The campaign's most concerning feature is a component dubbed BlackSanta, which the report describes as an EDR killer - software specifically designed to disable the very tools meant to detect intrusions."
A Russian-speaking cybercriminal operation exploits corporate hiring workflows by distributing fake CVs through cloud storage services. When an HR professional opens the downloaded file, Windows mounts the ISO disk image it contains, and a shortcut inside the image runs hidden commands that deploy malware. The malware disables security tools, establishes remote connections to attacker infrastructure, and gathers system information, operating primarily in memory to avoid detection. The campaign includes a component called BlackSanta, built specifically to disable endpoint detection and response tools. The attack relies on the trust HR teams place in job applications and on the familiarity of legitimate cloud storage platforms to gain initial access to a system.
Read at Theregister