FIN6 Sends Fake Resumes to Recruiters to Deploy BlackSanta EDR Killer
FIN6's year-long HR phishing campaign delivers BlackSanta, a tool that kills EDR and antivirus software before dropping final malware payloads. Recruiters are the target.
A sophisticated malware campaign has been targeting HR departments and job recruiters for over a year, delivering an EDR-killing component dubbed BlackSanta that disables security tools before deploying final payloads. Security researchers link the operation to Russian-speaking threat actors with potential ties to FIN6.
TL;DR
- What happened: Fake job applications deliver malware that disables endpoint protection
- Who's affected: HR teams, recruiters, and staffing agencies
- Attribution: Russian-speaking actors, potential FIN6 connection
- Action required: Train HR staff on ISO file risks; review EDR alerting for kernel driver abuse
The Attack Chain
Aryaka researchers detailed the campaign after discovering infections across multiple organizations. The attack begins with what appears to be a legitimate job application:
- Initial Contact: The victim receives an email with a link to a resume hosted on cloud storage (Dropbox or similar)
- ISO Delivery: The "resume" is actually an ISO disk image that Windows mounts automatically
- Hidden Payload: Inside the ISO, a file appearing to be a PDF is actually a Windows shortcut (.lnk)
- Execution Chain: The shortcut launches PowerShell, which extracts and executes hidden data from an image file
The attackers registered convincing domains including resumebuilders[.]us and thresumebuilder[.]com to host their payloads.
BlackSanta: The EDR Killer
The campaign's most dangerous component is a previously undocumented module researchers named BlackSanta. It's designed specifically to blind security teams by disabling endpoint detection and response tools.
BlackSanta abuses vulnerable kernel drivers to gain deep system access:
- RogueKiller Antirootkit v3.1.0 - Legitimate security tool with exploitable driver
- IObitUnlocker.sys v1.2.0.1 - Utility driver repurposed for malicious privilege escalation
Once loaded, BlackSanta can:
- Kill antivirus and EDR processes
- Disable Windows Defender components
- Suppress security telemetry and logging
- Tamper with memory protections
This bring-your-own-vulnerable-driver (BYOVD) technique has become increasingly common among ransomware groups. By using signed but vulnerable third-party drivers, attackers bypass Windows security controls that would block unsigned kernel code.
Defense Evasion Techniques
The malware demonstrates operational sophistication beyond the EDR killing:
Anti-Analysis Checks: Before executing, the malware checks for virtual machines, debuggers, sandboxes, and analysis tools. If any are detected, it terminates silently.
Geographic Filtering: The malware avoids infecting systems in Russia and CIS countries, a common indicator of Russian-speaking threat actor origin.
Registry Manipulation: It disables Windows Defender's SpyNet cloud protection and automatic sample submission, preventing cloud-based detection.
Process Hollowing: Final payloads are injected into legitimate processes, making them harder to distinguish from normal system activity.
Why Target HR?
Recruiters and HR departments make attractive targets for several reasons:
Trust in Document Formats: HR staff routinely open attachments from unknown senders. It's literally their job to review applications.
High-Value Access: HR systems often connect to payroll, identity management, and internal databases containing sensitive employee information.
Limited Security Training: Many organizations focus security awareness on technical staff while overlooking administrative functions.
Predictable Workflows: Attackers know exactly what HR teams expect to receive, making social engineering straightforward.
Previous FIN6 operations have targeted payment card data and financial systems. Compromising HR could provide access to payroll systems or employee credentials useful for further network access.
Connection to Known Threat Actors
While researchers identified the attackers as "Russian-speaking" based on code artifacts, attribution to FIN6 specifically remains tentative. FIN6 has historically focused on:
- Point-of-sale malware
- Magecart-style payment skimming
- Deploying ransomware (including Ryuk and Maze)
The HR targeting represents a potential expansion of their targeting profile. Other threat actors have similarly evolved their techniques as defenses improve against their traditional methods.
Detection Opportunities
Security teams can watch for several indicators:
ISO Mount Events: Windows logs when ISO files are mounted. Unexpected mounts from user profile folders warrant investigation.
Vulnerable Driver Loading: Monitor for the specific drivers BlackSanta abuses. Their legitimate use is rare in enterprise environments.
PowerShell Execution from Shortcuts: LNK files launching PowerShell is a classic attack pattern that security tools can flag.
Registry Modifications: Changes to Windows Defender settings should trigger alerts.
Outbound Connections: The malware's C2 domains and infrastructure can be blocked at the perimeter.
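The three endpoint-side indicators above (vulnerable driver loads, PowerShell launched from a shortcut, Defender registry tampering) map cleanly onto Sysmon event types, so here is an added triage script that runs those checks over a handful of constructed Sysmon-style events. It is example code written for this page, not tooling from Aryaka or any vendor. The ISO mount and outbound-connection indicators depend on log sources not shown here and are left out. Assumptions: the Sysmon event IDs (1 process create, 6 driver loaded, 13 registry value set) and the Windows Defender SpyNet policy values are standard Windows facts, not from the article; the driver watchlist contains only the file name the article gives (IObitUnlocker.sys), because the RogueKiller driver's file name is not stated; the PowerShell command-line heuristics are ours.

```python
"""Triage constructed Sysmon-style events for BlackSanta-related indicators:
vulnerable driver loads, PowerShell spawned from a shortcut, and Windows
Defender cloud-protection registry tampering. Example code, not vendor tooling."""
from dataclasses import dataclass

# Driver file names to watch. Only IObitUnlocker.sys is named in the article;
# extend this set from your own intel (e.g. the RogueKiller Antirootkit driver).
VULNERABLE_DRIVERS = {"iobitunlocker.sys"}

# Known Defender policy values (standard Windows, not from the article):
# SpynetReporting=0 disables cloud protection, SubmitSamplesConsent=2 means
# "never send samples".
DEFENDER_TAMPER_VALUES = {
    "spynetreporting": {"0"},
    "submitsamplesconsent": {"2"},
}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def check_driver_load(ev):
    """Sysmon Event ID 6 (Driver Loaded): flag drivers on the watchlist."""
    if ev.get("EventID") != 6:
        return None
    name = ev.get("ImageLoaded", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in VULNERABLE_DRIVERS:
        return Finding("byovd_driver_load", ev["Computer"], ev["ImageLoaded"])
    return None


def check_powershell_from_shortcut(ev):
    """Sysmon Event ID 1 (Process Create). A .lnk opened in Explorer shows up as
    explorer.exe -> powershell.exe; we flag that pairing when the command line
    is hidden/encoded or references an image file, the pattern the article
    describes. The token list is a heuristic of our own, not an IoC."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if not image.endswith("powershell.exe") or not parent.endswith("explorer.exe"):
        return None
    tokens = ("-enc", "-encodedcommand", "hidden", ".png", ".jpg", ".bmp")
    if any(t in cmd for t in tokens):
        return Finding("powershell_from_shortcut", ev["Computer"], ev["CommandLine"])
    return None


def check_defender_registry(ev):
    """Sysmon Event ID 13 (Registry value set): flag SpyNet policy values that
    turn off cloud protection or sample submission."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if "windows defender\\spynet\\" not in target.lower():
        return None
    value_name = target.rsplit("\\", 1)[-1].lower()
    details = ev.get("Details", "").lower()
    # Sysmon renders DWORDs as "DWORD (0x00000000)"; pull out the number
    num = details.split("(")[-1].rstrip(")").strip()
    try:
        num = str(int(num, 16)) if num.startswith("0x") else str(int(num))
    except ValueError:
        return None
    if num in DEFENDER_TAMPER_VALUES.get(value_name, set()):
        return Finding("defender_cloud_protection_disabled", ev["Computer"], target)
    return None


RULES = (check_driver_load, check_powershell_from_shortcut, check_defender_registry)


def scan(events):
    """Run every rule over every event and collect findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "HR-WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -w hidden -enc SQBFAFgA..."},
    {"EventID": 6, "Computer": "HR-WS01",
     "ImageLoaded": r"C:\Users\hr\AppData\Local\Temp\IObitUnlocker.sys"},
    {"EventID": 13, "Computer": "HR-WS01",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpynetReporting",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Computer": "HR-WS01",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent",
     "Details": "DWORD (0x00000002)"},
    # benign: an admin runs PowerShell from a terminal, so the parent is cmd.exe
    {"EventID": 1, "Computer": "IT-WS07",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Get-Process"},
    # benign: an ordinary Windows driver
    {"EventID": 6, "Computer": "IT-WS07",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Against the constructed sample, the script reports one driver load, one PowerShell-from-shortcut launch and two Defender policy changes, all on HR-WS01, while the two benign IT-WS07 events stay quiet. In production the same rule functions can sit behind whatever feeds your Sysmon or EDR events, and the driver watchlist should be replaced by the hashes and names from your own threat intel rather than a single file name.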
Recommendations
For HR teams:
- Treat ISO files as suspicious regardless of claimed content
- Request documents be submitted as standard formats (PDF, DOCX) rather than disk images
- Forward unusual applications to security for review
For security teams:
- Deploy application allowlisting to prevent vulnerable driver execution
- Monitor kernel driver loading events
- Implement network segmentation between HR systems and sensitive infrastructure
- Conduct regular security awareness training specifically for HR workflows
Why This Matters
This campaign highlights the evolution of targeted attacks against specific job functions. Attackers aren't just sending generic phishing; they're studying how HR departments work and crafting attacks that fit naturally into existing workflows.
The EDR-killer component is equally concerning. Organizations invest heavily in endpoint security, but BYOVD attacks can neutralize those defenses before they detect anything. Security architecture needs to assume endpoint protection can fail and include monitoring at other layers.
For organizations hiring, this serves as a reminder that the hiring process itself can be weaponized. Every application from an unknown sender is a potential attack vector.
FAQ
How do I check if my organization was targeted?
Search email logs for attachments with ISO extensions or links to the known attacker domains. Review endpoint logs for the vulnerable driver signatures BlackSanta uses.
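As an added example of the mailbox-side search this answer describes (not code from the article or from Aryaka), the following script triages a constructed mail-gateway export for ISO attachments and for links to the two attacker domains the article names, refanging the defanged domains first and matching subdomains as well as the bare domain. The CSV column layout and the sample rows are assumptions made for the example.

```python
"""Email-log triage for the two mailbox-side indicators the article names:
ISO attachments and links to the attacker-registered resume domains.
Example code; the log format is an assumed CSV export."""
import csv
import io
from urllib.parse import urlparse

# Domains named in the article, kept defanged as published
DEFANGED_DOMAINS = ["resumebuilders[.]us", "thresumebuilder[.]com"]


def refang(domain):
    """Turn a defanged indicator back into a matchable host name."""
    return domain.replace("[.]", ".").lower()


ATTACKER_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def host_matches(url):
    """True if the URL's host is an attacker domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ATTACKER_DOMAINS)


def triage_mail_log(text):
    """Return (message_id, reason) for each row worth a second look.
    Expected columns: message_id, sender, subject, attachments, urls, with
    multiple attachments or URLs separated by ';' (assumed export format)."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        attachments = [a.strip().lower() for a in row["attachments"].split(";") if a.strip()]
        urls = [u.strip() for u in row["urls"].split(";") if u.strip()]
        if any(a.endswith(".iso") for a in attachments):
            hits.append((row["message_id"], "ISO attachment"))
        if any(host_matches(u) for u in urls):
            hits.append((row["message_id"], "link to known attacker domain"))
    return hits


# Constructed sample log (not real mail data)
SAMPLE_LOG = """message_id,sender,subject,attachments,urls
m1,applicant@example.net,Application - Analyst,resume.pdf,
m2,jobs@example.org,My CV,Jane_Doe_Resume.iso,
m3,hr@example.com,Re: Candidate,,https://cdn.resumebuilders.us/files/resume.zip
m4,candidate@example.net,Resume,,https://www.linkedin.com/in/example
"""

if __name__ == "__main__":
    for message_id, reason in triage_mail_log(SAMPLE_LOG):
        print(f"{message_id}: {reason}")
```

Only m2 (the ISO "resume") and m3 (a link under resumebuilders.us) are flagged; the PDF application and the LinkedIn link pass. Because the match is on the URL host rather than a substring, a lookalike such as `resumebuilders.us.example.com` would not match, which is the intended behaviour for a domain-based indicator.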
Are legitimate resumes ever sent as ISO files?
Almost never. Job applicants typically send Word documents, PDFs, or links to LinkedIn profiles. An ISO "resume" should be treated as highly suspicious regardless of the sender's apparent legitimacy.